Aaangel

CWS.SearchX


I've been using CWShredder for like 3 months now ... and it does a pretty nice job, but for some reason this thing keeps coming back.

From time to time, it even recreates itself after I've cleaned with CWShredder and only been using Delphi for a couple of hours and never even opened my browser, and now I'm really beginning to be irritated. It has also set my Norton antivirus out of play, since it doesn't detect its stealth download; it did so before my system reinstallation (or at least it detected a wide number of trojan hijacks, now it never does).

I've even created a small application myself to track and remove unwanted BHOs and toolbars in Internet Explorer: IE Button Manager.

Anyway, I tried to remove my Microsoft VM (as suggested by CWShredder) and it kept me free for about 2 days (longest ever), but then it came back at what appeared to be renewed strength.

Please help,

Aaangel

PS. I'm not sure what you need to know, so please post and I shall be more than happy to supply it.


Oops, forgot this - HijackThis log:

-----------

Logfile of HijackThis v1.97.7

Scan saved at 02:12:56, on 07-06-2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\D-Tools\daemon.exe

E:\eMule\emule.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Winamp\winamp.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\DnloadMage\DnloadMage.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\WINDOWS\explorer.exe

D:\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://scheo.com/srchasst/srchcust.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Upload\start - internet.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [RegKillTray] C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: Download Mage.lnk = C:\Program Files\DnloadMage\DnloadMage.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: eMule.lnk = E:\eMule\emule.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm

O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: RoBOT Smart link (HKLM)

O9 - Extra 'Tools' menuitem: RoBOT Smart link (HKLM)

O9 - Extra button: IE Alter (HKLM)

O9 - Extra 'Tools' menuitem: IE Alter (HKLM)

O9 - Extra button: CoolMon Forum (HKLM)

O9 - Extra 'Tools' menuitem: The CoolMon Forum (HKLM)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8072.4631712963

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.3 -6/07 @@@***==--

 

 

Tue Jun 08 22:48:44 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (A461:46F3) - FS:NTFS clusters:4k

Total: 12 584 644 608 [12G] - Free: 3 033 948 160 [2.8G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;

 

»»Google:

2.0.111.0 C:\Program Files\google\googletoolbar1.dll

-ra-- W32i DLL ENU 2.0.111.0 shp 770,048 05-23-2004 googletoolbar1.dll

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 8.0.0.4490 shp 520,192 04-11-2003 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe

 

 

»»PC uptime:

10:48pm up 16 days, 5:37

 

»»Locked or 'Suspect' file(s) found...

One or more CON code pages invalid for given keyboard code

\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error

\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

468 smss.exe

524 csrss.exe Title:

548 winlogon.exe Title: NetDDE Agent

592 services.exe Svcs: Eventlog,PlugPlay

604 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

780 svchost.exe Svcs: RpcSs

832 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa

ibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,sec

ogon,SENS,ShellHWDetection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time

winmgmt,Wmdm

964 svchost.exe Svcs: Dnscache

988 svchost.exe Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient

1384 spoolsv.exe Svcs: Spooler

1476 type32.exe Title:

1568 daemon.exe Title: Virtual DAEMON Manager V3.46

1772 emule.exe Title:

460 defwatch.exe Svcs: DefWatch

508 rtvscan.exe Svcs: Norton AntiVirus Server

724 nvsvc32.exe Svcs: NVSvc

852 svchost.exe Svcs: stisvc

1340 MSGSYS.EXE

3544 explorer.exe Title: Program Manager

3992 devldr32.exe Title: DEVLDR

3012 acrotray.exe Title: AcrobatTrayIcon

2232 msnmsgr.exe Title: Emoticon popup

1824 winamp.exe Title: 9. Da Buzz - Stay Forever Young - Winamp

2784 Skype.exe Title: Skype™ Beta - tai1992 added you to their Contact List

2400 DnloadMage.exe Title: Download Mage

3428 evntsvc.exe Title: Notification Wnd for RNAdmin

2572 mplayerc.exe Title:

2672 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

2192 ntvdm.exe

3984 regedit.exe Title: Registry Editor

364 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 504

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\ : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5308

 

»»UserInit value:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

 

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

 

»»Group/user settings:

 

 

User: [LARISARULES\Aaangel], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group LARISARULES\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

LARISARULES\Aaangel:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

R C:\WINDOWS\System32\Drivers\etc\hosts

-r--- - - - - - 0 04-07-2004 hosts

------

»»Rehash:

 

»Strings found:

 

Tue Jun 08 22:49:25 2004 -- ++Find-All backups:

c:\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-08-2004 winbackup.hiv

c:\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-08-2004 windows.txt

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-07-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-07-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


The 'hidden' file was identified here:

»»Locked or 'Suspect' file(s) found...
One or more CON code pages invalid for given keyboard code
\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error

First, search for this file and be sure it's not found anywhere, as there could be a legitimate file using the same name.

If found, post back details first!

Otherwise (if not found) proceed, and follow these steps carefully:

Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

--Go to Start/Run, type:
regedit
The registry should open with the Windows subfolder highlighted.
(*Compare and be sure the path on the status bar is the same as indicated above!)

--Right-click on the Windows subfolder, and rename Windows as Windows1.

--Locate the "AppInit_DLLs" value in the right pane, right-click it and select -> 'Delete'.

--Select Windows1 in the left pane again and rename it back to its original name, Windows.

--Use regedit's top menu View -> Refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

--Close regedit, *restart computer!

--Navigate to the System32 folder, search for the System32\WDM.DLL file, highlight it and use the folder's top menu option "Edit -> Move to folder...". Browse to and select the C:\junkxxx folder (it was created during the first 'Find-All' run) and 'OK' it.

---Re-run 'Find-All.cmd' and post a new log!

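
As an added example (not from the thread or from the Find-All tool itself), the script below pulls out of a Find-All log the two indicators the helper relied on above: the "+++ File read error" lines that exposed the locked WDM.DLL, and the size of the Windows key compared against the baselines Find-All prints next to it (Default-450; No'AppInit'-398; Fake-~448). The two log excerpts are constructed from the logs posted in this thread, and treating any other key size as worth a look is this example's own assumption.

```python
"""Triage helper for the Find-All log format shown in this thread (added example)."""
import re

# Baselines that Find-All itself prints next to the key size:
# »»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
SIZE_DEFAULT_EMPTY_APPINIT = 450   # key intact, AppInit_DLLs present but empty
SIZE_NO_APPINIT = 398              # AppInit_DLLs value deleted
SIZE_FAKE_APPROX = 448             # what Find-All labels a "Fake" Windows key

# Lower-cased path of the key whose size and REGEDIT4 export we care about.
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"

LOCKED_RE = re.compile(r"^(\\\\\?\\\S.*?) \+\+\+ File read error$")
SIZE_RE = re.compile(r"^Size of (.+?): (\d+)$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"="(.*)"$')


def parse_findall(log_text):
    """Return (locked_files, windows_key_size, appinit_value) from a Find-All log.

    appinit_value is None when the REGEDIT4 export of the Windows key carries
    no AppInit_DLLs value at all; otherwise it is the exported string (may be "").
    """
    locked, key_size, appinit = [], None, None
    in_windows_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            if m.group(1) not in locked:          # the tool prints each hit twice
                locked.append(m.group(1))
            continue
        m = SIZE_RE.match(line)
        if m and m.group(1).lower() == WINDOWS_KEY:
            key_size = int(m.group(2))
            continue
        if line.startswith("[") and line.endswith("]"):   # REGEDIT4 key header
            in_windows_key = line[1:-1].lower() == WINDOWS_KEY
            continue
        if in_windows_key:
            m = APPINIT_RE.match(line)
            if m:
                appinit = m.group(1)
    return locked, key_size, appinit


def triage(log_text):
    """Return a list of findings (strings); an empty list means nothing stood out."""
    locked, key_size, appinit = parse_findall(log_text)
    findings = [f"unreadable (locked) file: {p}" for p in locked]
    if key_size is None:
        findings.append("Windows key size line not found in log")
    elif appinit is None:
        if key_size != SIZE_NO_APPINIT:
            findings.append(f"AppInit_DLLs absent but key size {key_size} != {SIZE_NO_APPINIT}")
    elif appinit:
        findings.append(f"AppInit_DLLs is set: {appinit}")
    elif key_size > SIZE_DEFAULT_EMPTY_APPINIT:
        # Visible export says the value is empty, yet the key is larger than the
        # documented default: this is the pattern in the first log above (504).
        findings.append(f"AppInit_DLLs exported as empty but key size {key_size} > "
                        f"{SIZE_DEFAULT_EMPTY_APPINIT}: hidden data likely")
    elif key_size != SIZE_DEFAULT_EMPTY_APPINIT:
        findings.append(f"key size {key_size} differs from default {SIZE_DEFAULT_EMPTY_APPINIT} "
                        f"(Find-All marks ~{SIZE_FAKE_APPROX} as fake)")
    return findings


# Constructed excerpts modelled on the two logs posted in this thread.
LOG_BEFORE = r"""
»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 504
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5308
"""

LOG_AFTER = r"""
»»Locked or 'Suspect' file(s) found...
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398
"""

if __name__ == "__main__":
    for name, log in (("before cleanup", LOG_BEFORE), ("after cleanup", LOG_AFTER)):
        print(name, "->", triage(log) or ["clean"])
```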

So I followed your instructions; the file didn't exist ... so I did the registry alterations and rebooted. Then at startup Norton Antivirus detected "wdm.dll" as a trojan, but it said that it had failed when it tried to quarantine the file. But I can't even find the damn file ...

---------------------------------------

Anyway, new Find-All log

---------------------------------------

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.3 -6/07 @@@***==--

 

 

Wed Jun 09 21:30:05 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (A461:46F3) - FS:NTFS clusters:4k

Total: 12 584 644 608 [12G] - Free: 3 412 332 544 [3.2G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;

 

»»Google:

2.0.111.0 C:\Program Files\google\googletoolbar1.dll

-ra-- W32i DLL ENU 2.0.111.0 shp 770,048 05-23-2004 googletoolbar1.dll

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 8.0.0.4490 shp 520,192 04-11-2003 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe

 

 

»»PC uptime:

9:30pm up 0 days, 0:04

 

»»Locked or 'Suspect' file(s) found...

One or more CON code pages invalid for given keyboard code

 

 

»»Tasks (services):

0 System Process

4 System

468 smss.exe

524 csrss.exe Title:

548 winlogon.exe Title: NetDDE Agent

592 services.exe Svcs: Eventlog,PlugPlay

604 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

780 svchost.exe Svcs: RpcSs

832 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa

ibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,sec

ogon,SENS,ShellHWDetection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time

winmgmt,Wmdm

856 StyleXPService.eOleMainThreadWndNameSvcs: StyleXPService

984 svchost.exe Svcs: Dnscache

1032 svchost.exe Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient

1192 spoolsv.exe Svcs: Spooler

1476 explorer.exe Title: Program Manager

1700 type32.exe Title:

1708 nsl.exe Title: AnalogX NetStat Live

1724 daemon.exe Title: Virtual DAEMON Manager V3.46

1752 vptray.exe Title: Norton AntiVirus Corporate Edition

1784 jusched.exe Title: OleMainThreadWndName

1820 defwatch.exe Svcs: DefWatch

1868 rtvscan.exe Svcs: Norton AntiVirus Server

1880 rundll32.exe Title: MediaCenter

1896 winampa.exe Title:

1904 RegKillTray.exe Title: ElbyTrayWindow

1916 msnmsgr.exe Title:

1940 Skype.exe Title: Skype™ Beta

1956 nvsvc32.exe Svcs: NVSvc

2012 acrotray.exe Title: AcrobatTrayIcon

180 svchost.exe Svcs: stisvc

360 emule.exe Title:

508 DnloadMage.exe Title:

1808 devldr32.exe Title: DEVLDR

2520 MSGSYS.EXE

3980 explorer.exe Title: Find-All

268 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

3768 winamp.exe Title: 6. Da buzz - Stop, Look, Listen - Winamp

896 ntvdm.exe

1656 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access LARISARULES\Aaangel

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access LARISARULES\Aaangel

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5308

 

»»UserInit value:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

 

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

 

»»Group/user settings:

 

 

User: [LARISARULES\Aaangel], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group LARISARULES\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

LARISARULES\Aaangel:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

R C:\WINDOWS\System32\Drivers\etc\hosts

-r--- - - - - - 0 04-07-2004 hosts

------

»»Rehash:

 

»Strings found:

 

Wed Jun 09 21:30:22 2004 -- ++Find-All backups:

c:\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-09-2004 winbackup.hiv

c:\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-09-2004 windows.txt

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-07-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-07-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Norton deleted the file as soon as it came out from hiding ;)

You need to follow these steps next (just ignore the N/A parts):

------------------------------------------------------------------------------

We can wrap up the hijacker following these steps:

--Open the 'Find-All'\Tools subfolder.
Double-click once on the "ZIPZAP.bat" file!

It will quickly/silently do this:
-*Restore your key & security back to defaults
-*Reset permissions on the junkxxx\*.dll moved file
-*Create a zipped copy in the same folder: "junkxxx.zip"
-*Open your email client with the given addresses for submission!

--Drag the 'junkxxx.zip' and submit the attachment to the specified addresses! Thanks.

When done, delete the "junkxxx.zip" as well as the "junkxxx" folder in C:\ and the 'Find-All' folder(s).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, you need to clear all the elements the hijacker downloaded!
Run these tools (whether used before or not!), as they should work properly now, and have them fix all problems:

*Ad-Aware 6 Build 181:
http://www.lavasoftusa.com/software/adaware/

*Latest reference file:
http://www.lavasoftsupport.com/index.php?showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181
http://www.lavahelp.com/howto/fullscan/index.html

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Feel free to post a follow-up HijackThis log when done!
Good luck

P.S: ignore the 'submission' part, you're all set otherwise!
