soultaker_x

HijackThis Log File

17 posts in this topic

I was browsing the web; when I was done I closed IE, but when I opened it again my homepage had changed to about:blank.

 

Then I ran Ad-aware and Spybot, but the problem persisted.

 

After that I downloaded HijackThis, but I didn't understand the log file.

 

I would really appreciate it if you can help me.

 

Here is my HijackThis log.

 

Logfile of HijackThis v1.97.7

Scan saved at 08:40:01 p.m., on 13/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe

C:\Archivos de programa\Norton AntiVirus\navapsvc.exe

C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Archivos de programa\HP CD-Writer\Mmenu\hpcdtray.exe

C:\Archivos de programa\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe

C:\Archivos de programa\Microsoft Hardware\Mouse\point32.exe

C:\Archivos de programa\QuickTime\qttask.exe

C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Archivos de programa\MSN Messenger\msnmsgr.exe

C:\Archivos de programa\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\ARCHIV~1\mozilla.org\Mozilla\mozilla.exe

C:\Documents and Settings\All Users\Escritorio\Metal Gear\Downloads\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xrd.best.cd/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - C:\WINDOWS\System32\dffbgb.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [TkBellExe] C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: NeoTrace It! (HKCU)

O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7252.7185416667

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Edited by soultaker_x

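As an added example (not HijackThis code and not anything posted in this thread), here is a small Python triage that applies the same reading a helper would give the R0/R1 and O2 lines of the log above. The severity labels, the Microsoft/MSN default-page prefixes and the "short lowercase DLL directly in System32" rule are assumptions of this example; the sample lines are a subset copied from the posted log.

```python
"""Triage of HijackThis R0/R1/O2 lines.

Added example; this is not HijackThis code. The rules encode what a helper
reads from the log above: IE search and start pages redirected to a file://
URL in the user's Temp folder, HomeOldSP forced to about:blank, a
Default_Page_URL that is no longer a Microsoft/MSN page, and a Browser
Helper Object with no name whose DLL sits directly in System32 (or is gone).
"""
import re
from typing import List, Optional, Tuple

# R0/R1 lines look like: "R1 - HKCU\...\Main,Search Bar = file://..."
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>.+?) = (?P<value>.*)$")
# O2 lines look like: "O2 - BHO: (no name) - {CLSID} - C:\path\file.dll"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# Assumed heuristic: a nameless BHO that is a short lowercase DLL directly in System32.
SYS32_RANDOM_DLL = re.compile(r"^c:\\windows\\system32\\[a-z]{4,8}\.dll$")
# Assumed set of prefixes a stock IE6 Default_Page_URL points at.
MS_DEFAULTS = ("http://www.microsoft.com/", "http://www.msn.com/", "http://go.microsoft.com/")

# Constructed subset of the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xrd.best.cd/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - C:\WINDOWS\System32\dffbgb.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious line, or None if nothing fires."""
    m = R_LINE.match(line)
    if m:
        name, value = m.group("name").strip(), m.group("value").strip()
        low = value.lower()
        if low.startswith("file://") and "\\temp\\" in low:
            return ("high", f"{name} redirected to a local file in Temp: {value}")
        if name == "HomeOldSP" and low == "about:blank":
            return ("medium", "HomeOldSP forced to about:blank (about:blank hijacker)")
        if name == "Default_Page_URL" and not low.startswith(MS_DEFAULTS):
            # OEM images sometimes set their own default page; confirm before acting.
            return ("medium", f"Default_Page_URL is not a Microsoft/MSN page: {value}")
        return None
    m = O2_LINE.match(line)
    if m:
        name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
        if path == "(no file)":
            return ("low", f"BHO {{{clsid}}} is registered but its file is missing")
        if name == "(no name)" and SYS32_RANDOM_DLL.match(path.lower()):
            return ("high", f"nameless BHO loads a short random DLL from System32: {path}")
    return None


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Run triage_line over every line; returns (severity, reason, line) tuples."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings


if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {why}\n         {line}")
```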

=== Download and Install Needed Programs ===

Download the following: (freeware)

'Find-All.zip' from:

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

 

Unzip 'Find-All.zip' to its own folder.

 

 

Open the Find-All folder and double click on Find-All.cmd

IMPORTANT!: Before you run this tool please close ALL running programs and ALL windows except Find-All.

 

Answer the alerts then sit back and wait a few minutes while the program collects the necessary information.

 

*Note: If your Antivirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

 

 

When the program is finished:

 

Open the Find-All folder.

1. Post the contents of Output.txt in this thread.

2. Attach file Windows.txt to the same post. (Please attach, do not post)

(If this board does not provide the ability to attach documents to your post, then please post the windows.txt file in this thread)


Here is the Find All Log and I'm going to put the Windows.txt in another post because I wasn't able to attach it.

 

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10.1 -6/10 @@@***==--

 

»»»»»»Find-All recent updates:»»»»»»

*Size of Windows key

*Winlogon\notify

*UserInit value

*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)

*Versions of major keys and windows files

*list of active services and drivers (\'FilesList')

*Note:

If using 'Find-All' to clean, be sure to include the link to your

post in the forum!! (I keep recieving files I don't know where they came from...0-0...)

*Note: Reg backup restore will not work if current user

doesn't have 'Admin privileges'! (view »»Group/user section)

 

 

Sun Jun 20 16:45:48 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Versión 5.1.2600]

'Find-All' is running from Drive:

C: "" (311A:1D08) - FS:FAT clusters:32k

Total: 40 006 156 288 [37G] - Free: 9 586 147 328 [8.9G]

 

 

»»IE version and Service packs:

6.0.2600.0 C:\Archivos de programa\Internet Explorer\Iexplore.exe

--a-- W32i APP ESN 6.0.2600.0 shp 91,136 08-24-2001 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;Q316059;q319182;Q321232;Q323759;Q328970;Q324929;Q810847;Q813489;Q818529;Q822925

;Q828750;Q824145;Q832894;

 

»»Google:

2.0.111.0 C:\Archivos de programa\google\googletoolbar1.dll

--a-- W32i DLL ENU 2.0.111.0 shp 770,048 05-04-2004 googletoolbar1.dll

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Archivos de programa\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1120 C:\Archivos de programa\Windows Media Player\mplayer2.exe

--a-- W32i APP ESN 6.4.9.1120 shp 4,639 08-24-2001 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s):

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ESN 5.1.2600.0 shp 67,072 08-24-2001 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ESN 5.1.2600.0 shp 67,072 08-24-2001 notepad.exe

 

»» Regedit* version(s):

5.1.2600.0 C:\WINDOWS\regedit.exe

--a-- W32i APP ESN 5.1.2600.0 shp 139,776 08-24-2001 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-24-2001 regedt32.exe

 

 

»»PC uptime:

4:45pm up 0 days, 0:28

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\WINLF.DLL +++ File read error

\\?\C:\WINDOWS\System32\WINLF.DLL +++ File read error

 

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Tasks (services):

0 System Process

4 System

340 SMSS.EXE

416 CSRSS.EXE Title:

440 WINLOGON.EXE Title: NetDDE Agent

496 SERVICES.EXE Svcs: Eventlog,PlugPlay

508 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

692 SVCHOST.EXE Svcs: RpcSs

820 SVCHOST.EXE Svcs: AudioSrv,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,HidServ,lanmanserver,lanmanworkstation,Netman,Nla,RasAuto,RasMan,Schedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time

980 SVCHOST.EXE Svcs: Dnscache

1008 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient

1184 EXPLORER.EXE Title: Program Manager

1264 SPOOLSV.EXE Svcs: Spooler

1392 CCEVTMGR.EXE Svcs: ccEvtMgr

1452 HPCDTray.exe Title: HPCDTray_Wnd

1460 Directcd.exe Title: DirectCD

1472 realsched.exe Title: Notification Wnd for RNAdmin

1484 P2P Networking.eP2P Networking UpdateTitle: P2P Networking Update

1492 ccApp.exe Title: Norton AntiVirus

1544 POINT32.EXE Title:

1552 QTTASK.EXE Title: QTPlayer Tray Icon

1560 MsgPlus.exe Title: MPWnd_Hooker

1568 MMTASK.EXE Title: OleMainThreadWndName

1584 CTFMON.EXE Title:

1608 TeaTimer.exe Title:

180 navapsvc.exe Svcs: navapsvc

196 msnmsgr.exe Title:

316 NPROTECT.EXE Svcs: NProtectService

2832 MOZILLA.EXE Title:

924 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

3140 ntvdm.exe

3028 msmsgs.exe Title:

3188 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B5EA026-7B06-471A-BEB3-C5E2B893973B}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"=""

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Usuarios

(IO) ALLOW Read BUILTIN\Usuarios

(NI) ALLOW Read BUILTIN\Usuarios avanzados

(IO) ALLOW Read BUILTIN\Usuarios avanzados

(NI) ALLOW Full access BUILTIN\Administradores

(IO) ALLOW Full access BUILTIN\Administradores

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administradores

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Usuarios

Read BUILTIN\Usuarios avanzados

Full access BUILTIN\Administradores

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

 

»»UserInit value:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

 

5.1.2600.0 C:\WINDOWS\System32\userinit.exe

--a-- W32i APP ESN 5.1.2600.0 shp 22,016 08-24-2001 userinit.exe

 

»»Group/user settings:

 

 

User: [EDUARDO\Rosillo], is a member of:

 

BUILTIN\Administradores

\Everyone

 

User is a member of group EDUARDO\Ninguno.

User is a member of group \Todos.

User is a member of group BUILTIN\Administradores.

User is a member of group BUILTIN\Usuarios.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Usuarios autentificados.

 

»»ACLs list:

C:\junkxxx No permissions are set. All user have full control.

ERROR: No hay más archivos.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

R C:\WINDOWS\System32\Drivers\etc\hosts

-r--- - - - - - 975 07-14-2003 hosts

------

»»Rehash:

 

»Strings found:

 

Sun Jun 20 16:47:45 2004 -- ++Find-All backups:

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-20-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-20-2004 findallappinit.reg

A C:\Find-All\winBackup.hiv

A C:\Find-All\Fileslist\modules.txt

A C:\Find-All\Fileslist\services.txt

A C:\Find-All\Fileslist\drivers.txt

A C:\Find-All\Fileslist\windows.txt

A C:\Find-All\Fileslist\copyhosts.txt

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


This is the windows.txt file

 

 



=== Unlock and Show Hidden dll ===

Download the following: (freeware)

'Salamand.zip' from:

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

 

Download 'Registrar Lite' from here:

http://www.resplendence.com/reglite

 

Download the attached 'FixReg.zip'

 

Unzip 'Salamand.zip' to its own folder.

 

Install 'Registrar Lite'.

 

Unzip 'FixReg.zip' to the Desktop.

 

Now we are going to get rid of the hidden DLL that is causing all the problems.

 

First we need to make it visible:

Copy and paste this line to reglite's address bar. Then press 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Rename the Folder Windows to NotWindows

(the folder is highlighted as a purple folder in the left hand pane of Reglite)

 

Click "AppInit_DLLs" again and clear the data value:

C:\WINDOWS\System32\WINLF.DLL <-- delete this line,

'Apply' and 'ok' to set.

 

Rename the NotWindows folder back to its original name, Windows.

Restart your computer.

 

 

=== Locate, Move, and Delete Hidden dll ===

Run Salamand.exe.

 

Using the Menu Items at the top, do the following:

(wherever 'enter' is used, you may cut and paste the bold faced text instead)

a. Left --> Change Drive --> select 'C:'

b. Right --> Change Drive --> select 'C:'

c. Commands --> Create Directory --> enter junk --> press 'OK'

d. Options --> Command Line (be sure it is checked)

e. Commands --> Change Directory --> enter C:\windows\system32 --> press 'OK'

f. Commands --> Find Files… --> press 'Edit'; in 'Search For' enter WINLF.DLL, Uncheck 'Include subdirectories', press 'OK', press 'Start'; the file will be listed in the lower pane.

g. Press 'Focus'

h. Files --> Move/Rename --> enter c:\junk, press 'OK'

i. Left --> Change Drive --> select 'C:'

 

Into the narrow command window at the bottom (starts with 'c:\>')

Copy and paste the following command, then press 'Enter'

 

cacls %SYSTEMDRIVE%\junk\*.dll /t /e /g Administrators:f & cacls %SYSTEMDRIVE%\junk /t /e /g Administrators:f

(you should get a 'Processed…' confirmation message)

 

Copy and paste the following command, then press 'Enter'

attrib -r \\?\%SYSTEMDRIVE%\junk\*.dll & ren \\?\%SYSTEMDRIVE%\junk\*.dll *.111

(there should be no confirmation message)

 

In the left pane:

a. Click on the 'junk' folder

b. Files --> Delete, press 'Yes'

 

 

Double Click on the 'FixReg' folder.

Double Click on the 'FixReg.bat' file.

Post the 'last.txt' to this thread.

 

Open the 'Find-All' folder

Double Click on 'Find-All.bat'

Post the 'output.txt' in this thread.

 

 

=== Clean Remaining Infection ===

Please Download CoolWebShredder, from

http://www.merijn.org/files/cwshredder.zip

http://www.zerosrealm.com/downloads/CWShredder.zip

 

Extract CWShredder to its own folder,

Click the 'Fix ->' button.

Make sure you let it fix all CWS Remnants.

 

Next:

Download the latest version of Ad-Aware at

http://www.lavasoft.de/software/adaware/

 

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html

 

Select 'custom options'.

Select your drive, scan and fix all it finds.

 

Last:

Post a new HiJackThis log in this thread.

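An added example, not code from Find-All, Registrar Lite or anyone in this thread: it contrasts the REGEDIT4 view of AppInit_DLLs (reported as empty in the Find-All output above) with a raw hive fragment that still carries the DLL path, which is the hidden entry the key-rename steps above clear, and applies the key-size hint printed in the Find-All banner. The hive bytes are constructed to resemble the windows.txt dump, and the byte scanner is a heuristic search for a UTF-16LE string after the value name, not a real hive parser.

```python
"""Cross-check AppInit_DLLs: the exported .reg view versus the raw hive bytes.

Added example; not code from Find-All, Registrar Lite or any tool in the
thread. The REGEDIT4 export reports "AppInit_DLLs"="" while the raw hive
still contains a UTF-16LE path to winlf.dll; that is the discrepancy the
key-rename procedure resolves. hive_string_after_name() is a heuristic byte
search (find the value-name bytes, then the first printable UTF-16LE run
after them), not a real hive parser. Sample bytes below are constructed.
"""
import re
from typing import Dict, Optional

# Matches string values ("name"="data") in a REGEDIT4/REGEDIT5 export.
REG_STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$', re.MULTILINE)

# Exported .reg text as posted in the thread (first Find-All run).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
'''

# Constructed stand-in for the windows.txt hive fragment: a vk-style record
# whose value name is followed by the UTF-16LE path the export did not show.
INFECTED_HIVE = (
    b"\xd8\xff\xff\xffvk\x0c\x00<\x00\x00\x00" + b"AppInit_DLLs" + b"\x00\x00\x00\x00"
    + "C:\\WINDOWS\\System32\\winlf.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\xd0\xff\xff\xffvk" + b"DeviceNotSelectedTimeout" + "15".encode("utf-16-le")
)
# Same record with the string data gone (constructed "after cleaning" state).
CLEAN_HIVE = (
    b"\xd8\xff\xff\xffvk\x0c\x00\x00\x00\x00\x00" + b"AppInit_DLLs" + b"\x00\x00\x00\x00"
    + b"\xd0\xff\xff\xffvk" + b"DeviceNotSelectedTimeout" + "15".encode("utf-16-le")
)


def reg_export_values(text: str) -> Dict[str, str]:
    """String values from a .reg export, keyed by value name."""
    return {m.group("name"): m.group("data") for m in REG_STRING_VALUE.finditer(text)}


def hive_string_after_name(raw: bytes, name: str, min_len: int = 4) -> Optional[str]:
    """First printable UTF-16LE run of >= min_len chars after the value name.

    Both byte alignments are tried, because the string may start at an odd
    offset relative to the end of the name. Returns None if nothing is found.
    """
    idx = raw.find(name.encode("ascii"))
    if idx < 0:
        return None
    tail = raw[idx + len(name):]
    pattern = re.compile(r"[\x20-\x7e]{%d,}" % min_len)
    best = None  # (approximate byte offset, text)
    for off in (0, 1):
        chunk = tail[off:]
        chunk = chunk[: len(chunk) - (len(chunk) % 2)]
        m = pattern.search(chunk.decode("utf-16-le", errors="replace"))
        if m:
            pos = off + 2 * m.start()
            if best is None or pos < best[0]:
                best = (pos, m.group())
    return best[1] if best else None


def appinit_verdict(reg_text: str, hive: bytes, windows_key_size: int) -> Dict[str, object]:
    """Compare the API view with the raw bytes and apply Find-All's size hint.

    Find-All's banner gives the 'Windows' key size as 450 by default, 398 with
    no AppInit_DLLs value at all, and roughly 448 or more when the value is faked.
    """
    exported = reg_export_values(reg_text).get("AppInit_DLLs", "")
    raw_value = hive_string_after_name(hive, "AppInit_DLLs") or ""
    if windows_key_size == 450:
        size_hint = "default"
    elif windows_key_size == 398:
        size_hint = "no AppInit_DLLs value"
    else:
        size_hint = "suspect"
    hidden = bool(raw_value.strip()) and exported.strip() == ""
    return {"exported": exported, "raw": raw_value,
            "size_hint": size_hint, "hidden_appinit": hidden}


if __name__ == "__main__":
    print(appinit_verdict(SAMPLE_REG, INFECTED_HIVE, 448))
    print(appinit_verdict(SAMPLE_REG, CLEAN_HIVE, 450))
```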

Sorry, forgot to attach it, doh!

 

Name has been changed to FixRegPro.zip but all the rest is the same.

 

Here it is!

FixRegPro.zip


This is last.txt

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710


Output.txt

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10.1 -6/10 @@@***==--

 

»»»»»»Find-All recent updates:»»»»»»

*Size of Windows key

*Winlogon\notify

*UserInit value

*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)

*Versions of major keys and windows files

*list of active services and drivers (\'FilesList')

*Note:

If using 'Find-All' to clean, be sure to include the link to your

post in the forum!! (I keep recieving files I don't know where they came from...0-0...)

*Note: Reg backup restore will not work if current user

doesn't have 'Admin privileges'! (view »»Group/user section)

 

 

Sun Jun 20 22:15:39 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Versión 5.1.2600]

'Find-All' is running from Drive:

C: "" (311A:1D08) - FS:FAT clusters:32k

Total: 40 006 156 288 [37G] - Free: 9 656 827 904 [9.0G]

 

 

»»IE version and Service packs:

6.0.2600.0 C:\Archivos de programa\Internet Explorer\Iexplore.exe

--a-- W32i APP ESN 6.0.2600.0 shp 91,136 08-24-2001 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;Q316059;q319182;Q321232;Q323759;Q328970;Q324929;Q810847;Q813489;Q818529;Q822925

;Q828750;Q824145;Q832894;

 

»»Google:

2.0.111.0 C:\Archivos de programa\google\googletoolbar1.dll

--a-- W32i DLL ENU 2.0.111.0 shp 770,048 05-04-2004 googletoolbar1.dll

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Archivos de programa\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1120 C:\Archivos de programa\Windows Media Player\mplayer2.exe

--a-- W32i APP ESN 6.4.9.1120 shp 4,639 08-24-2001 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s):

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ESN 5.1.2600.0 shp 67,072 08-24-2001 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ESN 5.1.2600.0 shp 67,072 08-24-2001 notepad.exe

 

»» Regedit* version(s):

5.1.2600.0 C:\WINDOWS\regedit.exe

--a-- W32i APP ESN 5.1.2600.0 shp 139,776 08-24-2001 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-24-2001 regedt32.exe

 

 

»»PC uptime:

10:15pm up 0 days, 0:20

 

»»Locked or 'Suspect' file(s) found...

 

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Tasks (services):

0 System Process

4 System

340 SMSS.EXE

416 CSRSS.EXE Title:

440 WINLOGON.EXE Title: NetDDE Agent

484 SERVICES.EXE Svcs: Eventlog,PlugPlay

496 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

660 SVCHOST.EXE Svcs: RpcSs

736 SVCHOST.EXE Svcs: AudioSrv,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,HidServ,lanmanserver,lanmanworkstation,Netman,Nla,RasAuto,RasMan,Schedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time

848 SVCHOST.EXE Svcs: Dnscache

864 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient

1088 SPOOLSV.EXE Svcs: Spooler

1128 CCEVTMGR.EXE Svcs: ccEvtMgr

1388 EXPLORER.EXE Title: Program Manager

1588 NAVAPSVC.EXE Svcs: navapsvc

1600 NPROTECT.EXE Svcs: NProtectService

1688 HPCDTray.exe Title: HPCDTray_Wnd

1720 Directcd.exe Title: DirectCD

1728 realsched.exe Title: Notification Wnd for RNAdmin

1736 P2P Networking.eP2P Networking UpdateTitle: P2P Networking Update

1744 ccApp.exe Title: Norton AntiVirus

1776 POINT32.EXE Title:

1784 QTTASK.EXE Title: QTPlayer Tray Icon

1792 MsgPlus.exe Title: MPWnd_Hooker

1800 MMTASK.EXE Title: OleMainThreadWndName

1808 CTFMON.EXE Title:

1840 TeaTimer.exe Title:

320 MSNMSGR.EXE Title:

3504 MOZILLA.EXE Title:

3512 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

3624 ntvdm.exe

3948 msmsgs.exe Title:

224 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B5EA026-7B06-471A-BEB3-C5E2B893973B}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"=""

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Usuarios

(ID-IO) ALLOW Read BUILTIN\Usuarios

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Usuarios avanzados

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Usuarios avanzados

(ID-NI) ALLOW Full access BUILTIN\Administradores

(ID-IO) ALLOW Full access BUILTIN\Administradores

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access EDUARDO\Rosillo

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Usuarios

QWCEN-DS-- BUILTIN\Usuarios avanzados

Full access BUILTIN\Administradores

Full access NT AUTHORITY\SYSTEM

Full access EDUARDO\Rosillo

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

 

»»UserInit value:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

 

5.1.2600.0 C:\WINDOWS\System32\userinit.exe

--a-- W32i APP ESN 5.1.2600.0 shp 22,016 08-24-2001 userinit.exe

 

»»Group/user settings:

User: [EDUARDO\Rosillo], is a member of:

 

BUILTIN\Administradores

\Everyone

 

User is a member of group EDUARDO\Ninguno.

User is a member of group \Todos.

User is a member of group BUILTIN\Administradores.

User is a member of group BUILTIN\Usuarios.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Usuarios autentificados.

 

»»ACLs list:

C:\junkxxx No permissions are set. All user have full control.

ERROR: No hay más archivos.

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

R C:\WINDOWS\System32\Drivers\etc\hosts

-r--- - - - - - 975 07-14-2003 hosts

------

»»Rehash:

 

»Strings found:

 

Sun Jun 20 22:16:42 2004 -- ++Find-All backups:

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-20-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-20-2004 findallappinit.reg

A C:\Find-All\winBackup.hiv

A C:\Find-All\Fileslist\modules.txt

A C:\Find-All\Fileslist\services.txt

A C:\Find-All\Fileslist\drivers.txt

A C:\Find-All\Fileslist\windows.txt

A C:\Find-All\Fileslist\copyhosts.txt

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Great, that infection is gone. Please post a new HiJackThis log in this thread so I can review it and do any other necessary cleanup.


Logfile of HijackThis v1.97.7

Scan saved at 11:16:05 p.m., on 20/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Archivos de programa\Norton AntiVirus\navapsvc.exe

C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Archivos de programa\HP CD-Writer\Mmenu\hpcdtray.exe

C:\Archivos de programa\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe

C:\Archivos de programa\Microsoft Hardware\Mouse\point32.exe

C:\Archivos de programa\QuickTime\qttask.exe

C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe

C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe

C:\Archivos de programa\MSN Messenger\msnmsgr.exe

C:\ARCHIV~1\mozilla.org\Mozilla\Mozilla.exe

C:\ARCHIV~1\MESSEN~1\msmsgs.exe

C:\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xrd.best.cd/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [TkBellExe] C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: NeoTrace It! (HKCU)

O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7252.7185416667

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


First:

Check the following Items in HiJackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - (no file)

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

 

Close all open windows except HiJackThis and press 'Fix Checked'

Second:

I recommend that you uninstall P2P Networking through Add/Remove Programs.

If/when asked whether you also want to remove Altnet components, say 'Yes'.

 

P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.

 

Subsequently remove the P2P Networking folder in C:\Windows\System32, if still there.

Third:

You are running an outdated and therefore unsafe version of Internet Explorer.

You NEED to upgrade to IE 6.0 SP1

http://v4.windowsupdate.microsoft.com/en/default.asp

 

(Make sure you get the correct language version for your operating system! ).

 

Next, go to the Windows Update site, and download and install ALL Critical Updates on offer.

That will fix innumerable bugs, update a large number of important system files, and plug many security holes.

 

This step is mandatory if you are to avoid Gaobot, Sasser, and Help file exploits.

Last:

Run HiJackThis again and post a new log in this thread for review.
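As an added example (not the poster's log or the helper's own tooling), here is a small Python triage script that applies the cleanup criteria the helper used above to HijackThis v1.97-style lines: R0/R1 entries pointing a search/start page at a local file or at about:blank, O2 BHOs registered with "(no file)", and O16 ActiveX downloads from hosts outside an allowlist. The sample log, the TRUSTED_DPF_HOSTS allowlist (built from the vendor URLs in the logs above) and the rule that a stock XP Local Page lives under \system32\ are all assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 format; modelled on entries the helper
# above told the poster to fix, plus three benign lines as controls.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = file://C:\\DOCUME~1\\Rosillo\\CONFIG~1\\Temp\\sp.html
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = C:\\WINDOWS\\SYSTEM\\blank.htm
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,HomeOldSP = about:blank
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Archivos de programa\\Norton AntiVirus\\NavShExt.dll
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# Assumption: hosts the poster's ActiveX (O16) controls are expected to come from;
# taken from the vendor URLs in the logs above, not an authoritative list.
TRUSTED_DPF_HOSTS = {
    "messenger.zone.msn.com", "office.microsoft.com", "www.apple.com",
    "download.macromedia.com", "fpdownload.macromedia.com",
    "v4.windowsupdate.microsoft.com", "chat.msn.com",
}

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: .* - \{[0-9A-F-]+\} - (?P<path>.*)$", re.I)
O16_LINE = re.compile(r"^O16 - DPF: \{[0-9A-F-]+\} \(.*\) - (?P<url>\S+)$", re.I)


def flag_line(line: str):
    """Return a reason if the entry matches a cleanup criterion, else None."""
    if m := R_LINE.match(line):
        name, value = m["name"], m["value"]
        if value.lower().startswith("file://"):
            return f"IE '{name}' points at a local HTML file (hijacked search/start page)"
        if name == "HomeOldSP" and value == "about:blank":
            return "HomeOldSP set to about:blank (hijacker leftover)"
        # Assumption: stock XP keeps blank.htm under \system32\; any other
        # location for Local Page is treated as a planted copy.
        if name == "Local Page" and "\\system32\\" not in value.lower():
            return "Local Page does not point at the system32 blank.htm"
    elif m := O2_LINE.match(line):
        if m["path"].strip().lower() == "(no file)":
            return "orphaned BHO registration with no backing DLL"
    elif m := O16_LINE.match(line):
        host = urlparse(m["url"]).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            return f"ActiveX control fetched from unlisted host {host}"
    return None


def triage(log_text: str):
    """Return [(line, reason)] for entries a reviewer would tick for 'Fix checked'."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reason := flag_line(line)):
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Entries the script leaves alone (LinksFolderName, the Norton BHO, the Apple control) are the same ones the helper did not ask to be fixed; anything else should still be reviewed by a person before pressing 'Fix checked'.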


My computer is running a lot better, here is the HijackThis Log:

 

Logfile of HijackThis v1.97.7

Scan saved at 04:06:26 p.m., on 21/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Archivos de programa\HP CD-Writer\Mmenu\hpcdtray.exe

C:\Archivos de programa\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe

C:\Archivos de programa\Norton AntiVirus\navapsvc.exe

C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe

C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Archivos de programa\Microsoft Hardware\Mouse\point32.exe

C:\Archivos de programa\QuickTime\qttask.exe

C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe

C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe

C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe

C:\Archivos de programa\MSN Messenger\msnmsgr.exe

C:\ARCHIV~1\MESSEN~1\msmsgs.exe

C:\Hijack This\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [TkBellExe] C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: NeoTrace It! (HKCU)

O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7252.7185416667

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


Almost there, just a little cleanup and we are finished.

 

Check the following in HiJackThis:

O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - (no file)

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

 

O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom.cab

 

Close all open windows except HiJackThis and press 'Fix Checked'

 

You are running an outdated and therefore unsafe version of Internet Explorer.

You NEED to upgrade to IE 6.0 SP1

http://v4.windowsupdate.microsoft.com/en/default.asp

 

(Make sure you get the correct language version for your operating system! ).

 

Next, go to the Windows Update site, and download and install ALL Critical Updates on offer.

That will fix innumerable bugs, update a large number of important system files, and plug many security holes.

 

This step is mandatory if you are to avoid Gaobot, Sasser, and Help file exploits.

At last, your system is clean and free of spyware! Want to keep it that way?

 

Here are some simple steps you can take to reduce the chance of infection in the future.

 

1. Visit Windows Update:

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

 

2. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

 

3. Download and install the following free programs:

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html

c. IE/Spyad: http://www.staff.uiuc.edu/~ehowes/resource.htm

 

4. Install Spyware Detection and Removal Programs:

You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

a. AdAware: http://www.lavasoft.de/

b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

Good luck, and thanks for coming to our forums for help with your security and malware issues.
