Barry

About:Blank Hijack - Help please

35 posts in this topic

Hi all!

You must have a major pain with this one already but here goes again.....

I'm looking for some help removing about:blank from a friend's PC.

 

I read your FAQ and have downloaded and executed the most recent versions of CWShredder, Ad-Aware, SpyBot, TrojanHunter and HijackThis (plus the latest data files for each) as per your instructions.

 

Please find included my HijackThis log. I am most grateful for any help you can offer. Thank you.

 

Logfile of HijackThis v1.97.7

Scan saved at 16:47:59, on 23/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\smsc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Echo\pfsview.exe

C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

C:\WINDOWS\System32\svchosd.exe

C:\WINDOWS\System32\scrgrd.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\wcpsvcc.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Documents and Settings\Administrator\Application Data\nhdi.exe

C:\Program Files\Echo\engine.exe

C:\Program Files\Echo\taskbar.exe

C:\WINDOWS\System32\wuauclt.exe

D:\Spyware\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {A82E72FF-16C5-42F8-BF3F-EBAE616DCB83} - C:\WINDOWS\System32\pdgm.dll

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe

O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe

O4 - HKLM\..\Run: [ngcdxl] C:\WINDOWS\System32\kdsgjh.exe

O4 - HKLM\..\Run: [upgrade Service] C:\WINDOWS\winupd.exe

O4 - HKLM\..\Run: [Aplune Service] svchosd.exe

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\Run: [Messanger] C:\WINDOWS\deamon.exe /i

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [QUWAWGAL] C:\WINDOWS\NPBPYBP.exe

O4 - HKCU\..\Run: [ClockSync] "C:\PROGRA~1\CLOCKS~1\Sync.exe" /q

O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvcc.exe

O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Assw] C:\Documents and Settings\Administrator\Application Data\nhdi.exe

O4 - Global Startup: CLEANPOP.LNK = C:\i386\regedit.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: SHICRILD.LNK = C:\icrtoild.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: SideStep (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/templates/um2/x.chm::/ad.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/SW.CAB

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadfreenow.com/sites/signed.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\Software\..\Telephony: DomainName = act.ie

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie


Unfortunately, AdAware cannot fix the infection you have completely.

 

Please follow these instructions first:

 

=== Step 1 - Get File Info ===

You have a CoolWebSearch variant which requires special treatment to fix.

 

Download FindnFix.exe from here:

http://freeatlast100.100free.com/index.html or

http://downloads.subratam.org/FINDnFIX.exe

 

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

 

Open the FindnFix folder and double click on !LOG!.bat

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

 

Relax, sit back and wait a few minutes while the program collects the necessary information.

 

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

 

 

When the program is finished:

 

Open the FindnFix folder.

1. Post the contents of Log.txt in this thread.

2. Attach file Win.txt to the same post. (Please attach, do not post)

(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)


Hi LoPhatPhuud, PGPhantom,

 

Thanks for the help.

 

This variant has also hijacked Notepad. When FindNFix was scanning, (and presumably tried to open the resulting TXT files itself), my internet dialler and IE were launched and directed to www.casinopalazzo.com instead of Notepad. So I hope the scan completed successfully.

 

Apologies, I can't see how to attach the Win.txt file so have posted it in the thread.

 

 

Here is the Log.txt file....

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

29/06/2004

11:42am up 0 days, 11:02

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\SQLHL.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group HEWLETT-H56722N\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[SC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[SC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x HEWLETT-H56722N\Administrator

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: HEWLETT-H56722N\Administrator

 

Primary Group: HEWLETT-H56722N\None

 

 

 

»»»»»»Backups created...»»»»»»

11:43am up 0 days, 11:02

29/06/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-29-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-29-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLs.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

Windows

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

=pswapdisk

TransmissionRetryTimeout

USERProcessHandleQuotaM

AppInit

DLLs.

 

**File C:\FINDnFIX\WIN.TXT

Ðÿÿÿvk à ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 Ø(ÍW ° Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ! àÿÿÿvk X °ºSpooler2ðÿÿÿy e s À àÿÿÿvk € =pswapdisk ° ø 8 h   Ðÿÿÿvk ( R¿TransmissionRetryTimeoutÐÿÿÿvk €' M USERProcessHandleQuotaM àÿÿÿ° ø 8 h   Ð Øÿÿÿvk < H p AppInit_DLLs. e Àÿÿÿc : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x

 

 

 

 

 

And Win.txt...

 

 

regf Pugf hbin „†„ ¨ÿÿÿnk, ŠÛ3:YÄ ÿÿÿÿ ÿÿÿÿÿÿÿÿ x ÿÿÿÿ 0 < r o Windows Èþÿÿsk x x ” ì

!

€ ! #

€ # ?

?

?

Ðÿÿÿvk à ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 Ø(ÍW ° Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ! àÿÿÿvk X °ºSpooler2ðÿÿÿy e s À àÿÿÿvk € =pswapdisk ° ø 8 h   Ðÿÿÿvk ( R¿TransmissionRetryTimeoutÐÿÿÿvk €' M USERProcessHandleQuotaM àÿÿÿ° ø 8 h   Ð Øÿÿÿvk < H p AppInit_DLLs. e Àÿÿÿc : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x

 

Thanks again,

 

Barry


This will take a couple or more steps to fix. Be sure to follow the next set of steps carefully, in the exact order specified:

  • Open the "FINDnFIX\Keys1" Subfolder!
  • Locate the "MOVEit.bat" file, Right-Click on it and select => "edit". The file will open as empty text file.
  • Copy and paste the entire highlighted line in the following quote box
    (all one line) into that blank 'MOVEit' file:
    move C:\WINDOWS\System32\SQLHL.DLL C:\junkxxx\SQLHL.DLL

  • Save the file and close.
  • Get ready to restart your computer.
  • In the same folder, DoubleClick on the "FIX.bat" file.
  • You will be prompted by popup Alert to restart in 15 seconds.
  • Allow it to restart the computer!
  • On restart, Navigate to: C:\FINDnFIX\ main folder:
  • DoubleClick on the "RESTORE.bat" file.
  • It'll run and produce a new log (log1.txt). Post it here!

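The logs above carry the signature of this CWS variant: regedit and FindnFix's own value dump both report AppInit_DLLs as empty, the 'Windows' key size (508) is off from the 450 default, and only the raw hive bytes in Win.txt show c:\windows\system32\sqlhl.dll. The following is an added example, not code from this thread and not part of FindnFix, showing that check in Python on constructed sample bytes: decode the value the way a Win32 caller does (stop at the first NUL) and separately scan the full raw data for DLL paths; a path present in the raw bytes but absent from the API view is the hidden entry. The thread does not say exactly how this variant laid the value out, so the leading NUL in front of the path, and the name example.dll in the benign sample, are assumptions of the example.

```python
import re

# Constructed sample data; not a byte-for-byte copy of the Win.txt dump above.
# Three possible raw contents of the REG_SZ value
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
# as they would sit in the SOFTWARE hive (UTF-16LE, NUL-terminated).
# The thread shows the Win32 view of the value as empty while the raw hive
# holds "c:\windows\system32\sqlhl.dll". The exact layout this CWS variant
# used is not stated there; a leading NUL in front of the path is an
# ASSUMPTION of this example that reproduces the same symptom.
SAMPLES = {
    "clean":  "\x00".encode("utf-16-le"),
    # "example.dll" is a hypothetical name standing in for a legitimate entry
    "legit":  "c:\\windows\\system32\\example.dll\x00".encode("utf-16-le"),
    "hidden": "\x00c:\\windows\\system32\\sqlhl.dll\x00".encode("utf-16-le"),
}

# A drive-letter path ending in .dll, stopping at any NUL
_DLL_PATH = re.compile(r"[a-z]:\\[^\x00]*?\.dll", re.IGNORECASE)


def api_view(raw: bytes) -> str:
    """The string a Win32 caller (regedit, RegQueryValueEx, HijackThis) gets:
    UTF-16LE text cut at the first NUL, exactly like a C string."""
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def raw_view(raw: bytes) -> str:
    """Every character in the value data, NULs included (what a hive dump shows)."""
    return raw.decode("utf-16-le", errors="replace")


def hidden_paths(raw: bytes) -> list:
    """DLL paths present in the raw bytes but absent from the API view."""
    visible = api_view(raw).lower()
    return [p for p in _DLL_PATH.findall(raw_view(raw)) if p.lower() not in visible]


def classify(raw: bytes) -> str:
    """One-line verdict for a value's raw bytes."""
    visible = api_view(raw)
    hidden = hidden_paths(raw)
    if hidden:
        return "SUSPECT: API view %r, raw data also holds %s" % (visible, hidden)
    if visible:
        return "VISIBLE entry %r (still verify the file itself)" % visible
    return "empty"


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-7s %4d bytes  %s" % (label, len(raw), classify(raw)))
```

On a real XP box the raw bytes have to come from a hive file (the winBack.hiv backup FindnFix wrote, or an exported copy), not from the registry API: reading the value back through the API simply reproduces the empty string the logs show.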

Hi PGPhantom,

 

Did that...

Had some fun trying to edit MOVEit.bat due to Notepad problems. Also cannot access spywareinfo.com site from the PC.

 

SpyBot-SD Resident detected 3 changes after reboot so I allowed them all guessing they were due to FIX.bat.

 

However, I had to do another reboot and SpyBot again detected changes. They were 1) Global Browser Toolbar - Deleted, 2) Browser Page - Value Changed and 3) Browser Page - Value Changed - msn.com -> about:blank. Not sure if these matter at this stage of the process, but you may need to know??

 

Anyway, here is new log Log1.txt

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

29/06/2004

4:05pm up 0 days, 0:02

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s)...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

No matches found.

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

 

Search text: ÝSTREAMINGDEVICESETUP2Þ ®CASE Insensitive Match

No Files to Search

 

Run Time(sec) 0

 

move C:\WINDOWS\System32\SQLHL.DLL C:\junkxxx\SQLHL.DLL

 

 

»»Permissions:

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x HEWLETT-H56722N\Administrator

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: HEWLETT-H56722N\Administrator

 

Primary Group: HEWLETT-H56722N\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: BUILTIN\Administrators

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

AppInit_DLLs.

 

---------- NEWWIN.TXT

AppInit_DLLs.

**File C:\FINDnFIX\NEWWIN.TXT

**File C:\FINDnFIX\NEWWIN.TXT

00001338: 01 00 00 00 01 00 70 00 . 5F 44 4C 4C 73 2E 00 65 ......p. _DLLs..e

**File C:\FINDnFIX\NEWWIN.TXT

|ñÐÿÿÿvk à ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 Ø(ÍW ° Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ! àÿÿÿvk X °ºSpooler2ðÿÿÿy e s À àÿÿÿvk € =pswapdisk ° ø 8 h   Ðÿÿÿvk ( R¿TransmissionRetryTimeoutÐÿÿÿvk €' M USERProcessHandleQuotaM àÿÿÿ° ø 8 h   Ð Øÿÿÿvk < H p AppInit_DLLs. e Àÿÿÿc : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x ‹Ž‹?;Ãr wIyñ3Àë¸ÿÿÿÿë¸ _^[]ÃU‹ì?ì V?…øþÿÿWPè?ýÿÿ¾€ ?…øþÿÿVÿuPèSúÿÿ?…|ÿÿÿPèoýÿÿV?…|ÿÿÿÿuPè7úÿÿÿu?…tþÿÿPè‚ýÿÿ?…øþÿÿP?…|ÿÿÿP?…tþÿÿP?…ðýÿÿPè†ýÿÿƒÄ83É?…oþÿÿ‹}Šˆ9AH;Î|ò_^ÉÃU‹ì?ì€ €e€ j~?E‚hÿ PÆE?èaùÿÿ?EìPÿuÿuè“ ?E€Pÿuÿuÿuè)ÿÿÿƒÄ(ÉÃU‹ì?ì €e€ j~?E‚hÿ PÆE?èùÿÿ?EìPÿuÿuèL ÿu?… ÿÿÿPÿuÿuèþûÿÿ?… ÿÿÿh€ P?E€PèùÿÿƒÄ4÷ØÀ@ÉÃU‹ì?ì€ €e€ Vj~?E‚hÿ PÆE?èµøÿÿ‹u?EØPÿuVèæ ÿu?EØVVjPèâ ?EìPÿuVèÉ ?E€Pÿuÿuÿuè_þÿÿƒÄH^ÉÃU‹ì?ì €¥ ÿÿÿ Vj~?…ÿÿÿhÿ PÆ…ÿÿÿèEøÿÿ‹u?…lÿÿÿPÿuVès ÿu?E€Pÿuÿuè(ûÿÿ?E€jXP?… ÿÿÿPèGøÿÿƒÄ4…ÀuO?EìjP?…lÿÿÿPè.øÿÿƒÄ…Àu6ÿu?EØVVjPè+ ?EìPÿuVè ?EìjP?EØPèû÷ÿÿƒÄ,÷ØÀ@ë2À^ÉÃU‹ì?ì SVW3Û3À¿ ˆ„üþÿÿ@;Çrôˆ]ÿˆ]þ3ö‹Æ3Ò÷u‹E?Œ5üþÿÿŠŠˆUý EþF¶EþŠ”üþÿÿ;÷?„üþÿÿˆŠMýˆrÄ‹E…Àv]‹u‹}+þ‰EëŠ]þEÿ¶EÿœüþÿÿŠ”üþÿÿ?„üþÿÿ¶Ëˆ]Šœ


You should have two copies of notepad - One in c:\windows and one in c:\windows\system32. Check the properties of each - The correct one should be 64.5 KB (66,048 bytes). If one is not, replace it with the other.

 

To finish this step ...

 

Open the FINDnFIX\Files2 subfolder and run the => "ZIPZAP.bat" file. It will quickly clean the rest.

When done, restart your computer and delete the entire 'FINDnFIX' file and folder(s) from C:\.

Post a follow up HijackThis log when done!

 

You'll be prompted to email the results - Please do so.


Hi PGPhantom,

 

Both versions of Notepad.exe were 66,048 bytes, but the C:\Windows\system32 version had a creation date of 01 January 1980, so I suspected that was the dodgy one and replaced it with the other. That's now fine.

 

I e-mailed the JunkXXX.zip file as requested.

 

Here is the new HJT log...

 

Logfile of HijackThis v1.97.7

Scan saved at 17:47:57, on 29/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\smsc.exe

C:\Program Files\Echo\pfsview.exe

C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

C:\WINDOWS\System32\svchosd.exe

C:\WINDOWS\System32\scrgrd.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Echo\engine.exe

C:\Documents and Settings\Administrator\Application Data\nhdi.exe

C:\WINDOWS\svchost.exe

C:\WINDOWS\System32\NDrv.exe

C:\Program Files\Echo\taskbar.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\Spyware\HijackThis\HijackThis.exe

D:\Spyware\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe

O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe

O4 - HKLM\..\Run: [ngcdxl] C:\WINDOWS\System32\kdsgjh.exe

O4 - HKLM\..\Run: [upgrade Service] C:\WINDOWS\winupd.exe

O4 - HKLM\..\Run: [Aplune Service] svchosd.exe

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\Run: [Messanger] C:\WINDOWS\deamon.exe /i

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\rukyuucj.exe

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [QUWAWGAL] C:\WINDOWS\NPBPYBP.exe

O4 - HKCU\..\Run: [ClockSync] "C:\PROGRA~1\CLOCKS~1\Sync.exe" /q

O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Assw] C:\Documents and Settings\Administrator\Application Data\nhdi.exe

O4 - HKCU\..\Run: [Wandows Deafult Configuration] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvcc.exe

O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe

O4 - Global Startup: CLEANPOP.LNK = C:\i386\regedit.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: SHICRILD.LNK = C:\icrtoild.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: SideStep (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/templates/um2/x.chm::/ad.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/SW.CAB

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadfreenow.com/sites/signed.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\Software\..\Telephony: DomainName = act.ie

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie


Okay, let's get the rest cleared up ...

  1. Please download Symantec's Sasser Worm Removal program and run it to remove the Sasser infection that you have.
  2. Run either of these free online virus scans.
  3. Go into "Add/Remove Programs", look for any of the following and uninstall them: "My Way", "My Way Search", "My Search".
  4. How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder, which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  5. Run HijackThis, click on "Scan", place a check mark in the following boxes (if they still exist), and click on "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html

O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe

O4 - HKLM\..\Run: [ngcdxl] C:\WINDOWS\System32\kdsgjh.exe

O4 - HKLM\..\Run: [upgrade Service] C:\WINDOWS\winupd.exe

O4 - HKLM\..\Run: [Aplune Service] svchosd.exe

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\Run: [Messanger] C:\WINDOWS\deamon.exe /i

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u

O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\rukyuucj.exe

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [QUWAWGAL] C:\WINDOWS\NPBPYBP.exe

O4 - HKCU\..\Run: [ClockSync] "C:\PROGRA~1\CLOCKS~1\Sync.exe" /q

O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [Assw] C:\Documents and Settings\Administrator\Application Data\nhdi.exe

O4 - HKCU\..\Run: [Wandows Deafult Configuration] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvcc.exe

O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe

O4 - Global Startup: CLEANPOP.LNK = C:\i386\regedit.exe

O4 - Global Startup: SHICRILD.LNK = C:\icrtoild.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/templates/um2/x.chm::/ad.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab

• Please reboot into safe mode - How do I boot into "Safe" mode?

• The following FILES, DIRECTORIES and DIRECTORY CONTENTS (but not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check "Show Hidden Files and Folders". If the files etc. listed are not present, do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s). To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.

  1. DIRECTORY CONTENTS (But not the directory)
    • C:\Windows\Temp\
    • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
    • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
    • Empty your "Recycle Bin"

  2. DIRECTORIES

  • C:\PROGRA~1\MyWay\

  3. FILES

  • C:\WINDOWS\System32\NDrv.dll
  • C:\WINDOWS\avserve2.exe
  • C:\WINDOWS\System32\kdsgjh.exe
  • C:\WINDOWS\winupd.exe
  • scrgrd.exe
  • smsc.exe
  • C:\WINDOWS\deamon.exe
  • C:\WINDOWS\mstasks2.exe
  • C:\WINDOWS\System32\rukyuucj.exe
  • scrgrd.exe
  • C:\WINDOWS\NPBPYBP.exe
  • C:\PROGRA~1\CLOCKS~1\Sync.exe
  • scrgrd.exe
  • C:\Documents and Settings\Administrator\Application Data\nhdi.exe
  • C:\WINDOWS\svchost.exe
  • C:\WINDOWS\System32\NDrv.exe
  • C:\WINDOWS\System32\wcpsvcc.exe
  • C:\i386\regedit.exe
  • C:\icrtoild.exe

• Reboot again and log in normally, then post a new HijackThis log into this thread for further review.
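A defender-side triage of the kind of O2/O4/O16 entries picked out above, as an added example that is not part of this thread or of HijackThis itself: it parses HJT-format lines and flags the patterns visible in that log (bare filenames with no path, one-character lookalikes of core process names, svchost.exe running outside System32, a BHO with no file, and a DPF entry routed through ms-its/mhtml). The sample lines are constructed from the log with the hostile download host replaced by a placeholder; the rules are review heuristics, not verdicts.

```python
"""Heuristic triage of HijackThis O2/O4/O16 entries (added example, not HJT code).

Each rule points a reviewer at an entry worth a closer look; none is a verdict.
Windows XP layout is assumed: genuine core processes live in the System32 folder.
"""
import re

# Core process names that hijackers imitate by spelling or by location.
SYSTEM_NAMES = {"svchost.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"
WINDIR = r"c:\windows"

O4_REG = re.compile(r"^O4 - (?P<key>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O16_DPF = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}"
                     r"(?: \((?P<name>[^)]*)\))? - ?(?P<url>.*)$")
EXE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes such as svchosd.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd):
    """Pull the program path out of a Run value such as '"C:\\x\\y.exe" /q'."""
    m = EXE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def check_o4(exe):
    """Rules for one autorun command; returns the list of reasons that fired."""
    reasons = []
    low = exe.lower()
    if "\\" not in low:
        # A bare name is resolved through the PATH, so the log never shows where it lives.
        reasons.append("bare filename, real location not shown (PATH lookup)")
        directory, base = "", low
    else:
        directory, base = low.rsplit("\\", 1)
    if base in SYSTEM_NAMES:
        if directory != SYSTEM32:
            reasons.append("core Windows process name running from outside System32")
    else:
        for name in sorted(SYSTEM_NAMES):
            if levenshtein(base, name) == 1:
                reasons.append(f"one-character lookalike of {name}")
                break
    if directory == WINDIR:
        reasons.append("executable dropped directly into the Windows directory")
    if "\\application data" in directory or "\\local settings\\temp" in directory:
        reasons.append("executable inside a user profile data directory")
    return reasons


def triage(lines):
    """Return (entry, reason) pairs for every entry a reviewer should look at."""
    findings = []
    for line in lines:
        line = line.rstrip()
        m4 = O4_REG.match(line) or O4_STARTUP.match(line)
        m2 = O2_BHO.match(line)
        m16 = O16_DPF.match(line)
        if m4:
            for reason in check_o4(executable_of(m4.group("cmd"))):
                findings.append((line, reason))
        elif m2 and m2.group("path").strip() == "(no file)":
            findings.append((line, "orphaned BHO: CLSID registered but no file on disk"))
        elif m16:
            url = m16.group("url").strip().lower()
            if m16.group("name") is None:
                findings.append((line, "ActiveX download entry with no control name"))
            if url.startswith(("ms-its:", "mhtml:")) or "::/" in url:
                findings.append((line, "ActiveX entry routed through the CHM/MHTML protocol handlers"))
    return findings


# Constructed sample modelled on the log quoted above; the hostile download
# host is replaced by a placeholder.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Messanger] C:\WINDOWS\deamon.exe /i
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Wandows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Assw] C:\Documents and Settings\Administrator\Application Data\nhdi.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://placeholder.invalid/x.chm::/ad.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/SW.CAB
""".strip().splitlines()

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```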


Barry, based on your logs the procedure didn't work at all!

The file wasn't moved and your hiv is still infected...

 

»»»*»»» Scanning for moved file... »»»*»»»

 

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

 

Search text: ÝSTREAMINGDEVICESETUP2Þ ®CASE Insensitive Match

No Files to Search

 

 

---------- NEWWIN.TXT

 

AppInit_DLLs. e Àÿÿÿc : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x ‹Ž‹?;Ãr wIyñ3Àë

 

However, FINDnFIX makes certain backups.

Considering your loads of trojans, there is no point following this process until ALL else is gone!

I suggest you get some good disinfection, follow the last set of steps and post a follow-up HijackThis log!

Your AboutBlank problem is still there, but should be taken care of at a later stage!


Hi freeatlast, PGPhantom,

 

Made some progress today, but still lots to do I think. freeatlast, I couldn't install any Anti-Virus software, so I attempted to follow instructions in PGPhantom's last post to try and get the AV installed....

 

Couldn't run Symantec Sasser Fix - keeps crashing....

Couldn't run either of the online Virus scanners.

Ran CWShredder 1.59.0.1 and cleaned some stuff. (SpyBot subsequently detected and blocked sp.html and about:blank re-entry attempts).

Ran HijackThis and cleaned the entries as per PGPhantom's last post.

Deleted the files and folders in Safe Mode as per PGPhantom's instructions.

BUT, I couldn't find some of the files, in particular SCRGRD.exe. Nasty f****r....

 

Also couldn't find:

 

C:\WINDOWS\System32\NDrv.dll

C:\WINDOWS\avserve2.exe

C:\WINDOWS\System32\kdsgjh.exe

C:\WINDOWS\winupd.exe

scrgrd.exe

C:\PROGRA~1\CLOCKS~1\Sync.exe

C:\WINDOWS\svchost.exe (except in SYSTEM32 directory so left it there :unsure: )

C:\WINDOWS\System32\wcpsvcc.exe

C:\icrtoild.exe

 

I did find some of the above in the Windows\Prefetch directory with "some HEX number.pf" extensions, so deleted those. NPBPYBP.exe.vir was found, so deleted that as well :unsure:

 

After this, I finally managed to install Norton Internet Security 2004 and eventually got LiveUpdate to run. However, I can't run Norton AntiVirus to clean any viruses. Keep getting an exception error that their website says is supposed to be fixed in the latest version of NAV.

 

Both Norton and SpyBot flagged SCRGRD.exe on re-boot, so I set it to block and delete it every time. Dunno if that will prevent it re-appearing or not.

 

Sorry everything is a bit all over the shop :scratchhead:

 

Also, I can't run Windows Update to get latest security patches.

 

Here's the latest HJT log....

 

Logfile of HijackThis v1.97.7

Scan saved at 17:59:42, on 30/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Echo\pfsview.exe

C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE

C:\Program Files\Echo\engine.exe

C:\Program Files\Echo\taskbar.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

D:\Spyware3\HijackThis\HijackThis29.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe

O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKCU\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: SideStep (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {11111111-1111-1111-1111-111111111157} -

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/SW.CAB

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadfreenow.com/sites/signed.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\Software\..\Telephony: DomainName = act.ie

O17 - HKLM\System\CCS\Services\Tcpip\..\{E661BB84-A34C-4374-907A-3F93A2A2A30B}: NameServer = 159.134.237.6 159.134.248.17

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie

 

The Samaritans won't even accept my calls any more!!!!

Help please...


First:

1. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'Default Level', then OK.

Now press 'Custom Level'.

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and script ActiveX controls not marked as safe' to 'Disable'.

Second:

2. Download and install the following free programs

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

Third:

Please go here and do an AV scan at one (preferably two) of the following:

Panda's Active Scan

http://www.pandasoftware.com/activescan/co...n_principal.htm

 

Trend Micro (PC-cillin) - Free on-line Scan

http://housecall.antivirus.com

 

RAV Antivirus Online Scan

http://www.ravantivirus.com/scan/

 

eTrust AV web scanner (Computer Associates)

http://www3.ca.com/virusinfo/virusscan.aspx

Fourth:

You can download Notepad from here:

http://www.spywareinfo.com/~merijn/winfiles.html#notepad

Fifth:

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

 

Check the following items in HijackThis.

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

 

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe

O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe

 

O16 - DPF: {11111111-1111-1111-1111-111111111157} -

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

Close all windows except HijackThis and click Fix checked.

 

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)

C:\Windows\System32\scrgrd.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406

**Show Hidden and System files and folders

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

 

Reboot in normal mode.

 

Run HiJackThis again and post a new log in this thread.


Hi LoPhatPhuud,

 

I appreciate your perseverance.

 

First:

1. Although logged in as Administrator, I couldn't adjust the security settings for ActiveX controls. I did as instructed but the following keeps happening...

 

In the ActiveX section, I set the first option, 'Download signed controls', to 'Prompt', which it appeared to do fine, and clicked OK. However, when I go back in to check it, it is immediately set back to 'Disable'.

 

I tried to do it through the Control Panel, where it appears to maintain the setting I change it to, but when I again look at the options through Internet Explorer, it is always reset to 'Disable'.

 

Second:

2. I downloaded and installed both SpyWareBlaster and IE/Spyad. SpyWareBlaster installed OK, but crashed when attempting to download the latest definition files.

 

Third:

Can't enable the ActiveX control download (pls see first above), so I can't get any of the online virus scanners to run. Tried them all.

 

I did manage to get Norton AntiVirus (with the latest definitions) to run and it found about 50 threats, 17 of which could not be deleted.

 

Fourth:

Downloaded and replaced the two suspect versions of Notepad OK.

 

Fifth:

Fixed all the items in HJT, plus a number of SP.HTML and about:blank entries and another suspect .dll with a creation date of today.

 

Rebooted in Safe Mode but (after unchecking the boxes for hiding known file extensions and hiding protected operating system files), I still could not see C:\Windows\System32\scrgrd.exe. Ran a full system search as well as a visual search.

 

Rebooted in normal mode.

about:blank is now back as home page.

 

:rofl:

 

Here's the new HJT log.

 

Logfile of HijackThis v1.97.7

Scan saved at 16:15:38, on 01/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Echo\pfsview.exe

C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Echo\engine.exe

C:\Program Files\Echo\taskbar.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

D:\HijackThis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe

O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: SideStep (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {11111111-1111-1111-1111-111111111157} -

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/SW.CAB

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadfreenow.com/sites/signed.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\Software\..\Telephony: DomainName = act.ie

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie

 

Thanks for your help


Barry

 

I believe I have an idea what the problem is, and I need to check. Please bear with us.

 

Download the following file:

http://tools.zerosrealm.com/pv.zip

 

Unzip the file to the desktop (it will make its own folder)

 

Be sure at least one Internet Explorer window is open

 

Open the PV folder and double click on 'runme.bat'

 

Select Option 2

 

Notepad will open with a log file.

 

Post the log file in this thread


Hi LoPhatPhuud,

 

I'm more than happy to bear with you :thumbsup:

 

Am really grateful for your time, effort and patience.

 

Here's the PV Log file as requested...

 

Module information for 'IEXPLORE.EXE'

MODULE BASE SIZE PATH

IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer

ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL

kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL

msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL

USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL

GDI32.dll 77c70000 253952 C:\WINDOWS\system32\GDI32.dll 5.1.2600.132 (xpclnt_qfe.021108-2107) GDI Client DLL

ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API

RPCRT4.dll 78000000 450560 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.109 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime

SHLWAPI.dll 63180000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library

SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library

IMM32.DLL 76390000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL

LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack

USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0407.2600.0 (xpclient.010817-1148) Uniscribe Unicode script processor

sqlhl.dll 61c00000 61440 c:\windows\system32\sqlhl.dll

comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library

THSec.dll 61000000 114688 C:\Program Files\TrojanHunter 3.9\THSec.dll

oleaut32.dll 77120000 569344 C:\WINDOWS\system32\oleaut32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

OLE32.DLL 771b0000 1114112 C:\WINDOWS\system32\OLE32.DLL 5.1.2600.115 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows

SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll

comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library

uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library

asOEHook.dll 10000000 196608 C:\PROGRA~1\COMMON~1\SYMANT~1\ANTISPAM\asOEHook.dll 2004.1.03.7 AntiSpam OE Hook

MSVCR70.dll 7c000000 344064 C:\WINDOWS\System32\MSVCR70.dll 7.00.9466.0 Microsoft® C Runtime Library

BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library

shdoclc.dll a80000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library

browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library

appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library

CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42

COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42

VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries

WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32

CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32

MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs

Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface

cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI

CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent

SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API

NISShExt.dll ea0000 131072 C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll 7.0.0.177 NIS Shell Extension

NavShExt.dll ec0000 98304 C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll 10.00.13 Norton AntiVirusNAVShellExt Module

ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)

MSVCP70.dll 7c080000 487424 C:\WINDOWS\System32\MSVCP70.dll 7.00.9466.0 Microsoft® C++ Runtime Library

AcroIEHelper.dll f50000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX

SDHelper.dll f60000 765952 C:\Program Files\Spybot - Search & Destroy\SDHelper.dll 1, 3, 0, 12 Bad download blocker

olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft ® OLE Property Support DLL

urlmon.dll 1a400000 495616 C:\WINDOWS\system32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32

mshtml.dll 63580000 2777088 C:\WINDOWS\System32\mshtml.dll 6.00.2737.800 Microsoft ® HTML Viewer

MSRATING.dll 5ff20000 143360 C:\WINDOWS\System32\MSRATING.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Ratings and Local User Management DLL

WSOCK32.dll 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL

WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL

WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT

msratelc.dll 5ff50000 69632 C:\WINDOWS\System32\msratelc.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Ratings and Local User Management DLL

MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL

msimtf.dll 746f0000 167936 C:\WINDOWS\System32\msimtf.dll 5.1.2600.0 (xpclient.010817-1148) Active IMM Server DLL

MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL

MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file

msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component

Module information for 'IEXPLORE.EXE'

MODULE BASE SIZE PATH

IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer

ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL

kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL

msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL

USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL

GDI32.dll 77c70000 253952 C:\WINDOWS\system32\GDI32.dll 5.1.2600.132 (xpclnt_qfe.021108-2107) GDI Client DLL

ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API

RPCRT4.dll 78000000 450560 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.109 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime

SHLWAPI.dll 63180000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library

SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library

IMM32.DLL 76390000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL

LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack

USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0407.2600.0 (xpclient.010817-1148) Uniscribe Unicode script processor

sqlhl.dll 61c00000 61440 c:\windows\system32\sqlhl.dll

comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library

THSec.dll 61000000 114688 C:\Program Files\TrojanHunter 3.9\THSec.dll

oleaut32.dll 77120000 569344 C:\WINDOWS\system32\oleaut32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

OLE32.DLL 771b0000 1114112 C:\WINDOWS\system32\OLE32.DLL 5.1.2600.115 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows

SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll

comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library

uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library

asOEHook.dll 10000000 196608 C:\PROGRA~1\COMMON~1\SYMANT~1\ANTISPAM\asOEHook.dll 2004.1.03.7 AntiSpam OE Hook

MSVCR70.dll 7c000000 344064 C:\WINDOWS\System32\MSVCR70.dll 7.00.9466.0 Microsoft® C Runtime Library

BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library

shdoclc.dll a80000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library

browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library

appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library

CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42

COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42

VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries

WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32

CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32

MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs

Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface

cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI

CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent

SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API

NISShExt.dll ea0000 131072 C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll 7.0.0.177 NIS Shell Extension

NavShExt.dll ec0000 98304 C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll 10.00.13 Norton AntiVirusNAVShellExt Module

ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)

MSVCP70.dll 7c080000 487424 C:\WINDOWS\System32\MSVCP70.dll 7.00.9466.0 Microsoft® C++ Runtime Library

AcroIEHelper.dll f50000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX

SDHelper.dll f60000 765952 C:\Program Files\Spybot - Search & Destroy\SDHelper.dll 1, 3, 0, 12 Bad download blocker

olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft ® OLE Property Support DLL

urlmon.dll 1a400000 495616 C:\WINDOWS\system32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32

mshtml.dll 63580000 2777088 C:\WINDOWS\System32\mshtml.dll 6.00.2737.800 Microsoft ® HTML Viewer

MSRATING.dll 5ff20000 143360 C:\WINDOWS\System32\MSRATING.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Ratings and Local User Management DLL

WSOCK32.dll 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL

WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL

WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT

msratelc.dll 5ff50000 69632 C:\WINDOWS\System32\msratelc.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Ratings and Local User Management DLL

MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL

msimtf.dll 746f0000 167936 C:\WINDOWS\System32\msimtf.dll 5.1.2600.0 (xpclient.010817-1148) Active IMM Server DLL

MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL

MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file

msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component

netapi32.dll 71c20000 315392 C:\WINDOWS\System32\netapi32.dll 5.1.2600.122 (xpclnt_qfe.021108-2107) Net Win32 API DLL

MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL

drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider

ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Lan Manager

NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes

NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes

NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL

SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL

davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL

sti.dll 73ba0000 73728 C:\WINDOWS\System32\sti.dll 5.1.2600.0 (XPClient.010817-1148) Still Image Devices client DLL

CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL

WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL

serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver

umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module

wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper

msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper

MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter

midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper

RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.0 (xpclient.010817-1148) Remote Access API

rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager

TAPI32.dll 76eb0000 172032 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows Telephony API Client DLL

rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities

mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider

wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL

USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv

DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL

winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL

WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL

rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper

iepeers.dll 66e50000 241664 C:\WINDOWS\System32\iepeers.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer Peer Objects

WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver

mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft ® HTML Editing Component

scrauth.dll 2630000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 1, 131 ScriptBlocking Authenticator

ScrBlock.dll 2650000 131072 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 1, 131 ScriptBlocking

wintrust.dll 76c30000 176128 C:\WINDOWS\System32\wintrust.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs

IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper

rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider

jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll 5.6.0.8513 Microsoft ® JScript

SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5


Would you please post a new HiJackThis log in this thread as well as the following:

 

Download this file:

www.zerosrealm.com/downloads/pv.zip

 

Unzip to the desktop (It will create its own folder)

 

Open the PV folder and double click on runme.bat

 

Select Option 8, then Option 4 and post the log in this thread.

 


Hi LoPhatPhuud,

 

I'm away on holiday from today until Monday the 12th, so I won't be able to do anything during that time. As soon as I return, I will get back to this fix. Talk to you then. Thanks again.

 

Here are the latest logs as requested...

 

Logfile of HijackThis v1.97.7

Scan saved at 12:05:25, on 03/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Echo\pfsview.exe

C:\Program Files\Echo\engine.exe

C:\Program Files\Echo\taskbar.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\HPWHTBX.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O2 - BHO: (no name) - {E304C252-30D5-4B97-8650-CE7F37434ACD} - C:\WINDOWS\System32\ipcpl.dll

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe

O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: SideStep (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {11111111-1111-1111-1111-111111111157} -

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/SW.CAB

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadfreenow.com/sites/signed.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\Software\..\Telephony: DomainName = act.ie

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie

 

 

 

And Proto.txt...

 

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/html]

"CLSID"="{F8EAB454-851A-4A78-AA34-42FEF93D5490}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/plain]

"CLSID"="{F8EAB454-851A-4A78-AA34-42FEF93D5490}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


Hi LoPhatPhuud,

 

I'm back in action.

Have you had a chance to look at my latest logs?

 

Barry


Sam, we need to remove the HiJacker but I want to determine which way to go.

 

First:

=== Step 1 - Get File Info ===

You have a CoolWebSearch variant which requires special treatment to fix.

 

Download FindnFix.exe from here:

http://freeatlast100.100free.com/ or

http://downloads.subratam.org/FINDnFIX.exe

 

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

 

Open the FindnFix folder and double click on !LOG!.bat

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

 

Relax, sit back and wait a few minutes while the program collects the necessary information.

 

*NOTE: If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

 

 

When the program is finished:

 

Open the FindnFix folder.

1. Post the contents of Log.txt in this thread.

2. Attach file Win.txt to the same post. (Please attach, do not post)

(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)

 

 

Then:

There is a new version of HiJackThis available (198.0).

 

Download *Hijack This!*

http://209.133.47.12/~merijn/files/HijackThis.exe

http://downloads.net-integration.net/HijackThis.exe

http://www.computercops.biz/downloads-file-328.html

 

Install the new version, run it, and post a new log in this thread.


Hi LoPhatPhuud,

 

FindNFix is no longer available from those sites, so I am using the same version that I downloaded about two weeks ago.

 

Here are the latest log files as requested.

 

1) Log.TXT...

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

12/07/2004

7:25pm up 11 days, 3:18

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\SQLHL.DLL +++ File read error

\\?\C:\WINDOWS\System32\SQLHL.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group HEWLETT-H56722N\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x HEWLETT-H56722N\Administrator

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: HEWLETT-H56722N\Administrator

 

Primary Group: HEWLETT-H56722N\None

 

 

 

»»»»»»Backups created...»»»»»»

7:27pm up 11 days, 3:20

12/07/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 07-12-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-12-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLs.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

Windows

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

=pswapdisk

TransmissionRetryTimeout

USERProcessHandleQuotaM

AppInit

DLLs.

 

**File C:\FINDnFIX\WIN.TXT

Ðÿÿÿvk à ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 Ø(ÍW ° Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ! àÿÿÿvk X °ºSpooler2ðÿÿÿy e s À àÿÿÿvk € =pswapdisk ° ø 8 h   Ðÿÿÿvk ( R¿TransmissionRetryTimeoutÐÿÿÿvk €' M USERProcessHandleQuotaM àÿÿÿ° ø 8 h   Ð Øÿÿÿvk < H p AppInit_DLLs. e Àÿÿÿc : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x

 

 

Apologies, I can't see how to attach a file so have to post this.

 

2) Win.TXT...

 

 

 

 

3) HijackThis.LOG (From new version 1.98.0.0)

 

Logfile of HijackThis v1.98.0

Scan saved at 19:31:21, on 12/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Echo\pfsview.exe

C:\Program Files\Echo\engine.exe

C:\Program Files\Echo\taskbar.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\HPWHTBX.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\explorer.exe

D:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O2 - BHO: (no name) - {E304C252-30D5-4B97-8650-CE7F37434ACD} - C:\WINDOWS\System32\ipcpl.dll

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe

O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {11111111-1111-1111-1111-111111111157} -

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadfreenow.com/sites/signed.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\Software\..\Telephony: DomainName = act.ie

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie

O18 - Filter: text/html - {F8EAB454-851A-4A78-AA34-42FEF93D5490} - C:\WINDOWS\System32\ipcpl.dll

O18 - Filter: text/plain - {F8EAB454-851A-4A78-AA34-42FEF93D5490} - C:\WINDOWS\System32\ipcpl.dll


=== Unlock and Show Hidden dll ===

Download the following: (freeware)

'Salamand.zip' from:

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

 

Download 'Registrar Lite' from here:

http://www.resplendence.com/reglite

 

Unzip 'Salamand.zip' to its own folder.

 

Install 'Registrar Lite'.

 

 

Now we are going to get rid of the hidden DLL that is causing all the problems.

 

First we need to make it visible:

Copy and paste this line to reglite's address bar. Then press 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Rename the Folder Windows to NotWindows

(the folder is highlighted as a purple folder in the left hand pane of Reglite)

 

Click "AppInit_DLLs" again and clear the data value:

C:\WINDOWS\System32\SQLHL.DLL <-- delete this line,

'Apply' and 'ok' to set.

 

Rename the NotWindows folder back to its original name Windows

Restart your computer.

 

 

=== Locate, Move, and Delete Hidden dll ===

Run Salamand.exe.

 

Using the Menu Items at the top, do the following:

(wherever 'enter' is used, you may cut and paste the bold faced text instead)

a. Left --> Change Drive --> select 'C:'

b. Right --> Change Drive --> select 'C:'

c. Commands --> Create Directory --> enter junk --> press 'OK'

d. Options --> Command Line (be sure it is checked)

e. Commands --> Change Directory --> enter C:\windows\system32 --> press 'OK'

f. Commands --> Find Files… --> press 'Edit'; in 'Search For' enter SQLHL.DLL, Uncheck 'Include subdirectories', press 'OK', press 'Start'; the file will be listed in the lower pane.

g. Press 'Focus'

h. Files --> Move/Rename --> enter c:\junk, press 'OK'

i. Left --> Change Drive --> select 'C:'

 

Into the narrow command window at the bottom (starts with 'c:\>')

Copy and paste the following command, then press 'Enter'

 

cacls %SYSTEMDRIVE%\junk\*.dll /t /e /g Administrators:f & cacls %SYSTEMDRIVE%\junk /t /e /g Administrators:f

(you should get 'Processed…' confirmation message)

 

Copy and paste the following command, then press 'Enter'

attrib -r \\?\%SYSTEMDRIVE%\junk\*.dll & ren \\?\%SYSTEMDRIVE%\junk\*.dll *.111

(there should be no confirmation message)

 

In the left pane:

a. Click on the 'junk' folder

b. Files --> Delete, press 'Yes'

 

 

=== Fix Registry Permissions ===

Download the attached 'FixRegPro.zip'

 

Unzip 'FixRegPro.zip' to the Desktop.

 

Double Click on the 'FixReg' folder.

Double Click on the 'FixReg.bat' file.

Post the 'last.txt' to this thread.

 

Open the 'Find-All' folder

Double Click on 'Find-All.bat'

Post the 'output.txt' in this thread.

 

 

=== Clean Remaining Infection ===

Please Download CoolWebShredder, from

http://www.merijn.org/files/cwshredder.zip

http://www.zerosrealm.com/downloads/CWShredder.zip

 

Extract CWShredder to its own folder,

Click the 'Fix ->' button.

Make sure you let it fix all CWS Remnants.

 

Next:

Download the latest version of Ad-Aware at

http://www.lavasoft.de/software/adaware/

 

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html

 

Select 'custom options'.

Select your drive, scan and fix all it finds.

 

Last:

Post a new HiJackThis log in this thread.

FixRegPro.zip

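
The null-padded AppInit_DLLs value that FindnFix reported (the `SZ \0\0\0...` line, and the 16-bit string scan that turned up sqlhl.dll behind it) is the mechanism behind the hidden DLL the instructions above remove: a reader that treats REG_SZ data as a C string stops at the first NUL and shows an empty value, while the loader still finds the path further along. The following is an added Python example, not code from this thread, from FindnFix or from Registrar Lite; it applies that detection logic to a raw value buffer and grades the key size against the reference sizes FindnFix prints. The sample buffer is constructed to mirror the log, not captured from the machine.

```python
"""Spot a DLL path hidden behind leading NULs in an AppInit_DLLs REG_SZ value."""
from __future__ import annotations

# Reference key sizes as printed by FindnFix in the Log.txt above.
DEFAULT_WINDOWS_KEY_SIZE = 450
NO_APPINIT_KEY_SIZE = 398
KNOWN_INFECTED_KEY_SIZES = {448, 504, 512}

# Constructed sample (not captured data): a run of NULs, then the DLL path
# reported in the thread, then the normal REG_SZ terminator, all UTF-16LE.
SAMPLE_APPINIT_RAW = (
    ("\x00" * 29 + r"c:\windows\system32\sqlhl.dll").encode("utf-16-le")
    + b"\x00\x00"
)


def visible_string(raw: bytes) -> str:
    """What a naive REG_SZ reader displays: the text up to the first NUL."""
    text = raw.decode("utf-16-le", errors="replace")
    nul = text.find("\x00")
    return text if nul < 0 else text[:nul]


def hidden_strings(raw: bytes) -> list[str]:
    """Every non-empty run in the whole buffer, including runs behind NULs."""
    text = raw.decode("utf-16-le", errors="replace")
    return [seg for seg in text.split("\x00") if seg.strip()]


def hidden_dll_paths(raw: bytes) -> list[str]:
    """DLL paths present in the raw data that the naive reading does not show."""
    shown = visible_string(raw)
    return [s for s in hidden_strings(raw)
            if s.lower().endswith(".dll") and s != shown]


def key_size_verdict(size: int) -> str:
    """Classify the Windows key size against FindnFix's reference values."""
    if size == DEFAULT_WINDOWS_KEY_SIZE:
        return "default"
    if size == NO_APPINIT_KEY_SIZE:
        return "no AppInit_DLLs value"
    if size in KNOWN_INFECTED_KEY_SIZES:
        return "known infected size"
    return "non-default (inspect)"


def assess(raw: bytes, key_size: int) -> dict:
    """Combine both checks into one verdict for a given value and key size."""
    hidden = hidden_dll_paths(raw)
    size_ok = key_size in (DEFAULT_WINDOWS_KEY_SIZE, NO_APPINIT_KEY_SIZE)
    return {
        "visible": visible_string(raw),
        "hidden_dlls": hidden,
        "key_size": key_size_verdict(key_size),
        "suspicious": bool(hidden) or not size_ok,
    }


if __name__ == "__main__":
    # 508 is the key size FindnFix reported for this machine.
    for field, value in assess(SAMPLE_APPINIT_RAW, 508).items():
        print(f"{field}: {value!r}")
```

On the sample, `visible_string` returns an empty string, exactly what Registrar Lite and a plain registry read show, while `hidden_dll_paths` returns the sqlhl.dll path that the 16-bit scan found.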

Hi LoPhatPhuud,

 

Bad news, I'm afraid... this is a tricksy DLL!!!

 

Despite repeated attempts, Registrar Lite is not able to remove SQLHL.DLL from the Appinit_DLLs value field. I followed instructions exactly - copy and paste of address, rename of Windows folder, and deleted the line C:\WINDOWS\System32\SQLHL.DLL from the Value field, clicked Apply and OK to set. It appears deleted, but on reboot, or restart of Registrar Lite the value remains there.

 

I didn't think it would work without successful completion of step 1, but I tried anyway to locate and delete SQLHL.DLL using Salamand. When I Start the Search, SQLHL.DLL is not found.

 

Have included the latest log files from FindNFix and HijackThis although they are probably the same as the last pass.

 

Please don't give up :wave:

 

 

Log.TXT

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

14/07/2004

3:17pm up 0 days, 0:10

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\SQLHL.DLL +++ File read error

\\?\C:\WINDOWS\System32\SQLHL.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access HEWLETT-H56722N\Administrator

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access HEWLETT-H56722N\Administrator

 

 

»»Member of...: (Admin logon required!)

User is a member of group HEWLETT-H56722N\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x HEWLETT-H56722N\Administrator

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: HEWLETT-H56722N\Administrator

 

Primary Group: HEWLETT-H56722N\None

 

 

 

»»»»»»Backups created...»»»»»»

3:19pm up 0 days, 0:11

14/07/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 07-12-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-12-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLs.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

Windows

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

=pswapdisk

TransmissionRetryTimeout

USERProcessHandleQuotaM

AppInit

DLLs.

 

**File C:\FINDnFIX\WIN.TXT

Ðÿÿÿvk à ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 Ø(ÍW ° Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ! àÿÿÿvk X °ºSpooler2ðÿÿÿy e s À àÿÿÿvk € =pswapdisk ° ø 8 h   Ðÿÿÿvk ( R¿TransmissionRetryTimeoutÐÿÿÿvk €' M USERProcessHandleQuotaM àÿÿÿ° ø 8 h   Ð Øÿÿÿvk < H p AppInit_DLLs. e Àÿÿÿc : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x

 

 

Win.TXT

 

regf ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¯Š˜™ hbin ¨ÿÿÿnk, 0õŠ‘ê]Ä ÿÿÿÿ ÿÿÿÿÿÿÿÿ x ÿÿÿÿ 0 < r o Windows Èþÿÿsk x x ” ì

!

€ ! #

€ # ?

?

?

Ðÿÿÿvk à ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 Ø(ÍW ° Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ! àÿÿÿvk X °ºSpooler2ðÿÿÿy e s À àÿÿÿvk € =pswapdisk ° ø 8 h   Ðÿÿÿvk ( R¿TransmissionRetryTimeoutÐÿÿÿvk €' M USERProcessHandleQuotaM àÿÿÿ° ø 8 h   Ð Øÿÿÿvk < H p AppInit_DLLs. e Àÿÿÿc : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x

 

HijackThis.LOG

 

 

Logfile of HijackThis v1.98.0

Scan saved at 15:21:52, on 14/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Echo\pfsview.exe

C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Echo\engine.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\Program Files\Echo\taskbar.exe

C:\WINDOWS\System32\wuauclt.exe

D:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O2 - BHO: (no name) - {E304C252-30D5-4B97-8650-CE7F37434ACD} - C:\WINDOWS\System32\ipcpl.dll

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe

O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {11111111-1111-1111-1111-111111111157} -

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadfreenow.com/sites/signed.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\Software\..\Telephony: DomainName = act.ie

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie

O18 - Filter: text/html - {F8EAB454-851A-4A78-AA34-42FEF93D5490} - C:\WINDOWS\System32\ipcpl.dll

O18 - Filter: text/plain - {F8EAB454-851A-4A78-AA34-42FEF93D5490} - C:\WINDOWS\System32\ipcpl.dll

 

Thanks,

 

Barry

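The FindNFix output above shows the discrepancy this thread is fighting: read through the registry API, AppInit_DLLs comes back as a run of \0 characters or an empty string, yet the raw hive bytes in WIN.TXT still spell out c:\windows\system32\sqlhl.dll as UTF-16LE. The Python below is an added example, not code from the thread, from FindNFix or from any tool named here. It reproduces the idea of the "16bit string scan" on a constructed hive-like byte fragment: the fragment's layout and the leading-NUL trick that makes an API-style read return "" are assumptions chosen to illustrate the effect, not a claim about how this particular hijacker stored its value.

```python
import re
from typing import List

# Constructed sample data (assumption, not bytes from the page): REG_SZ data lives
# in the hive as UTF-16LE. Here it starts with NUL characters, so a reader that
# stops at the first NUL reports an empty string while the path is still there.
HIDDEN_PATH = r"c:\windows\system32\sqlhl.dll"
SAMPLE_VALUE_DATA = b"\x00\x00" * 8 + HIDDEN_PATH.encode("utf-16-le") + b"\x00\x00"

# Simplified stand-in for a run of hive value cells: names stored as ASCII,
# data as UTF-16LE. This is not the real hive cell format, only its byte flavour.
SAMPLE_HIVE_FRAGMENT = (
    b"vk\x00\x00" + b"AppInit_DLLs" + b"\x00" * 4 + SAMPLE_VALUE_DATA
    + b"vk\x00\x00" + b"Spooler" + b"\x00" * 3 + "yes".encode("utf-16-le") + b"\x00\x00"
)


def as_c_string(data: bytes) -> str:
    """Decode REG_SZ data the way a NUL-terminated string reader does."""
    text = data.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def find_utf16le_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return every run of at least min_len printable UTF-16LE characters.

    This ignores structure entirely and just looks at bytes, which is why it
    still sees a path that the API-level dump rendered as nothing.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group(0).decode("utf-16-le") for m in pattern.finditer(data)]


def find_dll_paths(data: bytes) -> List[str]:
    """Narrow the string scan to DLL paths, which is what AppInit_DLLs loads."""
    return [s for s in find_utf16le_strings(data) if s.lower().endswith(".dll")]


def scan_hive_file(path: str) -> List[str]:
    """Run the DLL-path scan over a saved hive file (for example one written by 'reg save')."""
    with open(path, "rb") as fh:
        return find_dll_paths(fh.read())


if __name__ == "__main__":
    print("API-style read of AppInit_DLLs:", repr(as_c_string(SAMPLE_VALUE_DATA)))
    print("raw string scan found:", find_dll_paths(SAMPLE_HIVE_FRAGMENT))
```

The practical lesson is the one the helper applied: when a value looks empty in a registry editor but something keeps loading, compare the editor's view with a byte-level scan of the hive (or of a backup such as the winBack.hiv the tool saved) before concluding the entry is gone.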

Please delete the FindnFix folder from your computer. The author has requested that we not use it and I will respect her wishes.

 

I know the method I gave you works and from your reply, I believe there was a mistake on your end, but I need confirmation. I do not see where you renamed the key Not Windows back to Windows. Failure to do that will result in re-installation of the entry, which appears to have happened.

 

Here are the steps summarized:

 

1. Using Reglist, go to this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

2. In the left pane, click on the purple folder and rename the Windows key to Not Windows.

 

3. Double click on the AppInit_DLLs value and erase the file name.

 

4. Save the change.

 

5. Rename the key Not Windows back to Windows and save the change.

 

6. Reboot

 

 

Follow the steps I posted earlier and then post back here.


Hi LoPhatPhuud,

 

I definitely did rename the Folder back to Windows.

No doubt.

 

Barry


Hi LoPhatPhuud,

 

To make 110% sure, I performed the procedure again renaming the Not Windows folder back to Windows. No change. The DLL continues to reappear in Appinit_DLLs after reboot and Salamand cannot find it.

 

Have deleted and will no longer use FindNFix as requested.

 

Thanks,

 

Barry


I would hazard a guess that some form of registry protection is writing the value back. Possibly Spybot S&D TeaTimer, or perhaps something in NAV 2004.

 

Disconnect from the internet, boot in safe mode and then run the first steps of the procedure. After renaming the key back to Windows go ahead and boot back to normal. Then you can reconnect to the internet.

 

I think Spybot is probably the culprit, but in safe mode nothing should be running.


LoPhatPhuud,

 

YOU THE MAN ;)

 

It was SpyBot preventing the registry change (even in Safe Mode). Uninstalled SpyBot and was able to Delete the registry value.

 

As soon as I found SQLHL.DLL with Salamand, Norton AV found and automatically deleted it as a Trojan. I hope it's completely gone??? I executed the rest of the commands in Salamand anyway to complete the exercise.

 

Here's the LOG file from FixRegPro.bat...

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

 

CWShredder found and fixed a number of items including the CW.SearchX variant.

Similarly, AdAware found and cleaned a number of items.

 

 

Here's the latest HijackThis Log...

 

Logfile of HijackThis v1.98.0

Scan saved at 12:30:46, on 15/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\Program Files\Echo\pfsview.exe

C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Echo\engine.exe

C:\Program Files\Echo\taskbar.exe

D:\HijackThis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe

O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {11111111-1111-1111-1111-111111111157} -

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadfreenow.com/sites/signed.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\Software\..\Telephony: DomainName = act.ie

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie

 

Thanks,

 

Barry


Barry,

 

I do think we are there. Some minor cleanup.

 

=== Short Fix ===

 

Check the following items in HiJackThis:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

 

O16 - DPF: {11111111-1111-1111-1111-111111111157} -

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}

 

Close all open windows except HiJackThis and press 'Fix Checked'.

 

Reboot.

 

Then:

You are running an outdated and therefore unsafe version of Internet Explorer.

You NEED to upgrade to IE 6.0 SP1

http://v4.windowsupdate.microsoft.com/en/default.asp

 

(Make sure you get the correct language version for your operating system! ).

 

Next, go to the Windows Update site, and download and install ALL Critical Updates on offer.

That will fix innumerable bugs, update a large number of important system files, and plug many security holes.

 

This step is mandatory if you are to avoid Gaobot, Sasser, and the Help file exploit.

 

 

Last:

Let's run one last HijackThis log to be sure.

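The "Short Fix" list above is the triage a helper does by eye over a HijackThis log: local file:// search pages in Temp, blank search values, a missing URLSearchHook, BHOs with no file behind them, DPF entries with no source, and MIME filters hooked into text/html. As an added example (not code from the thread, from HijackThis, or from any forum tool), the Python below encodes those rules and runs them over sample lines copied from the logs posted earlier in this thread. The rule set and the wording of each reason are my assumptions; a flagged line still needs a person to look at the file before it is fixed.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Sample input: lines copied from the HijackThis logs posted above, trimmed to
# the entries that matter for the rules below. Constructed for this example.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O2 - BHO: (no name) - {E304C252-30D5-4B97-8650-CE7F37434ACD} - C:\WINDOWS\System32\ipcpl.dll
O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O18 - Filter: text/html - {F8EAB454-851A-4A78-AA34-42FEF93D5490} - C:\WINDOWS\System32\ipcpl.dll
"""

SYSTEM32 = "\\system32\\"


def _reason_r(rest: str) -> Optional[str]:
    """R0/R1: IE start and search values. Blank or pointing at a local Temp file is suspect."""
    m = re.match(r"(.+?) = ?(.*)$", rest)
    if not m:
        return None
    value = m.group(2).strip()
    if value == "":
        return "blank IE search/start value: reset to default"
    if value.lower().startswith("file://") and "\\temp\\" in value.lower():
        return "IE search/start page redirected to a local file in Temp (about:blank hijack pattern)"
    return None


def _reason_o2(rest: str) -> Optional[str]:
    """O2: browser helper objects. Orphaned or unnamed System32 DLLs need checking."""
    parts = [p.strip() for p in rest.split(" - ")]
    if len(parts) < 3:
        return None
    name, path = parts[0], parts[-1]
    if path == "(no file)":
        return "BHO registered but DLL missing: orphaned entry, remove"
    if "(no name)" in name and SYSTEM32 in path.lower():
        return "unnamed BHO loaded from System32: verify the DLL before trusting it"
    return None


def _reason_o16(rest: str) -> Optional[str]:
    """O16: downloaded program files (ActiveX). An entry with no source URL is leftover."""
    if re.search(r"\}\s*-\s*$", rest):
        return "DPF entry with no source URL: orphaned ActiveX download, remove"
    return None


def _reason_o18(rest: str) -> Optional[str]:
    """O18: MIME filters. One on text/html or text/plain sees every page IE renders."""
    m = re.match(r"Filter:\s*(text/html|text/plain)\s+-\s+\{[^}]+\}\s+-\s+(.*)$", rest)
    if m:
        return f"MIME filter on {m.group(1)} sees every page IE renders; verify {m.group(2)}"
    return None


HANDLERS: Dict[str, Callable[[str], Optional[str]]] = {
    "R0": _reason_r, "R1": _reason_r, "O2": _reason_o2, "O16": _reason_o16, "O18": _reason_o18,
}


def triage_line(line: str) -> Optional[str]:
    """Return a reason string if the HijackThis line matches a rule, else None."""
    line = line.strip()
    kind, sep, rest = line.partition(" - ")
    if not sep:
        return None
    if kind == "R3" and "missing" in rest.lower():
        return "default URLSearchHook missing: let HijackThis restore it"
    handler = HANDLERS.get(kind)
    return handler(rest) if handler else None


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run every rule over a log and return (line, reason) pairs for the hits."""
    findings = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_HJT_LOG):
        print(f"{entry}\n    -> {why}")
```

Note what the rules deliberately do not do: the Acrobat BHO and the Yahoo DPF entries pass untouched, and HomeOldSP = about:blank is left alone because it is a value HijackThis itself resets when the R1 lines are fixed. The point of scripting the triage is consistency across the three logs in a thread like this one, not replacing the judgement of whoever reads the result.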

Hi LoPhatPhuud,

 

Looks like you got it!!

 

I fixed the items with HJT and installed all available critical Windows updates.

Here's the latest HJT Log...

 

Logfile of HijackThis v1.98.0

Scan saved at 16:31:02, on 16/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Echo\pfsview.exe

C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Echo\engine.exe

C:\Program Files\Echo\taskbar.exe

C:\Program Files\Messenger\msmsgs.exe

D:\HijackThis\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe

O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadfreenow.com/sites/signed.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie

O17 - HKLM\Software\..\Telephony: DomainName = act.ie

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie


Good job guys, but I'm a betting man, and I bet it will be back. :)


I don't bet, but I do not believe it will be back either.

 

At last, your system is clean and free of spyware! Want to keep it that way?

 

Here are some simple steps you can take to reduce the chance of infection in the future.

 

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

 

2. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

 

3. Download and install the following free programs

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html

c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

 

4. Install Spyware Detection and Removal Programs:

You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

a. AdAware: http://www.lavasoft.de/

b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

 

 

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

 

 

Good luck, and thanks for coming to our forums for help with your security and malware issues.


LoPhatPhuud,

 

Many thanks for your help.

You played a stormer ;)

 

Take care,

 

Barry

 

P.S. I will be making a donation.
