Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please help Diagnose


  • This topic is locked This topic is locked
14 replies to this topic

#1 satyros

satyros

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:44 AM

Posted 20 May 2004 - 04:09 PM

Logfile of HijackThis v1.97.7
Scan saved at 11:33:27 PM, on 5/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\PV92Tray.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis(backup)\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Ubisoft register.lnk = C:\Program Files\UBISOFT\Register\schedule.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_1\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8115.0884953704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


StartupList report, 5/21/2004, 12:09:34 AM
StartupList version: 1.52
Started from : C:\Downloads\hijackthis(backup)\hijackthis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\PV92Tray.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis(backup)\hijackthis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
Ubisoft register.lnk = C:\Program Files\UBISOFT\Register\schedule.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

PCTVOICE = pctspk.exe
PV92TRAY = PV92Tray.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
AVGCtrl = C:\Program Files\AVPersonal\AVGNT.EXE /min
CloneCDElbyCDFL = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
WinFast Schedule = C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
Services Process = C:\WINDOWS\system32\config\services.exe
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
NCLaunch = C:\WINDOWS\NCLAUNCH.EXe
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SIMAQU~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Download Program Files:

[XML DOM Document 4.0]
InProcServer32 = %SystemRoot%\System32\msxml4.dll
CODEBASE = file://C:\TempEI4\EI40_1\msxml4.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8115.0884953704

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[Secure Delivery]
CODEBASE = http://www.gamespot.com/KDX/kdx.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://chat.msn.com/bin/msnchat45.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLB1A2B.EXE


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
System: C:\WINDOWS\system32\system32.dll

--------------------------------------------------
End of report, 5,652 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,540 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:44 PM

Posted 20 May 2004 - 04:59 PM

I want you to fix some of those entries. Please do the following:


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe

Reboot your computer into Safe Mode and delete the following files:

Then delete these
C:\WINDOWS\system32\config\services.exe

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore
or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above

Reboot your computer to go back to normal mode and post a new log.

#3 satyros

satyros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:44 AM

Posted 21 May 2004 - 10:52 AM

thank you very much for replying so fast, but I did exactly what you said and nothing happened.On your reply check this:
Reboot your computer into Safe Mode and delete the following files:

Then delete these
C:\WINDOWS\system32\config\services.exe
Maybe I'm missing something. you say delete the following files, you don't mention any file and then you say: and then delete the file servises.exe. After doing what you said the file servises.exe no longer exist but hijack this keeps finding the entries you told me to fix. What am I doing wrong?

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,540 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:44 PM

Posted 21 May 2004 - 10:56 AM

Sorry ignore the first delete this. I do want you to delete :

C:\WINDOWS\system32\config\services.exe

as that is a virus or trojan of some sort.

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the FIx button to have it remove all CWS infections it finds.

I also want you to follow these steps:

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds an new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in safe mode. Reboot windows and press F8 at boot/windows startup, usually right after the beep. Then select safe mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder


When this is done post a new hijackthis log

#5 satyros

satyros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:44 AM

Posted 21 May 2004 - 12:37 PM

CWShredder found nothing

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,540 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:44 PM

Posted 21 May 2004 - 12:46 PM

Please post a new hijackthis log

#7 satyros

satyros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:44 AM

Posted 21 May 2004 - 12:49 PM

Logfile of HijackThis v1.97.7
Scan saved at 8:48:48 PM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\PV92Tray.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Ubisoft register.lnk = C:\Program Files\UBISOFT\Register\schedule.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_1\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8115.0884953704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B414CD13-24B4-4820-B639-EE514720E29F}: NameServer = 195.170.0.2 195.170.2.1

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,540 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:44 PM

Posted 21 May 2004 - 03:20 PM

Lets try this:

Boot into safe mode.

Navigate to c:\windows\system32

If these 3 files exists delete them:

appsys.exe
shimvwr.dll
system32.dll

Go to c:\windows\system32\config:

Delete:

config.exe
services.exe

Reboot run hijackthis. Remove all of the greatsearch.biz entries. Then post a new hijackthis log. If this does not work for you we will need to find the appropriate dll's

#9 satyros

satyros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:44 AM

Posted 22 May 2004 - 05:39 AM

none of them exists.we've tried everything.Is this always too hard?

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,540 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:44 PM

Posted 22 May 2004 - 06:32 PM

Unfortunately for some spyware/hijackers it is very difficult to remove. Trust me we have not been working on yours for long, but I am confident we can eventually remove it.


Any idea what PV92Tray.exe is?

Can you send me that file so I can make sure it is legit? Send it to submit-malware@bleepingcomputer.com. Make sure to put it in a zip file first or i wont get it.

It can be found in c:\windows\PV92Tray.exe or c:\windows\system32\PV92Tray.exe

#11 satyros

satyros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:44 AM

Posted 23 May 2004 - 01:26 PM

it si a tray icon for my modem.nothing to worry about

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,540 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:44 PM

Posted 23 May 2004 - 03:34 PM

Ok lets try this method:

Step 1. Download DLLFix from:

http://downloads.subratam.org/dllfix.exe

or

http://tools.zerosrealm.com/dllfix.exe

Step 2. After it has completed downloading, navigate to the folder you saved it in and double-click on dllfix.exe.

Step 3. It will prompt you to extract the files somewhere. Type in c:\dllfix and press install.

Step 4. Navigate to c:\dllfix and double-click on start.bat

Step 5. Run Option 1 by pressing 1. The program will now start searching.

Step 6. Once the search is complete a text file should open with the name Output.txt. Copy and Paste the contents of this text file to a reply to this post

#13 satyros

satyros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:44 AM

Posted 25 May 2004 - 11:17 AM

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Tue 05/25/2004
07:14 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (3866:2438) - FS:NTFS clusters:4k
Total: 120 023 252 992 [112G] - Free: 107 603 218 432 [100G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3805.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
7:14pm up 0 days, 1:16
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
110516 1608 norm SysFader
30096 1608 norm Start Menu
10092 1608 norm CiceroUIWndFrame
30046 1608 norm _Shell_TrayWnd
20400 1952 norm GetRight Monitor
1015c 1872 norm CiceroUIWndFrame
1014c 1872 norm TF_FloatingLangBar_WndTitle
10028 472 high NetDDE Agent
1f045e 1100 norm AntiVir Guard - W A R N I N G
7025e 424 norm Status window
c029c 424 norm Kazaa Lite K++ - [Search]
21022a 1024 norm Download file
1d0438 1024 norm HACKERS WORLD - Opera
50444 1024 norm HijackThis Log: Please help Diagnose - Opera
a0518 1276 norm C:\WINDOWS\System32\cmd.exe
160512 1608 norm dllfix
d0554 2024 norm MCI command handling window
3043a 1024 norm OpTaskbar
30434 1024 norm Opera
20408 1952 norm _#32770
a028c 1892 norm MSNMSGRPassportLogin
e0276 1892 norm MSBLNetConn
200d6 1608 norm Power Meter
101b0 1892 norm ActiveMovie Window
101ae 1892 norm ActiveMovie Window
101aa 1892 norm MSP PNP Notification Window
101a4 1892 norm CRTCClient
10186 1892 norm CRTCIMService
10236 1608 norm MCI command handling window
10222 1608 norm Connections Tray
10220 1964 norm frmDialogMedium
1021e 1964 norm frmDialogSmall
1021c 1964 norm Parent Dialog Form
1021a 1964 norm Downloads Screen
10214 1964 norm frmssSpyNews
1020e 1964 norm First time use
1020a 1964 norm About Screen
10202 1964 norm Quarantine Directory screen
101f2 1964 norm Options Screen
101ee 1964 norm frmssResults
101e0 1964 norm Removal Screen
101da 1964 norm frmssSweep
101d6 1964 norm frmssMainScreen
300d2 1964 norm Webroot Spy Sweeper ™
200d8 1608 norm MS_WebcheckMonitor
1016a 1964 norm frmSplashScreen
10168 1964 norm Spysweeper
10164 1804 norm WinFast Schedule Reminder
10154 1920 norm Northcode File Launcher
1014a 1804 norm ActiveMovie Window
10156 1892 norm DDE Server Window
10124 1836 norm MediaCenter
10114 1744 norm HSP56 SpkPhone
100c2 1788 norm iTunes Helper
100c0 1752 norm HSP56 V92
100b8 1752 norm SystemTrayDemo
90052 1608 norm DDE Server Window
40054 1156 norm NVSVCPMMWindowClass
100dc 1764 norm AntiVir Personal Edition - Guard
200d0 2024 norm NoAds
10098 1608 norm Program Manager
30048 1608 norm M
30044 1608 norm Default IME
e051c 1100 norm Default IME
f0240 424 norm M
902a8 424 norm Default IME
304e0 1024 norm M
40450 1024 norm Default IME
1c04ee 1608 norm M
110552 1608 norm Default IME
100aa 1608 norm M
3005e 1608 norm Default IME
1004f6 2024 norm Default IME
30410 1484 norm Default IME
20456 1952 norm M
d0372 1952 norm Default IME
60262 1608 norm M
300da 1608 norm Default IME
101be 1892 norm Default IME
101ac 1892 norm Default IME
10238 1608 norm Default IME
201d8 1964 norm Default IME
10166 1804 norm Default IME
1015e 1920 norm Default IME
10152 1804 norm Default IME
1011c 1836 norm Default IME
10116 1744 norm Default IME
100c4 1788 norm Default IME
100ba 1752 norm Default IME
30056 1156 norm Default IME
10134 1872 norm Default IME
10178 2024 norm M
10172 2024 norm Default IME
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,540 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:44 PM

Posted 25 May 2004 - 11:34 AM

Post another hijackthis log please. I did see something that wasnt there previously.

While you do that I am going to research further. Well get this sucker off your machine somehow

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,540 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:44 PM

Posted 25 May 2004 - 08:32 PM

You can also try this:

Run start.bat from dllfix.exe again, this time choose option number 2 ( Run Fix), and then option number 2 (Run fix without dll name).

Your computer will now restart and search the dll as its booting up.

When you are backup and running post a new hijackthis log and the logs.txt that was generated when you reboot that is found in the dllfix dirtectory.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users