Help Me Get Rid Of CoolWebSearch & About Blank


24 replies to this topic

#1 Tony


Posted 24 May 2004 - 04:33 PM

Web Master, please help me. My computer is corrupt with Search Assistant, which always tries to set my home page to About Blank.

I have scanned it with Adware, Spy Sweeper, Pest Patrol, Spy Bot, CWShredder, and HijackThis. All of the programs find Search Assistant and Cool Web Search and About Blank. However, when I delete the offending files and reg keys and log back on the computer, it returns again.

I have performed these scans in both normal and safe mode. I am ready to throw this computer out the window!!!!!! Please help.

Attached is the latest HiJackThis Log. This was after I did a clean with all the programs mentioned above. I then logged back into the computer and Spy Sweeper popped up saying my homepage was trying to be changed to About Blank. I did another scan with HiJackThis and this is that log.

I am using W2000 SP4.

Logfile of HijackThis v1.97.7
Scan saved at 11:03:53 PM, on 5/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\vptray.exe
C:\Documents and Settings\cary.P1GZ\My Documents\DOWNLOADS\DOWNLOADS\HIJACK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ghpndaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ghpndaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ghpndaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = WEB.DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Thank you in advance for any help you can provide.

Edited by Tony, 24 May 2004 - 04:45 PM.



#2 Papakid


Posted 24 May 2004 - 04:51 PM

Hi Tony and welcome to BC.

Just for your information, you're supposed to have a SearchAssistant--it is one element of your browser that is being hijacked. Think of it as a secretary with a gun to her head.

That being said, About: blank is one of the toughest hijackers out there to get rid of. I think we can do it, but no guarantees. First tho I need you to post your entire HijackThis log. When you open the log, do this: click Edit>Select All, Edit>Copy, then paste the whole thing in your next reply.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 Tony


Posted 26 May 2004 - 03:06 PM

Thanks for your reply. I had posted the complete Hijack log in my initial message.

However, here it is again, along with my Adware log. I am infected with the CoolWebSearch and About Blank again. It is as if I am going around in circles!! Scan, delete, surf for an hour or two, and it all comes right back again.

Here is the Hijackthis log

Logfile of HijackThis v1.97.7
Scan saved at 9:54:17 PM, on 5/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\vptray.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\cary.P1GZ\My Documents\DOWNLOADS\DOWNLOADS\HIJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\ajfpl.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\ajfpl.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {C0A644C7-3DB2-4788-994C-8DADA30AF592} - C:\WINNT\system32\dmaiig.dll



Here is my Adware Log and as you can see it is filled with CoolWebSearch bugs.

I again would like to thank you in advance for any assistance you can provide.


Adware Log.

Ad-aware 6 Scanning Result, 5-26-2004 9:55:40 PM
------------------------------------------------
Vendor Type Category Object Comment
CoolWebSearch RegValue Malware HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Internet Explorer\Main\ "HOMEOldSP"
CoolWebSearch RegKey Malware HKEY_CLASSES_ROOT:CLSID\{AB368E3F-6F63-480F-A1E4-23EA42D53F49}\ c:\winnt\system32\dmaiig.dll
CoolWebSearch File Malware c:\winnt\system32\dmaiig.dll
CoolWebSearch RegKey Malware HKEY_CLASSES_ROOT:CLSID\{C0A644C7-3DB2-4788-994C-8DADA30AF592}\ c:\winnt\system32\dmaiig.dll
CoolWebSearch RegKey Malware HKEY_CLASSES_ROOT:PROTOCOLS\Filter\text/html\ c:\winnt\system32\dmaiig.dll
CoolWebSearch RegKey Malware HKEY_CLASSES_ROOT:PROTOCOLS\Filter\text/plain\ c:\winnt\system32\dmaiig.dll
CoolWebSearch RegKey Malware HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C0A644C7-3DB2-4788-994C-8DADA30AF592}\ c:\winnt\system32\dmaiig.dll
Tracking Cookie File Data Miner c:\documents and settings\alice\cookies\alice@cgi-bin[2].txt



Thank you kindly,

Tony
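The R0/R1/O2 entries in the logs above are what identify this hijack. As an added example (not HijackThis's own code and not something posted by anyone in this thread), here is a small Python triage script that pulls those entries out of a HijackThis 1.97-style log, flags the two hallmarks (a search or start page served from `res://` inside a system32 DLL, and `about:blank`, plus an unnamed BHO loading from system32), and compares two scans to show how the DLL name rotates between them, which is why deleting one file does not end the reinfection. The sample logs are constructed from the entries posted in this thread; the function and class names are my own.

```python
"""Triage HijackThis R0/R1/O2 entries for the CoolWebSearch about:blank pattern."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample logs: the R/O2 lines from two of the scans posted in this
# thread (24 May and 27 May), with the process lists omitted.
LOG_24_MAY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ghpndaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ghpndaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = WEB.DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
"""

LOG_27_MAY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {C0A644C7-3DB2-4788-994C-8DADA30AF592} - C:\WINNT\system32\dmaiig.dll
"""

# "R1 - <key>,<value name> = <value>" and "O2 - BHO: <label> - {CLSID} - <path>"
R_LINE = re.compile(r"^(R[0-3]) - (.+?),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)
SYSTEM32_DLL = re.compile(r"\\system32\\([^\\]+\.dll)$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str           # "res-dll", "about-blank" or "unnamed-bho" (my own labels)
    where: str          # registry key and value name, or the BHO CLSID
    dll: Optional[str]  # lower-cased DLL basename when a DLL is involved


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious R0/R1/O2 entries of one HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _section, key, name, value = m.groups()
            value = value.replace("(obfuscated)", "").strip()
            res = RES_DLL.match(value)
            if res:
                # A search/start page served out of a DLL's resource section:
                # a legitimate search page is an http URL, never res://...dll.
                findings.append(Finding("res-dll", f"{key},{name}", _basename(res.group(1))))
            elif value.lower() == "about:blank":
                findings.append(Finding("about-blank", f"{key},{name}", None))
            continue
        m = O2_LINE.match(line)
        if m:
            label, clsid, path = m.groups()
            if label == "(no name)" and SYSTEM32_DLL.search(path):
                findings.append(Finding("unnamed-bho", clsid, _basename(path)))
    return findings


def hijack_dlls(log_text: str) -> Set[str]:
    """The set of DLL names the hijack entries point at in this scan."""
    return {f.dll for f in triage(log_text) if f.dll}


def dll_rotation(old_log: str, new_log: str) -> dict:
    """Which hijack DLL names disappeared and which appeared between two scans."""
    old, new = hijack_dlls(old_log), hijack_dlls(new_log)
    return {"gone": sorted(old - new), "new": sorted(new - old)}


if __name__ == "__main__":
    for f in triage(LOG_27_MAY):
        print(f.kind, f.where, f.dll)
    print(dll_rotation(LOG_24_MAY, LOG_27_MAY))
```

Run against the three logs in this thread the rotation goes ghpndaa.dll, then ajfpl.dll, then dmaiig.dll while the CLSID of the BHO stays the same, so the CLSID and the `res://` pattern, not the file name, are the stable things to watch for.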

#4 Guest_Plimsol_*


Posted 26 May 2004 - 03:39 PM

Step 1. Download DLLFix from one of the following links. Save it to a folder on your root drive, which is C:\ for most people:

http://downloads.subratam.org/dllfix.exe

or

http://tools.zerosrealm.com/dllfix.exe

Step 2. After it has completed downloading, navigate to the folder you saved it in and double-click on dllfix.exe.

Step 3. It will prompt you to extract the files somewhere. Type in c:\dllfix and press install.

Step 4. Navigate to c:\dllfix, open the folder and double-click on start.bat

Step 5. Run Option 1 by pressing 1 on the keyboard. The program will now start searching.

Step 6. Once the search is complete a text file should open with the name Output.txt. Copy and Paste the contents of this text file to your next reply to this post.

#5 Tony


Posted 27 May 2004 - 12:46 PM

Here are the logs from dllfix as requested.


When starting dllfix and after pressing 1 and confirming I wanted to continue I received the following error.

Window name: 16 bit MS Dos Subsystem

Within the window: C:\WINNT\CurrentControlSet\Control\VirtualDiviceDrivers. VDD.
Virtual Device Driver format in the registry. Choose 'Close' to
terminate the application.

I selected Ignore and dllfix went ahead and ran. Here is the Output log from dllfix when I selected Ignore.

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Thu 05/27/2004
7:38p

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (C08D:9FE4) - FS:NTFS clusters:512
Total: 80 023 716 352 [75G] - Free: 74 909 172 736 [70G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
7.10.0.3074 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


*PC uptime:
7:38pm up 0 days, 0:34
Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\LOGBIMJ.DLL +++ File read error
\\?\C:\WINNT\System32\LOGBIMJ.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
10142 1344 norm PermissionDlg
6034e 1308 norm SysFader
2030e 1324 norm Event-log. Doubleclick or Hit enter on an entry for details.
102ec 1344 norm Privacy Info Dialog
20046 1308 norm _Shell_TrayWnd
10170 1344 norm AutoVPNAlertDlg
10136 1344 norm ViolationDlg
10016 188 high NetDDE Agent
80342 1484 norm C:\WINNT\system32\cmd.exe
203ae 1308 norm dllfix
10118 1392 norm frmDialogMedium
200aa 1392 norm Webroot Spy Sweeper ™
10116 1392 norm frmDialogSmall
10114 1392 norm Parent Dialog Form
10112 1392 norm Downloads Screen
10108 1392 norm frmssSpyNews
10102 1392 norm First time use
100fe 1392 norm About Screen
100f6 1392 norm Quarantine Directory screen
100e6 1392 norm Options Screen
100e2 1392 norm frmssResults
100dc 1392 norm Removal Screen
100d6 1392 norm frmssSweep
100d2 1392 norm frmssMainScreen
1009c 1392 norm frmSplashScreen
20090 1392 norm Spysweeper
102ae 1464 norm Help Me Get Rid Of CoolWebSearch & About Blank - Microsoft Internet Explorer
d0072 1308 norm MCI command handling window
b0372 1308 norm Timer
20366 1332 norm MCI command handling window
10330 1464 norm MCI command handling window
102e8 1464 norm DDE Server Window
30070 1344 norm ZoneAlarm Pro
200a2 1352 norm CM_camera
2008e 1244 norm Norton AntiVirus Corporate Edition
10088 1308 norm CSC Notifications Window
1007e 1308 norm Power Meter
2007c 1308 norm Connections Tray
2007a 1308 norm MS_WebcheckMonitor
2004a 1308 norm DDE Server Window
10036 568 norm Scan
10034 568 norm ACTION
10032 568 norm VPIPCLINK
1002e 728 norm SYSTEM AGENT COM WINDOW
1001a 188 high MM Notify Callback
102bc 1464 norm SysFader
100c2 1324 norm Hint
200a0 1324 norm Lavasoft Ad-watch
40078 1324 norm Ad-watch
10058 1308 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C0A644C7-3DB2-4788-994C-8DADA30AF592}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{AB368E3F-6F63-480F-A1E4-23EA42D53F49}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{AB368E3F-6F63-480F-A1E4-23EA42D53F49}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM





=============================================

Here is the dllfix log when I selected OK to 'Close' the program. It ran anyway.

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Thu 05/27/2004
7:47p

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (C08D:9FE4) - FS:NTFS clusters:512
Total: 80 023 716 352 [75G] - Free: 74 908 777 984 [70G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
7.10.0.3074 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


*PC uptime:
7:47pm up 0 days, 0:43
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
20046 1308 norm _Shell_TrayWnd
10142 1344 norm PermissionDlg
102ec 1344 norm Privacy Info Dialog
6034e 1308 norm SysFader
2030e 1324 norm Event-log. Doubleclick or Hit enter on an entry for details.
10170 1344 norm AutoVPNAlertDlg
10136 1344 norm ViolationDlg
10016 188 high NetDDE Agent
a0342 292 norm C:\WINNT\system32\cmd.exe
203ae 1308 norm dllfix
102ae 1464 norm BleepingComputer.com -> Replying in Help Me Get Rid Of CoolWebSearch & About Bl
10118 1392 norm frmDialogMedium
200aa 1392 norm Webroot Spy Sweeper ™
10116 1392 norm frmDialogSmall
10114 1392 norm Parent Dialog Form
10112 1392 norm Downloads Screen
10108 1392 norm frmssSpyNews
10102 1392 norm First time use
100fe 1392 norm About Screen
100f6 1392 norm Quarantine Directory screen
100e6 1392 norm Options Screen
100e2 1392 norm frmssResults
100dc 1392 norm Removal Screen
100d6 1392 norm frmssSweep
100d2 1392 norm frmssMainScreen
1009c 1392 norm frmSplashScreen
20090 1392 norm Spysweeper
d0072 1308 norm MCI command handling window
b0372 1308 norm Timer
20366 1332 norm MCI command handling window
10330 1464 norm MCI command handling window
102e8 1464 norm DDE Server Window
30070 1344 norm ZoneAlarm Pro
200a2 1352 norm CM_camera
2008e 1244 norm Norton AntiVirus Corporate Edition
10088 1308 norm CSC Notifications Window
1007e 1308 norm Power Meter
2007c 1308 norm Connections Tray
2007a 1308 norm MS_WebcheckMonitor
2004a 1308 norm DDE Server Window
10036 568 norm Scan
10034 568 norm ACTION
10032 568 norm VPIPCLINK
1002e 728 norm SYSTEM AGENT COM WINDOW
1001a 188 high MM Notify Callback
102bc 1464 norm SysFader
100c2 1324 norm Hint
200a0 1324 norm Lavasoft Ad-watch
40078 1324 norm Ad-watch
a0380 1484 norm Untitled - Notepad
8035a 1568 norm Untitled - Notepad
10058 1308 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C0A644C7-3DB2-4788-994C-8DADA30AF592}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{AB368E3F-6F63-480F-A1E4-23EA42D53F49}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{AB368E3F-6F63-480F-A1E4-23EA42D53F49}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




Again Thank you for your help.

Tony

#6 Grinler

Lawrence Abrams

Posted 27 May 2004 - 01:14 PM

Follow these steps:

Run start.bat again but this time choose option 2.
Then choose option 1.

When it asks for the filename enter: C:\WINNT\System32\LOGBIMJ.DLL
and press return.

Let it do its thing. When it asks to reboot, do so.

Then post a new Output.txt (do option 1 in start.bat again ), the logs.txt the fix generated (you will find it automatically being made and found in the dllfix folder) and a fresh HijackThis Log.

#7 Tony


Posted 27 May 2004 - 01:56 PM

Here are the logs as requested.

logs.txt

CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Thu 05/27/2004
8:44p

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully

Deleting Filter text
Running from C:\DLLFIX\dllfix
Unlocking Locked File
Processing File Manually
C:\WINNT\system32\LOGBIM3.DLL
Md5 Check of C:\WINNT\system32\LOGBIM3.DLL

Md5 tested As
File was found but md5 didnt match
MD5 was:
Resetting file attributes
Processing ACL of: <\\?\C:\WINNT\system32\LOGBIM3.DLL>

SetACL finished with error(s):
SetACL error message: The call to SetNamedSecurityInfo () failed
Operating system error message: The system cannot find the file specified.


File was zipped for submission to Shadowwar
File is located at C:\DLLFIX\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.


===============================================

Here is the new Output.txt log

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Thu 05/27/2004
8:51p

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (C08D:9FE4) - FS:NTFS clusters:512
Total: 80 023 716 352 [75G] - Free: 74 908 406 272 [70G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
7.10.0.3074 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


*PC uptime:
8:51pm up 0 days, 0:04
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
10304 1268 norm Switches Monitoring On or Off
102d0 1248 norm SysFader
4003a 1248 norm _Shell_TrayWnd
10176 1328 norm AutoVPNAlertDlg
1013e 1328 norm ViolationDlg
1015a 1328 norm PermissionDlg
10018 188 high NetDDE Agent
302f4 1404 norm C:\WINNT\system32\cmd.exe
50044 1248 norm dllfix
10306 1248 norm MCI command handling window
10126 1188 norm frmDialogMedium
3009a 1188 norm Webroot Spy Sweeper ™
10120 1188 norm frmDialogSmall
1011a 1188 norm Parent Dialog Form
10114 1188 norm Downloads Screen
1010e 1188 norm frmssSpyNews
10108 1188 norm First time use
10104 1188 norm About Screen
100fc 1188 norm Quarantine Directory screen
100ec 1188 norm Options Screen
100e8 1188 norm frmssResults
100e2 1188 norm Removal Screen
100dc 1188 norm frmssSweep
100d8 1188 norm frmssMainScreen
100c2 1188 norm frmSplashScreen
100be 1188 norm Spysweeper
102c2 752 norm Untitled - Notepad
50046 1248 norm Timer
10130 1328 norm ZoneAlarm Pro
2009c 996 norm CM_camera
100bc 1360 norm Norton AntiVirus Corporate Edition
1008a 1248 norm CSC Notifications Window
10080 1248 norm Power Meter
1007c 1248 norm Connections Tray
1007a 1248 norm MS_WebcheckMonitor
3003e 1248 norm DDE Server Window
1002c 512 norm Scan
1002a 512 norm ACTION
10028 512 norm VPIPCLINK
10024 632 norm SYSTEM AGENT COM WINDOW
1001a 188 high MM Notify Callback
100b6 1268 norm Hint
30092 1268 norm Lavasoft Ad-watch
3008e 1268 norm Ad-watch
1005a 1248 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C0A644C7-3DB2-4788-994C-8DADA30AF592}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{AC6831CA-ED84-45EC-AC73-1B186C3E182A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{AC6831CA-ED84-45EC-AC73-1B186C3E182A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




==============================================

Here is the new HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 8:54:10 PM, on 5/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\vptray.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\cary.P1GZ\My Documents\DOWNLOADS\DOWNLOADS\HIJACK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {C0A644C7-3DB2-4788-994C-8DADA30AF592} - C:\WINNT\system32\dmaiig.dll

========================================

When running dllfix I am still receiving this error.

Within the window: C:\WINNT\CurrentControlSet\Control\VirtualDiviceDrivers. VDD.
Virtual Device Driver format in the registry. Choose 'Close' to
terminate the application.

It doesn't matter if I click Ignore or Close; dllfix still runs.





Thanks for helping me get this mess cleaned up.

Tony
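The REGEDIT4 fragments in Output.txt carry the persistence points dllfix is inspecting: the AppInit_DLLs value, the registered Browser Helper Objects, and the PROTOCOLS\Filter MIME filters (the text/html and text/plain filter CLSIDs are what changed between the first and the third Output.txt above). As an added example (not part of dllfix, HijackThis or this thread's posts), here is a Python checker that parses those fragments and reports any MIME-filter key beyond the five that appear in every Output.txt in this thread (Class Install Handler, deflate, gzip, lzdhtml, text/webviewhtml), a non-empty AppInit_DLLs, and the BHO CLSIDs. The first sample is constructed from the first Output.txt above; the second sample's AppInit_DLLs path is a placeholder; the baseline filter set is an assumption drawn from this thread's own logs rather than from a Microsoft reference, and all function names are my own.

```python
"""Audit the REGEDIT4 fragments that dllfix's Output.txt prints."""
import re
from typing import Dict, List

# Constructed sample, trimmed from the first Output.txt posted in this thread.
SAMPLE_BEFORE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C0A644C7-3DB2-4788-994C-8DADA30AF592}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{AB368E3F-6F63-480F-A1E4-23EA42D53F49}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{AB368E3F-6F63-480F-A1E4-23EA42D53F49}"
"""

# Constructed variant with a non-empty AppInit_DLLs value; the DLL name is a
# placeholder, not a file from this thread. REGEDIT4 doubles backslashes.
SAMPLE_APPINIT = SAMPLE_BEFORE.replace(
    '"AppInit_DLLs"=""',
    r'"AppInit_DLLs"="C:\\WINNT\\system32\\EXAMPLE_PLACEHOLDER.DLL"',
)

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

FILTER_ROOT = "HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\"
BHO_ROOT = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
            "\\Explorer\\Browser Helper Objects\\")
WINDOWS_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
# Assumed baseline: the filter subkeys present in every Output.txt in this thread.
EXPECTED_FILTERS = {"Class Install Handler", "deflate", "gzip", "lzdhtml", "text/webviewhtml"}


def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to its {value name: value}; '@' is the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        km = KEY_LINE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VALUE_LINE.match(line)
        if vm and current is not None:
            name, value = vm.groups()
            name = "@" if name == "@" else name[1:-1]
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")  # un-escape REG_SZ
            keys[current][name] = value
    return keys


def unexpected_filters(text: str) -> Dict[str, str]:
    """MIME-filter subkeys outside the baseline, with the CLSID each names."""
    out: Dict[str, str] = {}
    for key, values in parse_regedit4(text).items():
        if key.startswith(FILTER_ROOT):
            name = key[len(FILTER_ROOT):]
            if name not in EXPECTED_FILTERS:
                out[name] = values.get("CLSID", "")
    return out


def appinit_dlls(text: str) -> str:
    """The AppInit_DLLs value (the log spells it AppInit_DLLs and Appinit_Dlls)."""
    for name, value in parse_regedit4(text).get(WINDOWS_KEY, {}).items():
        if name.lower() == "appinit_dlls":
            return value
    return ""


def registered_bhos(text: str) -> List[str]:
    return sorted(k[len(BHO_ROOT):] for k in parse_regedit4(text) if k.startswith(BHO_ROOT))


def audit(text: str) -> Dict[str, object]:
    return {"mime_filters": unexpected_filters(text),
            "appinit_dlls": appinit_dlls(text),
            "bhos": registered_bhos(text)}


if __name__ == "__main__":
    print(audit(SAMPLE_BEFORE))
    print(audit(SAMPLE_APPINIT))
```

A text/html or text/plain filter is the interesting hit: a MIME filter sits in front of every page Internet Explorer renders, so a DLL registered there can rewrite the start page on every load, which matches the "it all comes right back" behaviour described above; the BHO list is reported as-is so it can be matched against the O2 line in the HijackThis log.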

#8 Grinler

Lawrence Abrams

Posted 27 May 2004 - 02:36 PM

Is that your full hijackthis log?

#9 Tony


Posted 27 May 2004 - 02:38 PM

Yes. When I am finished scanning I click on save log and a text window opens with the log results inside the note pad.

Tony

#10 Grinler

Lawrence Abrams

Posted 27 May 2004 - 02:46 PM

Fix these in Hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {C0A644C7-3DB2-4788-994C-8DADA30AF592} - C:\WINNT\system32\dmaiig.dll

Then I want you to see if you can delete this file:

C:\WINNT\System32\LOGBIMJ.DLL

Then reboot and post a new log.

#11 Tony (Topic Starter)

Posted 27 May 2004 - 02:56 PM

O.K. I fixed what you said to fix. However, I could not delete logbimj.dll. It said "Access denied, the source file might be in use."

Tony

#12 Grinler (Lawrence Abrams, Admin)

Posted 27 May 2004 - 03:32 PM

OK, reboot into safe mode and try to delete that file there.

Then reboot and post a new log.

#13 Tony (Topic Starter)

Posted 27 May 2004 - 04:29 PM

I was able to delete the logbimj.dll file.

Here is the new HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 11:25:52 PM, on 5/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\vptray.exe
C:\Documents and Settings\cary.P1GZ\My Documents\DOWNLOADS\DOWNLOADS\HIJACK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\ajfpl.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\ajfpl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {836CE1ED-4CE2-4F0E-AF5D-F824CAC27381} - C:\WINNT\system32\dmaiig.dll

Thanks
Tony

#14 Grinler (Lawrence Abrams, Admin)

Posted 27 May 2004 - 04:54 PM

Fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\ajfpl.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\ajfpl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {836CE1ED-4CE2-4F0E-AF5D-F824CAC27381} - C:\WINNT\system32\dmaiig.dll

Reboot, start Internet Explorer, shut down Internet Explorer and post one more log.

#15 Tony (Topic Starter)

Posted 28 May 2004 - 12:32 AM

Here is the new HijackThis log


Logfile of HijackThis v1.97.7
Scan saved at 7:14:05 AM, on 5/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mobsync.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\vptray.exe
C:\Documents and Settings\cary.P1GZ\My Documents\DOWNLOADS\DOWNLOADS\HIJACK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\ajfpl.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\ajfpl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {49E38CD8-197D-4BA8-A9B7-A81501E0AD7B} - C:\WINNT\system32\dmaiig.dll



Thanks
Tony
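The logs in posts #10, #13 and #15 show the same hijack coming back after every HijackThis fix: the nameless BHO is re-registered under a new CLSID each time ({C0A644C7-...}, then {836CE1ED-...}, then {49E38CD8-...}) while still pointing at dmaiig.dll, and a second DLL, ajfpl.dll, appears next to it. The Python script below is an added example, not part of this thread and not HijackThis's own code: it parses the R0/R1/O2 lines quoted from these posts, flags the CoolWebSearch about:blank pattern (res:// search URLs pointing into system32, about:blank Start Page/HomeOldSP, a BHO with no name in system32), and diffs two logs so the regenerated identifiers stand out. The category names, function names and the abbreviated log strings are this example's own.

```python
"""Triage HijackThis R0/R1/O2 entries for the CoolWebSearch about:blank
pattern seen in this thread, and diff two logs to show whether the
hijacker came back under new names after a HijackThis 'fix'."""
import re

# Abbreviated copies of the R0/R1/O2 lines posted in this thread
# (post #10's fix list, the 27 May log and the 28 May log).
LOG_BEFORE_FIX = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {C0A644C7-3DB2-4788-994C-8DADA30AF592} - C:\WINNT\system32\dmaiig.dll
"""
LOG_27_MAY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dmaiig.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\ajfpl.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\ajfpl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {836CE1ED-4CE2-4F0E-AF5D-F824CAC27381} - C:\WINNT\system32\dmaiig.dll
"""
LOG_28_MAY = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\ajfpl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {49E38CD8-197D-4BA8-A9B7-A81501E0AD7B} - C:\WINNT\system32\dmaiig.dll
"""

# HijackThis line shapes: "R1 - HIVE\Key,Value = data (obfuscated)" and
# "O2 - BHO: name - {CLSID} - path". The regexes are this example's own.
R_LINE = re.compile(
    r"^(?P<type>R[013]) - (?P<hive>HK[A-Z]{2})\\(?P<key>.+?),(?P<value>[^=]+?) = "
    r"(?P<data>.+?)(?: \(obfuscated\))?$")
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+)$", re.I)
RES_DLL = re.compile(r"^res://(?P<dll>[^/]+\.dll)/", re.I)  # res://<dll>/<page>
SYSTEM32 = re.compile(r"\\system32\\", re.I)


def parse_log(text):
    """Return the R0/R1/O2 entries of a log as dicts; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = R_LINE.match(line)
        if m:
            entries.append({"kind": "R", **m.groupdict()})
            continue
        m = O2_LINE.match(line)
        if m:
            entries.append({"kind": "O2", **m.groupdict()})
    return entries


def suspicious(entries):
    """Flag entries matching the about:blank/CWS pattern as (category, where, what)."""
    hits = []
    for e in entries:
        if e["kind"] == "R":
            value = e["value"].strip()
            m = RES_DLL.match(e["data"])
            if m and SYSTEM32.search(m["dll"]):
                # Search settings served from a DLL in system32 via res://
                hits.append(("search-hijack", value, m["dll"]))
            elif e["data"] == "about:blank" and value in ("Start Page", "HomeOldSP"):
                # about:blank alone is only a symptom; it matters beside the res:// hits
                hits.append(("about-blank", value, e["data"]))
        elif e["name"] == "(no name)" and SYSTEM32.search(e["path"]):
            hits.append(("nameless-bho", e["clsid"], e["path"]))
    return hits


def hijacker_delta(before, after):
    """Compare flagged DLL names and BHO CLSIDs between two logs.

    A CLSID that is gone and a new one pointing at the same DLL means the
    registry entries were removed but something re-registered them."""
    def dlls(entries):
        return {what.rsplit("\\", 1)[-1].lower()
                for kind, _, what in suspicious(entries)
                if kind in ("search-hijack", "nameless-bho")}

    def clsids(entries):
        return {e["clsid"].upper() for e in entries if e["kind"] == "O2"}

    return {
        "new_dlls": sorted(dlls(after) - dlls(before)),
        "new_clsids": sorted(clsids(after) - clsids(before)),
        "gone_clsids": sorted(clsids(before) - clsids(after)),
    }


if __name__ == "__main__":
    for label, text in (("before fix", LOG_BEFORE_FIX), ("27 May", LOG_27_MAY), ("28 May", LOG_28_MAY)):
        print(label)
        for hit in suspicious(parse_log(text)):
            print("  ", *hit)
    print("delta before -> 27 May:", hijacker_delta(parse_log(LOG_BEFORE_FIX), parse_log(LOG_27_MAY)))
    print("delta 27 -> 28 May:", hijacker_delta(parse_log(LOG_27_MAY), parse_log(LOG_28_MAY)))
```

Run as a script it prints the flagged entries per log and the two deltas. A delta that lists a gone CLSID and a new CLSID for the same dmaiig.dll path is the signature of a hijacker that re-registers itself on each boot or IE start, which is why deleting the locked DLL from safe mode (posts #12 and #13) does more than fixing the R entries again; the same check applied to a live machine would read the BHO keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects instead of a saved log.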
