HijackThis Log: Please help Diagnose


25 replies to this topic

#1 UpFromTheAshes (Members, 13 posts)

Posted 08 June 2004 - 07:48 PM

I have ad-watch running, and every time I open a browser window, some hijacking bullcrap tries to edit 4 different registry entries. It sometimes tries the same junk upon going to a different site. It tries to change my home page to "about:blank" and something called SearchAssistant starts trying to do a bunch of crap. Here's my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 5:32:35 PM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Stardock Object Desktop\Object Desktop\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\windows\temp\H.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Ad Aware\Ad-aware 6\Ad-watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Getmail\GetMail\GetMail.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\PROGRA~1\BELLSO~1\CORREC~1\CCD.exe
C:\WINDOWS\System32\WuaU.exe
C:\WINDOWS\System32\Hkc6y3Fz.exe
D:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bmgo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bmgo.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.upfromtheashes.net:8585/X6cf09...e12/login.cgi?_
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bmgo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bmgo.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://hometab.bellsouth.net/
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\p1d764d6.slt\prefs.js)
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {A3F5A710-F2E1-4C41-A69E-90287CE4FBD7} - C:\WINDOWS\System32\bmgo.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\System32\tapicfg.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [H.exe] C:\windows\temp\H.exe
O4 - HKLM\..\Run: [2CD34@@2WQMB@P] C:\WINDOWS\System32\Lcl7.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Ad Aware\Ad-aware 6\Ad-watch.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [getmail] "C:\Program Files\Getmail\GetMail\GetMail.exe"
O4 - HKCU\..\Run: [t2embed] C:\WINDOWS\System32\t2embed.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Publisher XP\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} (FASetupStart Control) - http://a2.ff.fullaudio.com.edgesuite.net/f....0.40/setup.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12ccf72d0eec5cb62c03/...ip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Thanks in advance!
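Added example, not part of this thread or of HijackThis itself: the checks a responder applies when reading a log like the one above, written as a small Python triage script. The sample log is a trimmed copy of the entries posted above; the rule names, the regexes and the res://-to-BHO correlation are my own and are a hypothetical helper, not a HijackThis feature.

```python
"""Triage a HijackThis 1.97 log for the indicators behind a CoolWebSearch-style
hijack: res:// search pages, orphaned CLSIDs, autoruns in temp folders,
ActiveX downloads from bare IP hosts, and a BHO that serves the res:// page.
Hypothetical helper written for this thread; not part of HijackThis."""
import re

# Constructed sample: a trimmed copy of the first log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\temp\H.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bmgo.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {A3F5A710-F2E1-4C41-A69E-90287CE4FBD7} - C:\WINDOWS\System32\bmgo.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [H.exe] C:\windows\temp\H.exe
O4 - HKLM\..\Run: [2CD34@@2WQMB@P] C:\WINDOWS\System32\Lcl7.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12ccf72d0eec5cb62c03/...ip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")   # "R1 - ...", "O4 - ..."
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # bare path in the process list
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
RES_DLL_RE = re.compile(r"res://(?P<dll>\S+?\.dll)/", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\]")
CLEAN_NAME_RE = re.compile(r"^[A-Za-z0-9 ._\-]+$")
BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def collect_res_dlls(log_text):
    """DLLs that serve a res:// search/start page. A BHO backed by one of
    these is the component that keeps re-setting the hijacked values."""
    return {m.group("dll").lower() for m in RES_DLL_RE.finditer(log_text)}


def triage_line(line, res_dlls):
    """Return the reasons (possibly none) for noting one log line."""
    reasons = []
    m = ENTRY_RE.match(line)
    if m is None:
        # Lines in the "Running processes" block are bare paths.
        if DRIVE_PATH_RE.match(line) and TEMP_DIR_RE.search(line):
            reasons.append("process running from a temp directory")
        return reasons
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and ("res://" in body or "(obfuscated)" in body):
        reasons.append("IE start/search page points at a local res:// page")
    if sec == "R0" and "Start Page" in body and body.endswith("= about:blank"):
        reasons.append("start page forced to about:blank")
    if "(no file)" in body:
        reasons.append("registered CLSID has no backing file (orphan)")
    if sec == "O2" and body.rsplit(" - ", 1)[-1].lower() in res_dlls:
        reasons.append("BHO DLL is the same file that serves the res:// page")
    if sec == "O4":
        if TEMP_DIR_RE.search(body):
            reasons.append("autorun executable lives in a temp directory")
        rn = RUN_NAME_RE.search(body)
        if rn and not CLEAN_NAME_RE.match(rn.group("name")):
            reasons.append("autorun entry has a garbage-looking name")
    if sec == "O16" and BARE_IP_URL_RE.search(body):
        reasons.append("ActiveX download from a bare IP address")
    return reasons


def triage(log_text):
    """Two passes: gather res:// DLLs first, then flag lines.
    Returns a list of (reason, line) pairs in log order."""
    res_dlls = collect_res_dlls(log_text)
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for reason in triage_line(line, res_dlls):
            findings.append((reason, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

The two-pass design matters: the R1 lines tell you which DLL is serving the fake search page, and only then can the O2 line for the same DLL be recognised as the persistence component rather than just another unnamed BHO. Entries the script does not flag (NAV Helper, ccApp, the Macromedia download) are the normal ones a responder would also skip.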


#2 Papakid (Guru at being a Newbie; Malware Response Team, 6,614 posts)

Posted 08 June 2004 - 09:47 PM

Hi there,
You have a recent version of CoolWebSearch that has to be removed in stages. For the first stage please do the following:

Step 1. Download DLLFix from:

http://downloads.subratam.org/dllfix.exe

or

http://tools.zerosrealm.com/dllfix.exe

Step 2. After it has completed downloading, navigate to the folder you saved it in and double-click on dllfix.exe.

Step 3. It will prompt you to extract the files somewhere. Type in c:\dllfix and press install.

Step 4. Navigate to c:\dllfix and double-click on start.bat

Step 5. Run Option 1 by pressing 1 then Enter. The program will now start searching.

Step 6. Once the search is complete a notepad will open called output.txt. If it doesn't open it will still be saved in the DllFix folder. Post the contents of output.txt as a reply to this post.

The thing about people is they change when they walk away. --Mipso


#3 UpFromTheAshes (Topic Starter; Members, 13 posts)

Posted 08 June 2004 - 10:26 PM

Thanks, here it is:

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Tue 06/08/2004
11:24 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
D: "SECONDARY" (3D09:0D43) - FS:FAT clusters:16k
Total: 18 867 748 864 [18G] - Free: 1 332 101 120 [1.2G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;



Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\HLPHIC.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLPHIC.DLL +++ File read error


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41353F8B-78CE-48A5-BE44-153ED293D192}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3F5A710-F2E1-4C41-A69E-90287CE4FBD7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{42E9554B-E051-49B7-A338-A8ABA8A1FBFF}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{42E9554B-E051-49B7-A338-A8ABA8A1FBFF}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

#4 Papakid (Guru at being a Newbie; Malware Response Team, 6,614 posts)

Posted 08 June 2004 - 11:38 PM

Very good. :thumbsup:

The second stage is a bit more involved. Follow these steps:

1. Run start.bat again but this time choose option 2 (Run Fix).
Then choose option 1 (Enter Dll name Manually).

2. When it asks for the filename enter: C:\WINDOWS\System32\HLPHIC.DLL
and press return.

Let it do its thing. When it asks to reboot do so.

In your next reply post a new Output.txt (do option 1 in start.bat again) and the logs.txt the fix generated (it is made automatically and you will find it in the dllfix folder).

3. Run CWShredder. Direct Download of CWShredder. If that link doesn't work, try this page:
http://www.zerosrealm.com/downloads.php

After you download the program, unzip it into a directory (folder). Boot into Safe Mode to run it.

Please view this tutorial for details: How to remove CoolWebSearch with CoolWeb Shredder

4. Back in Normal mode, download Ad-aware.
Ad-Aware Tutorial
Make the following changes to the settings in Ad-aware.
1. Click Settings (Gear at the top) > Tweaks > click the + sign next to Scanning Engine to expand & check "Unload recognized processes during scanning."
2. In the same window, expand Cleaning Engine & check
"Let Windows remove files in use after reboot." and
"Automatically try to unregister objects prior to deletion"
3. Click the "Scanning" button.
4. Under Drives & Folders, select "Scan within Archives".
5. Click "Check for updates now" and download any available.
6. Press "Scan Now".
7. Confirm that "Use Custom scanning options" & "Activate In-Depth Scan" are checked.
8. Now press "Next" to let Ad-aware scan your drives.
Allow the program to fix what it finds.

5. When done post a fresh HijackThis log along with the logs from DllFix mentioned earlier. The next stage will be to clean up any leftovers, of which you will probably have some.

The thing about people is they change when they walk away. --Mipso


#5 UpFromTheAshes (Topic Starter; Members, 13 posts)

Posted 09 June 2004 - 12:00 AM

First, let me thank you so much for your help.

That having been said, patience is not one of my strong suits, so after you alerted me to the CWS, I went and found CWShredder on my own. That seemed to take care of all of the junk that happened upon opening a browser.

I still had something else that was triggering ad-watch occasionally, and after doing some research I found that apparently I had some form of the peper trojan as well (although I can't figure out how that isn't found by NAV). I downloaded peperfix.exe, ran that, and used HJT to remove the O4 entry manually.

So far, so good. I've rebooted a few times and ad-watch isn't giving me the peper alert anymore. I'm getting no more hijack messages when surfing. I downloaded all the latest security updates from Microsoft to close the holes that I assume let this happen in the first place.

I could post another HJT log if you think there might be something left.

Again, I apologize for jumping the gun. I'm sure you hate trying to help people like me! :thumbsup:

#6 Papakid (Guru at being a Newbie; Malware Response Team, 6,614 posts)

Posted 09 June 2004 - 12:12 AM

Well, in this case it's no biggie. Several things need to be done, and the order they are done in is not as important as getting them ALL done. Most important, you need to run DllFix as I instructed in my last post. It's the only way to keep about:blank from coming back even after you think it's gone away.

Then do as I say. :thumbsup: Run CWShredder again in safe mode, followed by AdAware configured as posted and then post those logs. I know there are other things that need to be fixed with HijackThis.

The thing about people is they change when they walk away. --Mipso


#7 UpFromTheAshes (Topic Starter; Members, 13 posts)

Posted 09 June 2004 - 10:39 AM

OK, here we go:

Here's the output.txt:

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Wed 06/09/2004
10:50 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
D: "SECONDARY" (3D09:0D43) - FS:FAT clusters:16k
Total: 18 867 748 864 [18G] - Free: 1 329 610 752 [1.2G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;



Locked or 'Suspect' file(s) found...
* result\\?\C:\WINDOWS\System32\HLPHIC.DLL
* result: not locked...C:\WINDOWS\System32\HLPHIC.DLL


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41353F8B-78CE-48A5-BE44-153ED293D192}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Can't open Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

2 - The system cannot find the file specified.

Here's the logs.txt:

CWSDLL/Searchx Appinit Fix By Shadowwar
Version 3.00 060404
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Wed 06/09/2004
10:34 AM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Deleting Filter text
Windows XP Detected
Fatal Error Directory File could not be found
This will Happen if you Run this file manually!
Its Designed to run from start.bat

...and here's the most current HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 11:34:08 AM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Stardock Object Desktop\Object Desktop\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\windows\temp\H.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Ad Aware\Ad-aware 6\Ad-watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Getmail\GetMail\GetMail.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\BELLSO~1\CORREC~1\CCD.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Spyware removal\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bmgo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bmgo.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://louisville.theinsiders.com/index.html?
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bmgo.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://hometab.bellsouth.net/
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\p1d764d6.slt\prefs.js)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [H.exe] C:\windows\temp\H.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Ad Aware\Ad-aware 6\Ad-watch.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [getmail] "C:\Program Files\Getmail\GetMail\GetMail.exe"
O4 - HKCU\..\Run: [t2embed] C:\WINDOWS\System32\t2embed.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Publisher XP\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} (FASetupStart Control) - http://a2.ff.fullaudio.com.edgesuite.net/f....0.40/setup.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12ccf72d0eec5cb62c03/...ip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8146.8700115741
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
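Added example, not from this thread: comparing the first log with this fresh one is how the "clean up any leftovers" stage gets decided. The script below keys each entry by its registry value name, its CLSID, or its hive plus Run value name, so a value that merely changed (systb.dll now reported as "file missing") is shown as a change rather than as a removal plus an addition, and it lists the suspicious entries that survived the fix untouched. Both sample logs are trimmed from the two logs posted in this thread; the helper and its `is_suspicious` rule are my own.

```python
"""Diff two HijackThis logs the way a responder reads a 'fresh log after the
fix': what disappeared, what is new, what changed, and which suspicious entries
survived untouched. Hypothetical helper written for this thread."""
import re

# Constructed samples: trimmed from the first log and from the log posted
# after DllFix, CWShredder and peperfix had been run.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bmgo.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {A3F5A710-F2E1-4C41-A69E-90287CE4FBD7} - C:\WINDOWS\System32\bmgo.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [H.exe] C:\windows\temp\H.exe
O4 - HKLM\..\Run: [2CD34@@2WQMB@P] C:\WINDOWS\System32\Lcl7.exe
"""

AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bmgo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bmgo.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [H.exe] C:\windows\temp\H.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"(HK\w+)\\\.\.\\Run: \[([^\]]*)\]")   # "HKLM\..\Run: [name]"
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")                      # "R1 - ...", "O4 - ..."


def entry_key(line):
    """Stable identity of an entry, so a changed value is reported as
    'changed' rather than as one removal plus one addition."""
    sec = line.split(" - ", 1)[0]
    if sec in ("R0", "R1") and " = " in line:
        return line.split(" = ", 1)[0]                 # registry value name
    if sec in ("O2", "O3", "O16"):
        m = CLSID_RE.search(line)
        if m:
            return f"{sec} {m.group(0)}"               # the component's CLSID
    if sec == "O4":
        m = RUN_RE.search(line)
        if m:
            return f"O4 {m.group(1)} [{m.group(2)}]"   # hive + Run value name
    return line                                        # anything else: whole line


def parse(log_text):
    """Map entry key -> full line for every HJT entry line in the log."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries[entry_key(line)] = line
    return entries


def is_suspicious(line):
    """Minimal rule: res:// pages, orphaned CLSIDs and temp-folder autoruns."""
    low = line.lower()
    return "res://" in low or "(no file)" in low or "\\temp\\" in low


def diff_logs(before_text, after_text):
    before, after = parse(before_text), parse(after_text)
    common = before.keys() & after.keys()
    return {
        "removed": sorted(before[k] for k in before.keys() - after.keys()),
        "added": sorted(after[k] for k in after.keys() - before.keys()),
        "changed": sorted((before[k], after[k]) for k in common if before[k] != after[k]),
        "survivors": sorted(after[k] for k in common
                            if before[k] == after[k] and is_suspicious(after[k])),
    }


if __name__ == "__main__":
    for section, items in diff_logs(BEFORE, AFTER).items():
        print(f"== {section} ({len(items)})")
        for item in items:
            print("   ", item)
```

On these samples the bmgo.dll BHO and the random-named Run entries are gone, yet both res://bmgo.dll search values survive and SearchAssistant has newly been pointed at the same page, which is exactly the "leftovers" a responder would queue for the next HijackThis fix.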

#8 Grinler (Lawrence Abrams; Admin, 43,593 posts; Location: USA)

Posted 09 June 2004 - 01:19 PM

Please do this:

Run start.bat from dllfix.exe again, this time choose option number 2 (Run Fix), and then option number 2 (Run fix without dll name).

Your computer will now restart and search for the dll as it's booting up.

When you are back up and running, post a new hijackthis log and the logs.txt that was generated when you rebooted, which is found in the dllfix directory.

#9 UpFromTheAshes (Topic Starter; Members, 13 posts)

Posted 09 June 2004 - 05:53 PM

Ok, when I tried to do that, it copied 5 files, then said:

Backing up registry hive.

Error: the system was unable to find the specified registry key or value.

#10 Grinler (Lawrence Abrams; Admin, 43,593 posts; Location: USA)

Posted 09 June 2004 - 08:28 PM

Download RKDetector, unzip it to your desktop.
In the RKDetector folder you unzipped you will see rkdetector.exe and tcp.dll; hold down your control key and left click each of these files once so they both end up highlighted at the same time. Next right click one of them and choose copy.
Go to Start>Run and type %windir% and hit enter. The window that opens will be the systemroot folder (windows or winnt, depending on the system). Right click an open area in that window and choose paste. You should see rkdetector.exe and tcp.dll appear in the file list there.
Once that is done go to Start>Run and type command and press enter.
In the following commands {s}=press the space bar one time
At the command prompt type the following
cd{s}desktop press enter
rkdetector.exe{s}>{s}rkdetector.txt press enter
The command window will go blank for a minute or so, when the prompt comes back type
exit and press enter.
Find the file on your desktop called rkdetector.txt and look at the last 6 lines, if they all say "Found: 0" then let us know nothing was found. If something was found then paste the entire contents of the file as a reply to this thread.

#11 UpFromTheAshes (Topic Starter; Members, 13 posts)

Posted 09 June 2004 - 09:46 PM

-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 0 wrong Services )
-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)

I'm getting a good feeling here! :thumbsup:

By the way, I am astounded by the amount of knowledge you guys have about this stuff.

#12 Grinler (Lawrence Abrams; Admin, 43,593 posts; Location: USA)

Posted 09 June 2004 - 11:49 PM

Doing some research on this one. I will get back to you tomorrow on it.

#13 Grinler (Lawrence Abrams; Admin, 43,593 posts; Location: USA)

Posted 10 June 2004 - 03:02 PM

Can you please do something for me?

Click on start, then run, and in the field type cmd.exe and press ok.

You should now be at a dos prompt. At this prompt type the following:

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" > output.txt

and press enter. When it is done, type notepad output.txt and paste the contents of the file to a reply to this post.

#14 UpFromTheAshes (Topic Starter; Members, 13 posts)

Posted 11 June 2004 - 09:42 AM

Well, like a bad penny it has turned up again. Everything was fine last night, but when I got to my PC just now, ad-watch had about 7 registration modifications waiting for me to review.

As it is, every 30-90 seconds there are 5 different registry entries that are trying to be changed, dealing with SearchBar, SearchAssistant, and CustomizeSearch. They are evidently on a timer, as they don't seem to be tied to any action on my part.

I just tried to do what you requested, and it tells me "Error: The system was unable to find the specified registry key or value". I thought maybe I mistyped it, so I used regedit to go in and look, and that key isn't there.

#15 Grinler (Lawrence Abrams; Admin, 43,593 posts; Location: USA)

Posted 11 June 2004 - 09:57 AM

Ok, I was informed how to get this fixed up for you. Please follow these steps:

Download VX2Finder from this link:

http://tools.zerosrealm.com/VX2Finder.exe

or

http://www.downloads.subratam.org/VX2Finder.exe

Run Vx2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.
