There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
 
Malware Removal & HijackThis Logs
Tag Cloud
adware audio bios blue screen boot bsod computer connection crash dell email error excel firefox freeze freezing google hard drive hardware hijackthis install internet laptop linux malware network no sound outlook problem reboot recovery redirect router screen server slow sound speakers spyware startup trojan usb video virus vista windows windows 7 windows vista windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
[Solved] Ok, I admit defeat. Coolsearch spyware (hijack this included) (New)

Tip: Click here to scan for System Errors and Optimize PC performance
[ Sponsored Link ]

Closed Thread
Page 1 of 2 1 2
 
Thread Tools
OhNos111's Avatar
Senior Member with 125 posts.
  
Join Date: Nov 2003
05-Jun-2004, 10:23 AM #1
[Solved] Ok, I admit defeat. Coolsearch spyware (hijack this included)
Dammit! I've dealt with CoolSearch before but was able to defeat it then. It took some n00b registery editing, multiple anti-spyware app sweeps (Adaware and Webroot Spysweeper. They find the spyware, try to remove it, say it's successful, but ultimately fail. I'm assuming it's due to Coolsearch running in binary form. I remember seeing something like that when i did a quick once over in my system's registery), and a system restore but I got it off. Now it's back again and I can't get rid of it this time. I admit that I can't fix this one myself and ask for help.

I'd appreciate any help you guys can give me but, if at all possible, can you tell me what your fixes mean? I don't know much about registery or hardcore comp troubleshooting but would like to learn.


______________________________________________________________

Logfile of HijackThis v1.97.7
Scan saved at 12:51:18 AM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://registration.excite.com/excitereg/login.jsp?app=em&return_url=http://e6.email.excite.com/"); (C:\Program Files\Netscape\Users\someguy\prefs.js)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4359CAF3-D13B-4472-A010-7F0E70F1DFE4} - C:\WINDOWS\System32\nbmlda.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20e9126e...p/RdxIE601.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...875.0239467593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
Last edited by OhNos111 : 05-Jun-2004 10:28 AM.
Register for free to hide this ad!
OhNos111's Avatar
Senior Member with 125 posts.
  
Join Date: Nov 2003
05-Jun-2004, 10:44 AM #2
Hey, what do you know. By just snooping around the internet, I found out that the guy who wrote Hijack This also wrote a little app to remove Coolsearch from your PC. I'll download it, when I get out of work, and try it out.

http://www.securityworm.com/software...oolsearch.html
Flrman1's Avatar
Distinguished Member with 46,429 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
05-Jun-2004, 01:03 PM #3
Hi OhNos111


Unfortunately CWShredder will not remove this one. You have been hijacked by the most complex CWS browser hijacker ever. None of the usual removal tools will remove this one. The removal procedures are quite complex. Before I attempt to give you instructions let me ask you 3 questions,

1: How good are you with computers?

2: Do you have your XP installation Disk?

3: Is it XP Home or Pro?
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
OhNos111's Avatar
Senior Member with 125 posts.
  
Join Date: Nov 2003
05-Jun-2004, 04:39 PM #4
Quote:
Originally Posted by flrman1
Hi OhNos111


Unfortunately CWShredder will not remove this one. You have been hijacked by the most complex CWS browser hijacker ever. None of the usual removal tools will remove this one. The removal procedures are quite complex. Before I attempt to give you instructions let me ask you 3 questions,

1: How good are you with computers?

2: Do you have your XP installation Disk?

3: Is it XP Home or Pro?
Answers:
1. If you tell me where to go, and what to do, I can do it.
2. Yup.
3. Pro

(Also, don't know if this has anything to do with it but, my Notepad is gone. I mean, literally gone. The shortcut icons are there but it won't open. :huh: )

Oh yeah...Did theh CWShredder scan and this is what it found:

CWShredder v1.59.0 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Guy1\Application Data
Username: Guy1

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http://sharempeg.com/find/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: res://C:\WINDOWS\System32\nbmlda.dll/sp.html (obfuscated)
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (5719 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (1067 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (237 bytes, A)

- END OF REPORT -
Last edited by OhNos111 : 05-Jun-2004 04:46 PM.
Flrman1's Avatar
Distinguished Member with 46,429 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
05-Jun-2004, 05:43 PM #5
Well I guess we better try to fix notepad first.

Click on this link to download a new copy of notepad.exe. Unzip an copy to both the C:\Windows folder and the C:\Windows\System32 folder overwriting the existing file:

http://www.spywareinfo.com/~merijn/f...notepad_xp.zip



Now do the following:


Go here and download Findall.zip for XP/2k :

http://freeatlast.100free.com/index.html

You must Unzip (extract) the files first. Open the Find-all folder and doubleclick on the FIND-ALL.CMD file in the Find-All folder. Wait for it to complete and it will generate an output.txt file. Copy and paste the contents of output.txt here.

*Note: If your Antivirus is running a scriptblocker, when you run Findall.bat, you will recieve an alert warning you that the script is running. "Allow" the script to run.

After you do that and post it here do this:

Install Recovery Console:

If you have the XP installation disk, put the CD in the drive while on the internet.

Go to Start>Run and execute this command: (Copy and paste the command in and then press enter)

D:\i386\winnt32.exe /cmdcons

Where D is the CD drive Letter. If D is not the drive letter of your CD drive change it accordingly.

Go ahead and follow the steps here to bypass the Recovery Console password:

http://support.microsoft.com/default...b;EN-US;312149

After you have installed the Recovery Console and posted the log from the output.txt file, wait for further instructions.
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
OhNos111's Avatar
Senior Member with 125 posts.
  
Join Date: Nov 2003
07-Jun-2004, 03:18 AM #6
Here's the Find All log.

Quote:
--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.3 -6/07 @@@***==--


Mon Jun 07 02:17:23 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "Primary" (DCE7:99F0) - FS:NTFS clusters:4k
Total: 120 023 252 992 [112G] - Free: 4 497 657 856 [4.2G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q822925;Q828750;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-18-2001 regedt32.exe


»»PC uptime:
2:17am up 0 days, 0:24

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\LOGKGIP.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOGKGIP.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
632 smss.exe
684 csrss.exe Title:
708 winlogon.exe Title: NetDDE Agent
780 services.exe Svcs: Eventlog,PlugPlay
792 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
1032 svchost.exe Svcs: RpcSs
1152 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitching Compatibility,helpsvc,HidServ,Iprip,lanmanserver,lanmanworkstation,Netman,N la,RasAuto,RasMan,Schedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv ,TermService,Themes,TrkWks,upl
1312 svchost.exe Svcs: Dnscache
1360 svchost.exe Svcs: Alerter,LmHosts,RemoteRegistry,SSDPSRV,WebClient
1608 spoolsv.exe Svcs: Spooler
316 CTsvcCDA.EXE Svcs: Creative Service for CDROM Access
496 NAVAPSVC.EXE Svcs: navapsvc
588 nvsvc32.exe Svcs: NVSvc
840 tcpsvcs.exe Svcs: SimpTcp
1200 snmp.exe Svcs: SNMP
1348 NOPDB.EXE Svcs: Speed Disk service
1392 svchost.exe Svcs: stisvc
1524 MsPMSPSv.exe Svcs: WMDM PMSP Service
1060 explorer.exe Title: Program Manager
1368 NAVAPW32.EXE Title: Norton AntiVirus
1412 WFXSWTCH.exe Title: LOGINOUTTEST
1328 WFXSNT40.EXE Title: WinFax Port Starter
1500 Imgicon.exe Title:
1912 DAP.exe Title:
1944 CTHELPER.EXE Title: CtHelper
1108 CTNotify.exe Title: Disc Detector
156 realsched.exe Title: Notification Wnd for RNAdmin
168 ctfmon.exe Title:
664 SpySweeper.exe Title:
332 rundll32.exe Title: MediaCenter
1132 CTLTray.exe Title:
1056 CTLTask.exe Title: CTLTask
1472 Mediadet.exe Title: Dialog
2528 iexplore.exe Title: NASIOC Forums - powered by vBulletin - Microsoft Internet Explorer
2796 iexplore.exe Title: Search results for windows notepad - Reviews and free downloads at Download.com - Microsoft Internet Explorer
3052 CsRemnd.exe
3620 odmj.dat Title: OleMainThreadWndName
1776 099xLwyiO.exe Title:
2064 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
1400 ntvdm.exe
3376 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{0000CC75-ACF3-4cac-A0A9-DD3868E06852}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceOb jectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

»»Group/user settings:


User: [DRAGONSPIRIT\Guy1], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group DRAGONSPIRIT\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\AdministratorsOI)(CI)F
NT AUTHORITY\SYSTEMOI)(CI)F
DRAGONSPIRIT\Guy1:F
CREATOR OWNEROI)(CI)(IO)F
BUILTIN\UsersOI)(CI)R
BUILTIN\UsersCI)(special access

FILE_APPEND_DATA

BUILTIN\UsersCI)(special access

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright (C) 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 5,719 05-23-2004 hosts
------
»»Rehash:

»Strings found:

Mon Jun 07 02:17:34 2004 -- ++Find-All backups:
c:\findal~1\winBackup.hiv
--a-- - - - - - 8,192 06-07-2004 winbackup.hiv
c:\findal~1\windows.txt
--a-- - - - - - 8,192 06-07-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-07-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-07-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


OhNos111's Avatar
Senior Member with 125 posts.
  
Join Date: Nov 2003
07-Jun-2004, 03:31 AM #7
Oooh boy. I just got an error trying to install Recovery console.

Quote:
The installation did not complete correctly.

It is possible that Windows XP startup files in the root directory were missing or in use during the installation. Please close any applications that might be using those files.

I'm going to restart and try again.

[edit]: Ok, got Recovery Console installed...Waiting for further orders SIR!!!
Last edited by OhNos111 : 07-Jun-2004 03:47 AM.
Flrman1's Avatar
Distinguished Member with 46,429 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
07-Jun-2004, 09:34 PM #8
You should first print the instructions before booting to the Recovery Console.

Because XP will not always show you hidden files and folders by default.
Reset your search settings first.

Open Folder Options>view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
_______________________________________________________________________

First download hiving.zip from here:

http://forums.techguy.org/attachment...chmentid=33308

unzip it.

After unzipping hiving.zip, open the hiving folder and click on the hiving.bat and let it run.

After the hiving.bat file completes, restart your computer

_______________________________________________________________________

Now Copy and paste the contents of the quote box to Notepad. Save as go.txt

Save the file in C:\windows
Quote:
attrib -r C:\WINDOWS\System32\LOGKGIP.DLL
attrib -h C:\WINDOWS\System32\LOGKGIP.DLL
attrib -s C:\WINDOWS\System32\LOGKGIP.DLL
del C:\WINDOWS\System32\LOGKGIP.DLL
Reboot. You will get a menu. Choose Recovery Console. To do that use the arrow keys to move through the menu and when Recovery Console is highlighted, press enter. You'll be asked which Install you want to repair. If you only have one OS installed you will only have one option like so:

1: C:\Windows

Press the 1 key and then hit the Enter key.

Once Recovery Console has loaded you should now be at a prompt like this:

C:\Windows>


Type this and press enter:

Batch C:\windows\go.txt

Dos is particular about spaces. Here it is again with the space you need to add.

Batch space C:\windows\go.txt

If the batch works, you will get no error messages and you will be back at a C:> prompt. If you get an error message you need to post back with the message.

Type Exit to restart.

________________________________________________________________________


Once you are back in Windows do the following:



Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

When it is finished restart your computer.



Go here and download Adaware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now and download the latest referencefiles.

Make sure the following settings are made and on -------ON=GREEN

From main window :Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

___________________________________________________________________________ _______

After all that run Findall.bat again and post another output.txt log along with another Hijack This log.
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
Last edited by flrman1 : 07-Jun-2004 09:40 PM.
OhNos111's Avatar
Senior Member with 125 posts.
  
Join Date: Nov 2003
09-Jun-2004, 03:52 AM #9
Quote:
Originally Posted by flrman1
.
I've gotten as far as

Quote:
attrib -r C:\WINDOWS\System32\LOGKGIP.DLL
attrib -h C:\WINDOWS\System32\LOGKGIP.DLL
attrib -s C:\WINDOWS\System32\LOGKGIP.DLL
del C:\WINDOWS\System32\LOGKGIP.DLL
But could not open those .DLL's. I just get "Access denied." Strange thing is that I am the system Administrator. (Win XP pro)

Oh yeah...What is that "attrib -h" stuff?
Flrman1's Avatar
Distinguished Member with 46,429 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
09-Jun-2004, 07:38 AM #10
The "attrib -h" is to strip the hidden attribute from the file.

Please post another Hijack This log and another output.txt log.
OhNos111's Avatar
Senior Member with 125 posts.
  
Join Date: Nov 2003
10-Jun-2004, 12:02 AM #11
Find all log

Quote:
--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.3 -6/07 @@@***==--


Wed Jun 09 23:00:12 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "Primary" (DCE7:99F0) - FS:NTFS clusters:4k
Total: 120 023 252 992 [112G] - Free: 3 949 432 832 [3.7G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q822925;Q828750;Q832894;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-18-2001 regedt32.exe


»»PC uptime:
11:00pm up 0 days, 0:03

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\LOGKGIP.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOGKGIP.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
636 smss.exe
684 csrss.exe Title:
708 winlogon.exe Title: NetDDE Agent
752 services.exe Svcs: Eventlog,PlugPlay
764 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
940 svchost.exe Svcs: RpcSs
1040 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitching Compatibility,helpsvc,HidServ,Iprip,lanmanserver,lanmanworkstation,Netman,N la,RasAuto,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srse rvice,TapiSrv,TermService,Them
1264 svchost.exe Svcs: Dnscache
1296 svchost.exe Svcs: Alerter,LmHosts,RemoteRegistry,SSDPSRV,WebClient
1432 spoolsv.exe Svcs: Spooler
236 explorer.exe Title: Program Manager
492 NAVAPW32.EXE Title: Norton AntiVirus
504 WFXSWTCH.exe Title: LOGINOUTTEST
512 WFXSNT40.EXE Title: WinFax Port Starter
528 Imgicon.exe Title:
368 DAP.exe Title:
616 CTHELPER.EXE Title: CtHelper
624 CTNotify.exe Title: Disc Detector
652 ctfmon.exe Title:
664 SpySweeper.exe Title:
680 rundll32.exe Title: MediaCenter
932 CTLTray.exe Title:
956 CTLTask.exe Title: CTLTask
992 alg.exe Svcs: ALG
1012 CTsvcCDA.EXE Svcs: Creative Service for CDROM Access
1340 NAVAPSVC.EXE Svcs: navapsvc
1348 Mediadet.exe Title: Dialog
1484 nvsvc32.exe Svcs: NVSvc
116 tcpsvcs.exe Svcs: SimpTcp
256 snmp.exe Svcs: SNMP
1248 NOPDB.EXE Svcs: Speed Disk service
1556 svchost.exe Svcs: stisvc
1620 MsPMSPSv.exe Svcs: WMDM PMSP Service
1948 Efp5.exe Title:
2064 Jfj1OLf7.exe Title:
2496 Netscp.exe Title: Tech Support Guy Forums - Ok, I admit defeat. Coolsearch spyware (hijack this included) - Netscape
2704 iexplore.exe Title: Google - Microsoft Internet Explorer
3276 Notepad.exe Title: hijackthis2 - Notepad
3312 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3352 ntvdm.exe
3464 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{0000CC75-ACF3-4cac-A0A9-DD3868E06852}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceOb jectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

»»Group/user settings:


User: [DRAGONSPIRIT\Guy1], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group DRAGONSPIRIT\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\AdministratorsOI)(CI)F
NT AUTHORITY\SYSTEMOI)(CI)F
DRAGONSPIRIT\Guy1:F
CREATOR OWNEROI)(CI)(IO)F
BUILTIN\UsersOI)(CI)R
BUILTIN\UsersCI)(special access

FILE_APPEND_DATA

BUILTIN\UsersCI)(special access

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright (C) 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 0 06-09-2004 hosts
------
»»Rehash:

»Strings found:

Wed Jun 09 23:00:20 2004 -- ++Find-All backups:
c:\findal~1\winBackup.hiv
--a-- - - - - - 8,192 06-09-2004 winbackup.hiv
c:\findal~1\windows.txt
--a-- - - - - - 8,192 06-09-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-07-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-07-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



Hijack this Log

Quote:
Logfile of HijackThis v1.97.7
Scan saved at 10:59:18 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Efp5.exe
C:\WINDOWS\System32\Jfj1OLf7.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://registration.excite.com/excitereg/login.jsp?app=em&return_url=http://e6.email.excite.com/"); (C:\Program Files\Netscape\Users\someguy\prefs.js)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [5W@CDCL3STM@Y7] C:\WINDOWS\System32\UltBua.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20e9126e...p/RdxIE601.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...875.0239467593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
Flrman1's Avatar
Distinguished Member with 46,429 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
10-Jun-2004, 07:54 AM #12
This time I am going to have you manually type the commands instead of runnung the bat file.

You should first print the instructions before booting to the Recovery Console.

Because XP will not always show you hidden files and folders by default.
Reset your search settings first.

Open Folder Options>view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

_______________________________________________________________________

First download hiving.zip from here:

http://forums.techguy.org/attachment...chmentid=33308

unzip it.

After unzipping hiving.zip, open the hiving folder and click on the hiving.bat and let it run.

After the hiving.bat file completes, restart your computer

_______________________________________________________________________

Reboot. You will get a menu. Choose Recovery Console. To do that use the arrow keys to move through the menu and when Recovery Console is highlighted, press enter. You'll be asked which Install you want to repair. If you only have one OS installed you will only have one option like so:

1: C:\Windows

Press the 1 key and then hit the Enter key.

Once Recovery Console has loaded you should now be at a prompt like this:

C:\Windows>

At this prompt you will type in the follwing commands:

Type this and press enter:

del C:\WINDOWS\System32\LOGKGIP.DLL

Spaces are important in these commands. There is a space between each command switch and the file path. Here it is with those:

del space C:\WINDOWS\System32\LOGKGIP.DLL

Let it do the delete. (See ***Note if you receive an error when executing this command)


***Note: If C:\WINDOWS\System32\LOGKGIP.DLL is set as a hidden, system or read only file, you may have to clear these attributes. If you get a message that the hidden or system file cannot be removed use this command to clear the attributes and press enter. Then execute the del command again.

Type:

attrib -r C:\WINDOWS\System32\LOGKGIP.DLL

(With the spaces here is that command again....
attrib space -r space C:\WINDOWS\System32\LOGKGIP.DLL)

Hit Enter

Then type:

del C:\WINDOWS\System32\LOGKGIP.DLL

(This one is..... del space C:\WINDOWS\System32\LOGKGIP.DLL)

Hit Enter.


If after you have removed the Read Only attribute with the above command and still get an error use the following command to remove the hidden attribute and then try the del command again.

attrib -h C:\WINDOWS\System32\LOGKGIP.DLL

Hit Enter.

Then type the del command again:

del C:\WINDOWS\System32\LOGKGIP.DLL

Hit Enter.

If you still receive an error after removing the hidden attribute use this command:

attrib -s C:\WINDOWS\System32\LOGKGIP.DLL

Then type the del command again:

del C:\WINDOWS\System32\LOGKGIP.DLL

*Note: If you are successful in deleting the file after any one of these steps there is no need to execute all the subsequent commands. The goal is to successfully delete that hidden file. Only proceed to the next command if the deletion fails after removing the read only attribute etc...

***Now you have deleted the hidden file that keeps loading the hijack.***

Type Exit to restart.

_______________________________________________________________________
Once you are back in Windows do the following:



Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

When it is finished restart your computer.



Go here and download Adaware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now and download the latest referencefiles.

Make sure the following settings are made and on -------ON=GREEN

From main window :Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

______________________________________________________________________

After all that run Findall.bat again and post another output.txt and windows.txt file log along with another Hijack This log.
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
OhNos111's Avatar
Senior Member with 125 posts.
  
Join Date: Nov 2003
11-Jun-2004, 12:38 AM #13
Ok...Did all that and here are the Hijack this log and Find all log; not sure what you meant by "windows.txt" file log.


Quote:
Logfile of HijackThis v1.97.7
Scan saved at 11:35:54 PM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DopwS4t.exe
C:\WINDOWS\System32\Hxb1.exe
C:\Hijack This\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://registration.excite.com/excitereg/login.jsp?app=em&return_url=http://e6.email.excite.com/"); (C:\Program Files\Netscape\Users\someguy\prefs.js)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [5W@CDCL3STM@Y7] C:\WINDOWS\System32\ZkvIQ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20e9126e...p/RdxIE601.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...875.0239467593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab


Quote:
--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.3 -6/07 @@@***==--


Thu Jun 10 23:34:48 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "Primary" (DCE7:99F0) - FS:NTFS clusters:4k
Total: 120 023 252 992 [112G] - Free: 3 790 303 232 [3.5G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q822925;Q828750;Q832894;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-18-2001 regedt32.exe


»»PC uptime:
11:34pm up 0 days, 1:02

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\LOGL.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOGL.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
632 smss.exe
684 csrss.exe Title:
708 winlogon.exe Title: NetDDE Agent
752 services.exe Svcs: Eventlog,PlugPlay
764 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
944 svchost.exe Svcs: RpcSs
1044 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitching Compatibility,helpsvc,HidServ,Iprip,lanmanserver,lanmanworkstation,Netman,N la,RasAuto,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srse rvice,TapiSrv,TermService,Them
1260 svchost.exe Svcs: Dnscache
1284 svchost.exe Svcs: Alerter,LmHosts,RemoteRegistry,SSDPSRV,WebClient
1432 spoolsv.exe Svcs: Spooler
236 explorer.exe Title: Program Manager
480 NAVAPW32.EXE Title: Norton AntiVirus
488 WFXSWTCH.exe Title: LOGINOUTTEST
496 WFXSNT40.EXE Title: WinFax Port Starter
512 Imgicon.exe Title:
276 DAP.exe Title: Dialog
600 CTHELPER.EXE Title: CtSpkHlp
368 CTNotify.exe Title: Disc Detector
624 ctfmon.exe Title:
648 SpySweeper.exe Title: Spysweeper
676 rundll32.exe Title: MediaCenter
672 Mediadet.exe Title: Dialog
112 CTLTray.exe Title: Dialog
824 CTLTask.exe Title: CTLTask
1096 alg.exe Svcs: ALG
1132 CTsvcCDA.EXE Svcs: Creative Service for CDROM Access
1328 NAVAPSVC.EXE Svcs: navapsvc
1464 nvsvc32.exe Svcs: NVSvc
348 tcpsvcs.exe Svcs: SimpTcp
252 snmp.exe Svcs: SNMP
1548 NOPDB.EXE Svcs: Speed Disk service
1644 svchost.exe Svcs: stisvc
1720 MsPMSPSv.exe Svcs: WMDM PMSP Service
1732 DopwS4t.exe Title:
1816 Hxb1.exe Title:
2448 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2396 ntvdm.exe
2528 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{0000CC75-ACF3-4cac-A0A9-DD3868E06852}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceOb jectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

»»Group/user settings:


User: [DRAGONSPIRIT\Guy1], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group DRAGONSPIRIT\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\AdministratorsOI)(CI)F
NT AUTHORITY\SYSTEMOI)(CI)F
DRAGONSPIRIT\Guy1:F
CREATOR OWNEROI)(CI)(IO)F
BUILTIN\UsersOI)(CI)R
BUILTIN\UsersCI)(special access

FILE_APPEND_DATA

BUILTIN\UsersCI)(special access

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright (C) 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 0 06-09-2004 hosts
------
»»Rehash:

»Strings found:

Thu Jun 10 23:34:56 2004 -- ++Find-All backups:
c:\findal~1\winBackup.hiv
--a-- - - - - - 8,192 06-10-2004 winbackup.hiv
c:\findal~1\windows.txt
--a-- - - - - - 8,192 06-10-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-07-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-07-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



Also, I've noticed some virus apps running in my startup list, so I baleeted them. (something like sjadbot.exe and more) I don't know if it will matter but I did another Hijack this and another Find all scan. Since I don't want a fittybillion page post, I'll just give you the link.

Hijack this
Find All log
Last edited by OhNos111 : 11-Jun-2004 06:11 PM.
Flrman1's Avatar
Distinguished Member with 46,429 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
12-Jun-2004, 10:18 PM #14
Try this:

Download this tool:

http://tools.zerosrealm.com/dllfix.exe

Its a self extracting zip. Just click on it and it will self extract.

IMPORTANT!: Before you run this tool please close ALL running programs and ALL Windows except dllfix.

Open the dllfix folder and click on the start.bat.

*Note: If your Antivirus is running a scriptblocker, when you run this tool, you will probably recieve an alert warning you that the script is running. "Allow" the script to run.

In the window that pops up Hit the 2 key on your keyboard and hit Enter. In the next menu hit the 1 key on your keybard and hit the Enter key again.

you will arrive at a prompt like this:

Enter full name and hit Enter C:\Windows\System32\

Enter this file name and hit enter:

LOGL.DLL

It will do it's cleanup and give a 15 second countdown and when Windows restarts it will automatically run the second.bat file. Just let it run. When it completes post another output.txt log and another Hijack This log.
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
OhNos111's Avatar
Senior Member with 125 posts.
  
Join Date: Nov 2003
25-Jun-2004, 01:37 AM #15
Quote:
Originally Posted by flrman1
Try this:

Download this tool:

http://tools.zerosrealm.com/dllfix.exe

Its a self extracting zip. Just click on it and it will self extract.

IMPORTANT!: Before you run this tool please close ALL running programs and ALL Windows except dllfix.
.

First, I'd like to thank you guys for your continuted help. Second, that link you gave downloaded an app called "AboutBuster." I don't know if it's the correct one but I ran it anyway. Problem is, it gave me a run time error. I think it was Runtime error 79: File access/denied or something like that.

Just incase it's necessary, here's another Find All and Hijack this log.

Find All log
Hijack This log
Closed Thread Bookmark and Share
Page 1 of 2 1 2

Smart Search

Find your solution!

« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.

Thread Tools


Twitter Twitter! | Podcast | Mobile | Advertise
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -5. The time now is 01:26 PM.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2009, Jelsoft Enterprises Ltd.
 Powered by Cermak Technologies, Inc.