Also needing about:blank hijack help hjkthis LOG provided (New)
PUG (Senior Member, New Zealand)
13-Jul-2004, 11:52 PM #1
Also needing about:blank hijack help *NEW Version* hjkthis LOG provided
Had a go last month but no luck... appreciate suggestions.

Logfile of HijackThis v1.97.5
Scan saved at 3:16:00 p.m., on 14/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\HotKeys\Ikeymain.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\WINNT\system32\internat.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe
E:\WINZIP\WZQKPICK.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINNT\Speech\Dragon\web_ie.dll
O2 - BHO: (no name) - {D9CAD550-29B0-4526-BE98-F87CB4A608C5} - C:\WINNT\system32\lae.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\HotKeys\Ikeymain.exe
O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINNT\dlm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\WINZIP\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .pdf: C:\trish\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36A318AA-90A6-4840-85B2-3085261D8BDA}: NameServer = 203.96.152.4 203.96.152.12

Last edited by PUG : 14-Jul-2004 08:40 PM.
Styxx (Account Disabled, Iowa, USA)
14-Jul-2004, 12:00 AM #2
Run HJT, click Scan, put checkmarks by the following, click Fix Checked. You might also get, install, update and run the full-featured trial spyware scanner via the colored link below. I tried it, used it but didn't buy; it's a good one.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
PUG (Senior Member, New Zealand)
14-Jul-2004, 12:07 AM #3
Thank you, have deleted, but it may return... downloading SpyRemover now.

New Log

Logfile of HijackThis v1.97.5
Scan saved at 3:59:03 p.m., on 14/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\HotKeys\Ikeymain.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\WINNT\system32\internat.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe
E:\WINZIP\WZQKPICK.EXE
C:\unzipped\hijackthis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\trish\Internet Explorer\IEXPLORE.EXE
C:\trish\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINNT\Speech\Dragon\web_ie.dll
O2 - BHO: (no name) - {D9CAD550-29B0-4526-BE98-F87CB4A608C5} - C:\WINNT\system32\lae.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\HotKeys\Ikeymain.exe
O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINNT\dlm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\WINZIP\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .pdf: C:\trish\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36A318AA-90A6-4840-85B2-3085261D8BDA}: NameServer = 203.96.152.4 203.96.152.12
southernlady (Distinguished Member, NC)
14-Jul-2004, 09:00 AM #4
PUG, you need to go get the newest copy of HiJack This and rerun this. You can download the new one at: http://www.majorgeeks.com/download.php?det=3155
Liz
PUG (Senior Member, New Zealand)
14-Jul-2004, 08:35 PM #5
Have new version of Hijackthis Log
Hi folks, here is the new version log. (Styxx) I have had no luck with the BulletProofSoft.com spyware scanner thus far; 6 reg keys keep returning...


Logfile of HijackThis v1.98.0
Scan saved at 12:25:47 p.m., on 15/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\HotKeys\Ikeymain.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\WINNT\system32\internat.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe
E:\WINZIP\WZQKPICK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\trish\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINNT\Speech\Dragon\web_ie.dll
O2 - BHO: (no name) - {D9CAD550-29B0-4526-BE98-F87CB4A608C5} - C:\WINNT\system32\lae.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\HotKeys\Ikeymain.exe
O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINNT\dlm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\WINZIP\WZQKPICK.EXE
O12 - Plugin for .pdf: C:\trish\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{36A318AA-90A6-4840-85B2-3085261D8BDA}: NameServer = 203.96.152.4 203.96.152.12
O18 - Filter: text/html - {F205D9EF-2630-4C9F-9BA4-41785BFC295D} - C:\WINNT\system32\lae.dll
O18 - Filter: text/plain - {F205D9EF-2630-4C9F-9BA4-41785BFC295D} - C:\WINNT\system32\lae.dll
PUG (Senior Member, New Zealand)
14-Jul-2004, 08:45 PM #6
Looking at lae.dlls all over the place
R1 + R0 usually get rid of right.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {D9CAD550-29B0-4526-BE98-F87CB4A608C5} - C:\WINNT\system32\lae.dll

O18 - Filter: text/html - {F205D9EF-2630-4C9F-9BA4-41785BFC295D} - C:\WINNT\system32\lae.dll
O18 - Filter: text/plain - {F205D9EF-2630-4C9F-9BA4-41785BFC295D} - C:\WINNT\system32\lae.dll
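Correlating entries by the DLL they reference, as PUG does in the post above, is the useful triage step in these logs. The script below is an added example (not code from this thread or from HijackThis): it parses R0/R1/O2/O18/O17 lines in the HijackThis format shown here, reports files that turn up under more than one entry kind, lists the O18 MIME filters, and pulls out the O17 name servers so they can be checked against what the ISP actually issues. The sample log is constructed from lines posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.98 format used in this thread; the
# paths, CLSIDs and addresses are the ones that appear in the posted logs.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D9CAD550-29B0-4526-BE98-F87CB4A608C5} - C:\WINNT\system32\lae.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O18 - Filter: text/html - {F205D9EF-2630-4C9F-9BA4-41785BFC295D} - C:\WINNT\system32\lae.dll
O18 - Filter: text/plain - {F205D9EF-2630-4C9F-9BA4-41785BFC295D} - C:\WINNT\system32\lae.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{36A318AA-90A6-4840-85B2-3085261D8BDA}: NameServer = 203.96.152.4 203.96.152.12
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# R0/R1 hijacks in these logs point at a page served from inside a DLL via res://
RES_RE = re.compile(r"res://(?P<path>[A-Za-z]:\\.+?\.(?:dll|exe))/", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (kind, body) for every R*/O* line; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def referenced_file(kind, body):
    """Return the lower-cased file path an entry loads or points at, or None."""
    m = RES_RE.search(body)
    if m:
        return m.group("path").lower()
    if kind in ("O2", "O3", "O18"):  # BHO / toolbar / MIME filter: path is the last " - " field
        return body.rsplit(" - ", 1)[-1].strip().lower()
    return None


def triage(log_text):
    """Correlate entries by the file they reference and collect the items worth a second look.

    multi_role:   {path: sorted entry kinds} for files seen under more than one entry kind
                  (the lae.dll pattern: search-page hijack + BHO + MIME filter)
    mime_filters: O18 entries, which are rare on a clean install
    nameservers:  the DNS servers from O17, to be verified against the ISP's own values
    """
    roles = defaultdict(set)
    mime_filters = []
    nameservers = []
    for kind, body in parse_entries(log_text):
        path = referenced_file(kind, body)
        if path:
            roles[path].add(kind)
        if kind == "O18":
            mime_filters.append(body)
        if kind == "O17" and "NameServer" in body:
            nameservers.extend(body.split("=", 1)[1].split())
    multi_role = {p: sorted(k) for p, k in roles.items() if len(k) > 1}
    return {"multi_role": multi_role, "mime_filters": mime_filters, "nameservers": nameservers}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, kinds in report["multi_role"].items():
        print(f"{path} is referenced by {', '.join(kinds)} entries")
    for body in report["mime_filters"]:
        print("MIME filter:", body)
    print("DNS servers to verify with the ISP:", " ".join(report["nameservers"]))
```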
Styxx (Account Disabled, Iowa, USA)
14-Jul-2004, 10:55 PM #7
This one too, it's a domain hijacker.

O17 - HKLM\System\CCS\Services\Tcpip\..\{36A318AA-90A6-4840-85B2-3085261D8BDA}: NameServer = 203.96.152.4 203.96.152.12
PUG (Senior Member, New Zealand)
14-Jul-2004, 11:00 PM #8
How funny that O17 returned immediately.
Q: when I have pressed Fix and done a new scan, then given it to you, what's the best thing to do? Should I go to Explorer and change the Home URL, then restart the comp? What's the next step?

Logfile of HijackThis v1.98.0
Scan saved at 2:53:18 p.m., on 15/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\HotKeys\Ikeymain.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\WINNT\system32\internat.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe
E:\WINZIP\WZQKPICK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\trish\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINNT\Speech\Dragon\web_ie.dll
O2 - BHO: (no name) - {D9CAD550-29B0-4526-BE98-F87CB4A608C5} - C:\WINNT\system32\lae.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\HotKeys\Ikeymain.exe
O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINNT\dlm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\WINZIP\WZQKPICK.EXE
O12 - Plugin for .pdf: C:\trish\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{36A318AA-90A6-4840-85B2-3085261D8BDA}: NameServer = 203.96.152.4 203.96.152.12
PUG (Senior Member, New Zealand)
14-Jul-2004, 11:32 PM #9
Log after restart.....boo hoo
Logfile of HijackThis v1.98.0
Scan saved at 3:26:07 p.m., on 15/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\HotKeys\Ikeymain.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\WINNT\system32\internat.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe
E:\WINZIP\WZQKPICK.EXE
C:\Program Files\BulletProofSoft.com\SpywareRemover\Spyware.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\FA656A79.DLL
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINNT\Speech\Dragon\web_ie.dll
O2 - BHO: (no name) - {D9CAD550-29B0-4526-BE98-F87CB4A608C5} - C:\WINNT\system32\lae.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\HotKeys\Ikeymain.exe
O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINNT\dlm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\WINZIP\WZQKPICK.EXE
O12 - Plugin for .pdf: C:\trish\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{36A318AA-90A6-4840-85B2-3085261D8BDA}: NameServer = 203.96.152.4 203.96.152.12
O18 - Filter: text/html - {EFF7994B-9A79-489D-A67F-3FA301CDC8F3} - C:\WINNT\system32\lae.dll
O18 - Filter: text/plain - {EFF7994B-9A79-489D-A67F-3FA301CDC8F3} - C:\WINNT\system32\lae.dll
Flrman1 (Distinguished Member, Thomasville NC)
15-Jul-2004, 06:53 PM #10
Pug,

You have a hijack which can be removed using CWShredder but will be reinstalled by a hidden file. So first we have to find the hidden file and remove it.

Here is what we need to do:

Since you run Windows 2000 and do not have reg.exe installed automatically, we will have to install reg.exe so we can run the batch file that will give us the name of the hidden file.

Pop your install CD in the drive and look for the support\tools folder.

See if there is a copy of reg.exe in there and if so while holding the right mouse button down, drag and drop it into system32. Then release the mouse and choose copy from the menu.

After installing reg.exe do this:

Copy the contents of the quote box to Notepad.
Name the file Appinit.bat
Save as type All Files
Save on the Desktop.

Quote:
Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt

Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Attach the windows.txt file here to your next post please.
----------------

Also which file system? FAT32 or NTFS? Check the properties of the C Drive in my computer to get the file system.
PUG (Senior Member, New Zealand)
18-Jul-2004, 08:46 PM #11
Reg.exe into System32
Hi Flrman1, thanks for the info (away over the weekend).

Have found reg.exe in a .zip called support.cab on the CD.

I then dragged it using the left button into the system32 folder (not quite what you wrote, but it's there; the other way didn't work).

Then created Appinit.bat and here's the attached windoze.txt

Cheers x fingers
PUG (Senior Member, New Zealand)
18-Jul-2004, 08:55 PM #12
attachment trial (first timer)
Please attach little file, I am being a good boy!
Flrman1 (Distinguished Member, Thomasville NC)
18-Jul-2004, 09:06 PM #13
We're going to identify the hidden file a different way.

Please do this:

Click here to download FindNFix.

Extract it (it should autoextract to C:\FindnFix when you double-click it).

Go to the C:\FindnFix folder and doubleclick on !LOG!.BAT and let it run. It will generate a log.txt file. Copy and paste log.txt back here in your next reply.
PUG (Senior Member, New Zealand)
18-Jul-2004, 09:43 PM #14
If 1st you don't succeed
Hi, downloaded and ran FindnFix but it wasn't working, so RE-DOWNLOADED and presto... see below ----

PS: NTFS... forgot to post.


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows 2000 [Version 5.00.2195]
»»»IE build and last SP(s)
6.0.2600.0000
The type of the file system is NTFS.
C: is not dirty.

Mon 19 Jul 04 13:36:22
1:36pm up 0 days, 0:15

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
*For *Helpers/Mods and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/16)»»»»»»»»»»»»»»»»

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINNT\System32\HLPNIEF.DLL +++ File read error
\\?\C:\WINNT\System32\HLPNIEF.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
HLPNIEF.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINNT\SYSTEM32\
hlpnief.dll Tue 8 Jun 2004 13:56:16 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\HLPNIEF.DLL

»»»»»(*5*)»»»»»
**File C:\WINNT\SYSTEM32\DLLXXX.TXT
¯ Access denied ® ..................... HLPNIEF.DLL .....57344 08.06.2004

»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINNT\SYSTEM32\HLPNIEF.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


C:\WINNT\SYSTEM32\
hlpnief.dll Tue 8 Jun 2004 13:56:16 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\HLPNIEF.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group SAR-4QGSHPLS3D7\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.


»»»»»»Backups created...»»»»»»
1:37pm up 0 days, 0:16
Mon 19 Jul 04 13:37:24

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-19-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-19-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Mon 19 Jul 2004 13:36:22 .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....

---------- WIN.TXT
AppInit_DLLsa
--------------
--------------
$011E8: AppInit_DLLsa
$01250: DeviceNotSelectedTimeout
$01298: GDIProcessHandleQuota
$01318: TransmissionRetryTimeout
$01358: USERProcessHandleQuotaO
--------------
--------------
C:\WINNT\system32\hlpnief.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 60 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINNT\system32\hlpnief.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 | C.:.\.W.I.N.N.T.
0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 | \.s.y.s.t.e.m.3.
0020 32 00 5c 00 68 00 6c 00 70 00 6e 00 69 00 65 00 | 2.\.h.l.p.n.i.e.
0030 66 00 2e 00 64 00 6c 00 6c 00 00 00 | f...d.l.l...

Flrman1 (Distinguished Member, Thomasville NC)
18-Jul-2004, 09:49 PM #15
Be sure to follow the next set of steps carefully, in the exact order specified.

Get ready to restart:
First double-click on the FIX.bat file in the C:\FINDnFIX\Keys1 folder.
Wait for the popup alert to restart your computer in 15 seconds.

After the computer restarts and you are back in Windows, navigate to the C:\Windows\System32 folder:
Locate and select the HLPNIEF.DLL file (as it will be visible)
and use the folder's top menu and go to Edit >
Move to Folder...
Select C:\FINDnFIX\junkxxx as the destination and move
the HLPNIEF.DLL there.
-----------------------------------------------------------------------------------------------------------

Now look in the C:\FINDnFIX folder and locate the RESTORE.bat file. Double-click it to run it.

Wait for it to run and it will produce a 'log1.txt' file! Copy that log and paste it here!

-----------------------------------------------------------------------------------------------------------

*Note:
Do not change, move around or
tamper with any of the file(s), folder(s) and paths
included in the 'FINDnFIX' folder.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.