
Solved: Browser Hanging

Discussion in 'Web & Email' started by Frogman, Sep 19, 2004.

  1. Frogman

    Frogman Thread Starter

    Joined:
    Sep 19, 2004
    Messages:
    14
    Hi Folks.

    I am really struggling with a problem with my browser hanging every time I use it. It's generally after about 10 minutes of being logged on. I assumed it was some sort of virus, but I have done a full virus check using Panda Titanium Antivirus and I have also done a spyware check using Spyware Doctor. Neither of which have highlighted any problems. I am using Windows XP with Service Pack 2 loaded and AOL 9.0. I would really appreciate somebody looking at my HijackThis log to see if there is anything I have missed (probably loads!!! :D )

    Kind Regards

    Logfile of HijackThis v1.97.7
    Scan saved at 16:18:39, on 19/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\VoyagerTest\fts.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\Converted Music\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {545E062F-98F2-4E50-8FA5-C3FDC01209DF} - C:\WINDOWS\system32\fodj.dll (file missing)
    O3 - Toolbar: aststbexqxq - {356b3e47-d6e2-469e-b929-dd0e95576a27} - C:\DOCUME~1\Paul\APPLIC~1\eagrjkuqf.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [WinLogin] win32x.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093775714218
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38196.6133564815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,294
    First Name:
    Wayne
  3. Frogman

    Frogman Thread Starter

    Joined:
    Sep 19, 2004
    Messages:
    14
    Hi, thanks for replying. I have downloaded the up-to-date version and here is the new info.
    Any help would be greatly appreciated (y)

    Logfile of HijackThis v1.98.2
    Scan saved at 19:28:30, on 19/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\VoyagerTest\fts.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\Program Files\AOL 9.0\waol.exe
    C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\Program Files\AOL 9.0\shellmon.exe
    C:\Program Files\Common Files\AOL\aoltpspd.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Converted Music\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CPubIE Object - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {545E062F-98F2-4E50-8FA5-C3FDC01209DF} - C:\WINDOWS\system32\fodj.dll (file missing)
    O3 - Toolbar: aststbexqxq - {356b3e47-d6e2-469e-b929-dd0e95576a27} - C:\DOCUME~1\Paul\APPLIC~1\eagrjkuqf.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [WinLogin] win32x.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093775714218
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{87F567F1-967F-447F-88D4-F50B460AEC47}: NameServer = 195.93.49.134
    O18 - Filter: text/html - {2F0DC8C3-5BFA-4703-8D9C-DA17FD09EAB2} - C:\WINDOWS\system32\fodj.dll
    O18 - Filter: text/plain - {2F0DC8C3-5BFA-4703-8D9C-DA17FD09EAB2} - C:\WINDOWS\system32\fodj.dll
    O20 - AppInit_DLLs: C:\WINDOWS\System32\comgacd.dll
     
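The two HijackThis logs above contain the handful of entry types that point at the hijack: R0/R1 search settings redirected to a local `sp.html` in a Temp folder, O2/O3 entries whose DLL is reported missing, an O4 Run entry that launches a bare filename (`win32x.exe`), O18 MIME filters on `text/html` and `text/plain`, and an O20 `AppInit_DLLs` entry pointing at `comgacd.dll`. The following Python script is an added example, not part of this thread or of HijackThis itself: it parses HijackThis-style log lines and flags those patterns so a reader can see why those particular lines stand out. The sample input is constructed from lines copied out of the logs posted above, plus benign lines for contrast; the severity labels and the heuristics are the example's own choices, not a HijackThis feature.

```python
"""Triage HijackThis log lines for the hijack indicators seen in this thread."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis logs posted in the thread,
# with two known-good entries (Start Page, QuickTime Task) included for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Claire\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {545E062F-98F2-4E50-8FA5-C3FDC01209DF} - C:\WINDOWS\system32\fodj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: aststbexqxq - {356b3e47-d6e2-469e-b929-dd0e95576a27} - C:\DOCUME~1\Paul\APPLIC~1\eagrjkuqf.dll (file missing)
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Filter: text/html - {2F0DC8C3-5BFA-4703-8D9C-DA17FD09EAB2} - C:\WINDOWS\system32\fodj.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\comgacd.dll
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    lowered = body.lower()

    if section in ("R0", "R1"):
        # Search or start page pointed at a local HTML file under a Temp folder:
        # the sp.html search hijack shown in the thread.
        if "file://" in lowered and "\\temp\\" in lowered:
            return ("high", "browser search/start page redirected to a local Temp file")
    elif section in ("O2", "O3"):
        # A BHO or toolbar registered in IE whose DLL cannot be found on disk is
        # either leftover from a removal or a file hidden from normal listing.
        if "(file missing)" in body:
            return ("medium", "BHO/toolbar registered but its DLL is missing")
    elif section == "O4":
        # Isolate the command that is launched: after "[name]" for Run keys,
        # after " = " for Global Startup .lnk entries.
        target = body.split(":", 1)[1].strip() if ":" in body else body
        if "]" in target:
            target = target.split("]", 1)[1].strip()
        elif " = " in target:
            target = target.split(" = ", 1)[1].strip()
        # A bare filename with no path is resolved through the search path at
        # logon; legitimate entries such as rundll32.exe lines will also land
        # here, so this is a "look at it" signal rather than a verdict.
        if not ABS_PATH_RE.match(target):
            return ("review", "Run entry launches a bare filename with no path")
    elif section == "O18":
        # A protocol filter on text/html or text/plain lets a DLL intercept
        # every page IE renders; Windows registers no such filter by default.
        if re.search(r"Filter: text/(html|plain)", body):
            return ("high", "custom MIME filter on text/html or text/plain")
    elif section == "O20":
        # Anything in AppInit_DLLs is loaded into every process that links
        # user32.dll, which is how comgacd.dll kept reloading the hijack.
        value = body.split("AppInit_DLLs:", 1)[1].strip() if "AppInit_DLLs:" in body else ""
        if value:
            return ("high", "AppInit_DLLs loads a DLL into every user32-linked process")
    return None


def triage(log: str) -> List[Dict[str, str]]:
    """Run classify_line over a whole log and collect the flagged lines."""
    findings = []
    for raw in log.splitlines():
        result = classify_line(raw)
        if result:
            severity, reason = result
            findings.append({"line": raw.strip(), "severity": severity, "reason": reason})
    return findings


def severity_counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Summarise findings as {severity: count}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

Run against the constructed sample, the script flags six of the nine lines: the three `high` findings are exactly the sp.html redirect, the `text/html` filter and the `AppInit_DLLs` entry, which is also the order in which the helper above worked through them (search hijack symptom, then the FindnFix check on the `Windows` key to find the DLL behind it). Entries that merely have no path, such as `[WinLogin] win32x.exe`, are marked `review` rather than condemned, because the same shape also appears in legitimate `RUNDLL32.EXE` lines.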
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,884
    Hi and welcome to TSG,

    Download this: http://downloads.subratam.org/FINDnFIX.exe
    Extract it (it should autoextract to C:\FindnFix when you double click it)

    Go to the C:\FindnFix folder and doubleclick on !LOG!.BAT and let it run. It will generate a log.txt file. Copy and paste the log.txt back here in your next reply.

    Anyone else with a similar problem, do NOT attempt to follow these instructions on your own. Expert help is required to interpret the log and deleting the wrong file can cause serious damage to your system!
     
  5. Frogman

    Frogman Thread Starter

    Joined:
    Sep 19, 2004
    Messages:
    14
    Hi

    Thanks for the reply. Here is the log.txt.

    Again, thanks for any help; it is much appreciated :)


    Sun 19 Sep 04 22:25:01

    »»»»»»»»»»»»»»»»»»***LOG!***(*updated *9/1*)»»»»»»»»»»»»»»»»

    *System:
    Microsoft Windows XP Professional 5.1 Service Pack 2 (Build 2600)
    *IE version:
    6.0.2900.2180 SP2

    The type of the file system is NTFS.


    MS-DOS Version 5.00.500

    *command.com test passed!

    __________________________________
    !!*Creating backups...!!

    The operation completed successfully
    22:25:00.53 19/09/2004
    __________________________________

    *Local time:
    19 September 2004 (19/09/2004)
    22:25, GMT Daylight Time
    *Uptime:
    22:25:02 up 0 days, 3:46:45

    *Path:
    C:\FINDnFIX
    ----------------------------------------------------
    »»Member of...: ("ADMIN" logon + group match required!)

    User is a member of group PAULS\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    User is a member of group \LOCAL.
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Group BUILTIN\Administrators matches list.
    Group BUILTIN\Users matches list.

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    User: [PAULS\Claire], is a member of:

    BUILTIN\Administrators
    \Everyone

    Running in WORKSTATION MODE.

    SystemDrive is C:
    SystemRoot is C:\WINDOWS
    Logon Domain is PAULS
    Administrator's Name is Claire
    Computer Name is PAULS
    LOGON SERVER is \\PAULS

    »»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
    The list will produce a small database of files that will match certain criteria.
    Ex: read only files, s/h files, last modified date. size, etc.
    The filters provided and registry scan should match the
    corresponding file(s) listed.
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Unless the file match the entire criteria, it should not be pointed to remove
    without attempting to confirm it's nature!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
    If in doubt, always search the file(s) and properties according to criteria!

    The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

    ______________________________________________________________________________
    ***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
    ______________________________________________________________________________

    ......Scanning for file(s)...
    *Note! The list(s) may include legitimate files!
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»»»» (*1*) »»»»» .........
    »»Read access error(s)...

    C:\WINDOWS\SYSTEM32\COMGACD.DLL +++ File read error
    \\?\C:\WINDOWS\System32\COMGACD.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    COMGACD.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    No matches found.

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»»»(*5*)»»»»»
    ¯ Access denied ® ..................... COMGACD.DLL .....57344 14.07.2004

    »»»»»(*6*)»»»»»
    fgrep: can't open input C:\WINDOWS\SYSTEM32\COMGACD.DLL

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...
    *List of files and specs according to 'size' :
    *Note: Not all files listed here are infected, but *may include* the
    name and spces of the offending file...
    ___________________________________________________________________________
    Path: C:\WINDOWS\SYSTEM32 Including: *.DLL

    127. Comgacd Dll 57,344 . . . . A 7-14-04 9:32 pm
    249. Dpwsockx Dll 57,344 . . . . A 8-04-04 8:56 am
    667. Msasn1 Dll 57,344 . . . . A 8-04-04 8:56 am
    1104. Sgecom~1 Dll 57,344 . . . . A 4-30-04 10:52 am
    221. Dmloader Dll 35,840 . . . . A 8-04-04 8:56 am
    390. Imgutil Dll 35,840 . . . . A 8-04-04 8:56 am
    447. Jgmd400 Dll 35,840 . . . . A 2-25-04 2:58 pm
    1230. Umandlg Dll 35,840 . . . . A 8-04-04 8:56 am
    245. Dpvacm Dll 21,504 . . . . A 8-04-04 8:56 am
    305. Feclient Dll 21,504 . . . . A 8-04-04 8:56 am

    ____________________________________________________________________________
    *By size and date...


    C:\WINDOWS\SYSTEM32\
    comgacd.dll Wed 14 Jul 2004 21:32:22 A.... 57,344 56.00 K
    dpwsockx.dll Wed 4 Aug 2004 8:56:42 A.... 57,344 56.00 K
    msasn1.dll Wed 4 Aug 2004 8:56:42 A.... 57,344 56.00 K
    sgecom~1.dll Fri 30 Apr 2004 10:52:42 A.... 57,344 56.00 K

    4 items found: 4 files, 0 directories.
    Total of file sizes: 229,376 bytes 224.00 K

    C:\WINDOWS\SYSTEM32\
    dmloader.dll Wed 4 Aug 2004 8:56:42 A.... 35,840 35.00 K
    imgutil.dll Wed 4 Aug 2004 8:56:42 A.... 35,840 35.00 K
    umandlg.dll Wed 4 Aug 2004 8:56:46 A.... 35,840 35.00 K

    3 items found: 3 files, 0 directories.
    Total of file sizes: 107,520 bytes 105.00 K

    C:\WINDOWS\SYSTEM32\
    dpvacm.dll Wed 4 Aug 2004 8:56:42 A.... 21,504 21.00 K
    feclient.dll Wed 4 Aug 2004 8:56:42 A.... 21,504 21.00 K

    2 items found: 2 files, 0 directories.
    Total of file sizes: 43,008 bytes 42.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMGACD.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\DPWSOCKX.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\MSASN1.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SGECOM~1.DLL
    SNiF 1.34 statistics

    Matching files : 4 Amount in bytes : 229376
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DMLOADER.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\IMGUTIL.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\UMANDLG.DLL
    SNiF 1.34 statistics

    Matching files : 3 Amount in bytes : 107520
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DPVACM.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\FECLIENT.DLL
    SNiF 1.34 statistics

    Matching files : 2 Amount in bytes : 43008
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


    BHO search and other files...

    fgrep: can't open input C:\WINDOWS\SYSTEM32\COMGACD.DLL


    No matches found.

    "C:\WINDOWS\system32\"
    rtipxmib.dll 4 Aug 2004 31744 "rtipxmib.dll"

    1 item found: 1 file, 0 directories.
    Total of file sizes: 31,744 bytes 31.00 K

    --*sp.html in temp folder was NOT FOUND!--

    *Filter keys search...
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
    CLSID = {2F0DC8C3-5BFA-4703-8D9C-DA17FD09EAB2}

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain
    CLSID = {2F0DC8C3-5BFA-4703-8D9C-DA17FD09EAB2}

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 512

    »»Checking for AppInit_DLLs (empty) value...
    ________________________________
    !"AppInit_DLLs"=""!

    Value does not match
    ________________________________

    »»Comparing *saved* key with *original*...

    REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

    Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

    No differences found.

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\comgacd.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = C:\WINDOWS\System32\comgacd.dll
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Performing string scan....
    00001150: ?
    00001190: vk @ f AppInit_
    000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ c o m g a c
    00001210:d . d l l allL vk X UDeviceNotSelecte
    00001250:dTimeout 1 5 ( W 9 0 ! vk ' z
    00001290:GDIProcessHandleQuota" vk Spooler2 y e
    000012D0:s ( x vk =pswapdisk
    00001310: vk h R TransmissionRetryTimeout ( x
    00001350: ` vk ' \ USERProcessHandleQuota0
    00001390:p
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    fùAppInit_DLLs֍æG¸ÿÿÿC
    --------------
    --------------
    $011C8: AppInit_DLLs
    $0123F: UDeviceNotSelectedTimeout
    $0128F: zGDIProcessHandleQuota
    $01328: TransmissionRetryTimeout
    $01378: USERProcessHandleQuota0
    --------------
    --------------
    C:\WINDOWS\System32\comgacd.dll
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\WINDOWS\\System32\\comgacd.dll"
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    .............
    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 64 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINDOWS\System32\comgacd.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
    0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
    0020 6d 00 33 00 32 00 5c 00 63 00 6f 00 6d 00 67 00 | m.3.2.\.c.o.m.g.
    0030 61 00 63 00 64 00 2e 00 64 00 6c 00 6c 00 00 00 | a.c.d...d.l.l...
    -----------------------

    »»»»»»Backups list...»»»»»»
    22:28:54 up 0 days, 3:50:37
    -----------------------
    Sun 19 Sep 04 22:28:54


    C:\FINDNFIX\
    keyback.hiv Sun 19 Sep 2004 22:25:02 A.... 8,192 8.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 8,192 bytes 8.00 K

    C:\FINDNFIX\KEYS1\
    winkey.reg Sun 19 Sep 2004 22:25:02 A.... 321 0.31 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 321 bytes 0.31 K

    *Temp backups...

    "C:\Documents and Settings\Claire\Local Settings\Temp\Backs2\"
    keyback2.hi_ 19 Sep 2004 8192 "keyback2.hi_"
    winkey2.re_ 19 Sep 2004 321 "winkey2.re_"

    2 items found: 2 files, 0 directories.
    Total of file sizes: 8,513 bytes 8.31 K
    -D---- JUNKXXX 00000000 22:25.02 19/09/2004
    A----- STARTIT .BAT 00000060 22:25.02 19/09/2004

    ________________________________________________________________________________
    ***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
    AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
    MINIMAL REQUIREMENTS INCLUDE:
    _________XP HOME/PRO; SP1; IE6/SP1
    _________2K/SP4; IE6/SP1
    ________________________________________________________________________________
    »»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»
    -----END------
    Sun 19 Sep 04 22:28:57
    
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,884
    Ok we have identified the hidden file that keeps loading the hijack. This will take a couple more steps to fix.

    Be sure to follow the next set of steps carefully, in the exact order specified.

    IMPORTANT! DISABLE YOUR ANTI-VIRUS PROTECTION TO AVOID ANY CONFLICTS!

    Get ready to restart:

    First doubleclick on the FIX.bat file in the 'FINDnFIX' folder.
    Wait for the popup alert to restart your computer in 15 seconds.

    On restart, navigate to C:\Windows\System32 folder:

    Locate and select the comgacd.dll file (as it will be visible)
    and use the folder's top menu and go to Edit > Move to Folder...

    Select the C:\FINDnFIX\junkxxx as destination and move the comgacd.dll file there.

    Now look in the C:\FINDnFIX folder and locate the RESTORE.bat file. Doubleclick it to run it.

    Wait for it to run and it will produce a 'log1.txt' file! Copy that log and paste it here!
     
  7. Frogman

    Frogman Thread Starter

    Joined:
    Sep 19, 2004
    Messages:
    14
    Hi, I think it's possible something went wrong.

    I followed the instructions. First I couldn't find the Fix.bat, then found it in the Keys1 directory; I assume that is correct. I ran it and it asked me to reboot... fine, but when I looked for comgacd.dll in the windows\system32 directory I couldn't find it.

    Am I going wrong somewhere ?

    Regards
     
  8. Frogman

    Frogman Thread Starter

    Joined:
    Sep 19, 2004
    Messages:
    14
    OK, I have tried again and still couldn't find that file. Here is the log it created anyway:

    Mon 20 Sep 04 21:25:55

    »»»»»»»»»»»»»»»»»»***LOG2!(*updated *9/1*)***»»»»»»»»»»»»»»»»

    *System:
    Microsoft Windows XP Professional 5.1 Service Pack 2 (Build 2600)
    *IE version:
    6.0.2900.2180 SP2

    The type of the file system is NTFS.

    ___________________________________________
    !!Restoring backups!!

    Error: Access is denied.


    Error: Access is denied.

    21:25:45.53 20/09/2004
    ___________________________________________

    *Local time:
    20 September 2004 (20/09/2004)
    21:25, GMT Daylight Time
    *Uptime:
    21:25:58 up 0 days, 3:27:09

    *path:
    C:\FINDnFIX
    Running in WORKSTATION MODE.

    SystemDrive is C:
    SystemRoot is C:\WINDOWS
    Logon Domain is PAULS
    Administrator's Name is Claire
    Computer Name is PAULS
    LOGON SERVER is \\PAULS
    ------------------------------------------


    This log will confirm if the file was successfully moved, and/or
    the right file was selected...

    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»
    \\?\C:\WINDOWS\SYSTEM32\COMGACD.DLL +++ File read error
    C:\WINDOWS\System32\COMGACD.DLL +++ File read error

    »»»»»»» (2) »»»»»»»
    COMGACD.DLL Can't Open!

    »»»»»»» (3) »»»»»»»

    No matches found.
    Unknown/hidden files...

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»»»(5)»»»»»
    ¯ Access denied ® ..................... COMGACD.DLL .....57344 14.07.2004

    »»»»»(6)»»»»»
    fgrep: can't open input C:\WINDOWS\SYSTEM32\COMGACD.DLL

    »»»»»»» Search by size And Date...

    *List of files specs according to size:
    *Note: Not all files listed here are infected!
    ____________________________________________________________________________
    Path: C:\WINDOWS\SYSTEM32 Including: *.DLL

    127. Comgacd Dll 57,344 . . . . A 7-14-04 9:32 pm
    249. Dpwsockx Dll 57,344 . . . . A 8-04-04 8:56 am
    667. Msasn1 Dll 57,344 . . . . A 8-04-04 8:56 am
    1104. Sgecom~1 Dll 57,344 . . . . A 4-30-04 10:52 am
    221. Dmloader Dll 35,840 . . . . A 8-04-04 8:56 am
    390. Imgutil Dll 35,840 . . . . A 8-04-04 8:56 am
    447. Jgmd400 Dll 35,840 . . . . A 2-25-04 2:58 pm
    1230. Umandlg Dll 35,840 . . . . A 8-04-04 8:56 am
    245. Dpvacm Dll 21,504 . . . . A 8-04-04 8:56 am
    305. Feclient Dll 21,504 . . . . A 8-04-04 8:56 am

    ____________________________________________________________________________

    C:\WINDOWS\SYSTEM32\
    comgacd.dll Wed 14 Jul 2004 21:32:22 A.... 57,344 56.00 K
    dpwsockx.dll Wed 4 Aug 2004 8:56:42 A.... 57,344 56.00 K
    msasn1.dll Wed 4 Aug 2004 8:56:42 A.... 57,344 56.00 K
    sgecom~1.dll Fri 30 Apr 2004 10:52:42 A.... 57,344 56.00 K

    4 items found: 4 files, 0 directories.
    Total of file sizes: 229,376 bytes 224.00 K

    C:\WINDOWS\SYSTEM32\
    dmloader.dll Wed 4 Aug 2004 8:56:42 A.... 35,840 35.00 K
    imgutil.dll Wed 4 Aug 2004 8:56:42 A.... 35,840 35.00 K
    umandlg.dll Wed 4 Aug 2004 8:56:46 A.... 35,840 35.00 K

    3 items found: 3 files, 0 directories.
    Total of file sizes: 107,520 bytes 105.00 K

    C:\WINDOWS\SYSTEM32\
    dpvacm.dll Wed 4 Aug 2004 8:56:42 A.... 21,504 21.00 K
    feclient.dll Wed 4 Aug 2004 8:56:42 A.... 21,504 21.00 K

    2 items found: 2 files, 0 directories.
    Total of file sizes: 43,008 bytes 42.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMGACD.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\DPWSOCKX.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\MSASN1.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SGECOM~1.DLL
    SNiF 1.34 statistics

    Matching files : 4 Amount in bytes : 229376
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DMLOADER.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\IMGUTIL.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\UMANDLG.DLL
    SNiF 1.34 statistics

    Matching files : 3 Amount in bytes : 107520
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DPVACM.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\FECLIENT.DLL
    SNiF 1.34 statistics

    Matching files : 2 Amount in bytes : 43008
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    BHO search and other files...

    fgrep: can't open input C:\WINDOWS\SYSTEM32\COMGACD.DLL


    No matches found.

    "C:\WINDOWS\system32\"
    rtipxmib.dll 4 Aug 2004 31744 "rtipxmib.dll"

    1 item found: 1 file, 0 directories.
    Total of file sizes: 31,744 bytes 31.00 K


    No matches found.

    --*sp.html in temp folder was NOT FOUND!--

    *Filter keys search...
    REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html' (2)

    --(*text/html Subkey was NOT FOUND!)--

    REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain' (2)

    --(*text/plain Subkey was NOT FOUND!)--

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»»*»»» Scanning for moved file... »»»*»»»



    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.*

    fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*


    Analyzer v1.36 by Boogie Copyright (C) 1997 ESP Team
    Files: C:\FINDNFIX\JUNKXXX\*.*
    ----------
    ----------


    Volume: Local Disk * DDIR * 9:29 pm | Mon, 9-20-04
    Ser #: 1C95-22B9 DOS Ver. 5.00 61% Used space
    Path: C:\FINDNFIX\JUNKXXX All files selected

    No files found.

    No. of files: 0 | List size: 0
    Disk size: 976.5 M | Actual spc: 0
    Bytes free: 396,906,496 | Conserved space: 0

    File not found - C:\FINDnFIX\junkxxx\*.*

    CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
    MD5 Message Digest Algorithm by RSA Data Security, Inc.

    File name Size Date Time MD5 Hash
    ________________________________________________________________________

    CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

    C:\FINDNFIX\JUNKXXX
    No files found


    #######################################################
    *Known files are...
    --------------------
    File: ((56k; (57,344 bytes)
    CRC-32 : D5C9FB2E
    MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
    --------------------
    File: ((35k; (35,840 bytes)
    CRC-32 : 33081C8B
    MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
    --------------------
    File: ((21k; (21,504 bytes)
    CRC-32 : 2258F59E
    MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
    #######################################################
    »»Permissions:
    ERROR: There are no more files.

    Directory "C:\FINDnFIX\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x PAULS\Claire
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: PAULS\Claire

    Primary Group: PAULS\None

    Directory "C:\FINDnFIX\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x PAULS\Claire
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: PAULS\Claire

    Primary Group: PAULS\None




    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Checking for AppInit_DLLs (empty) value...
    ________________________________
    !"AppInit_DLLs"=""!

    Value does not match
    ________________________________

    »»Comparing *saved* key with *original*...

    REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

    Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

    String value "AppInit_DLLs" in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" different ("C:\WINDOWS\System32\comgacd.dll" vs. "")

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
    (ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Full access PAULS\Claire
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    QWCEN-DS-- BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
    Full access PAULS\Claire



    00001150: $ ? 6EI j#_ck
    00001190: 6EI j#_ck 6EI j#_ck
    000011D0: vk DeviceNotSelectedTimeout 1 5
    00001210: vk ' S GDIProcessHandleQuota o
    00001250: 9 0 sHandl vk leSpooler y e s
    00001290: vk =pswapdisk ` vk
    000012D0: P R TransmissionRetryTimeout vk ' T
    00001310:USERProcessHandleQuota ` H vk
    00001350:mad: p AppInit_DLLs C : \ W I N D O W S \ S y s
    00001390:t e m 3 2 \ c o m g a c d . d l l H
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- NEWWIN.TXT
    AppInit_DLLs
    --------------
    --------------
    $011F0: DeviceNotSelectedTimeout
    $01238: GDIProcessHandleQuota
    $012E0: TransmissionRetryTimeout
    $0130F: TUSERProcessHandleQuota
    $01360: AppInit_DLLs
    --------------
    --------------
    C:\WINDOWS\System32\comgacd.dll
    --------------
    --------------
    d.... 0 Sep 19 22:25 .
    d.... 0 Sep 19 22:25 ..

    2 files found occupying -1024 bytes


    ===============================================================================
    0 bytes 0 cps
    Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.07

    VDIR v1.00
    Path: C:\FINDNFIX\JUNKXXX\*.*
    ---------------------------------------+---------------------------------------
    . <dir> 09-19-:4 22:25|.. <dir> 09-19-:4 22:25
    ---------------------------------------+---------------------------------------
    2 files totaling 0 bytes consuming 0 bytes of disk space.
    27807744 bytes available on Drive C: Volume label: Local Disk

    ...File dump...


    Detecting...

    C:\FINDnFIX\junkxxx
    Finished Detecting...
    =========================================
    0 C:\FINDnFIX\junkxxx (DIR Total)

    Owner No. Files Total Size
    =========================================
    ________________________________________________________________________________
    ***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
    AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
    MINIMAL REQUIREMENTS INCLUDE:
    _________XP HOME/PRO; SP1; IE6/SP1
    _________2K/SP4; IE6/SP1
    ________________________________________________________________________________
    »»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»
    Mon 20 Sep 04 21:29:06
    -----END-----
    
     
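An added example, not part of this thread and not code from the FINDnFIX tool: a small Python triage script that pulls out of a FINDnFIX log the same indicators Cookiegal's steps in post #6 act on and that post #8's log shows (the Windows key size against the 450/398 baseline the tool prints, the REGDIFF line revealing the saved AppInit_DLLs path, the "Access denied" lock on the DLL in System32, and the "MISSING TRAILING NULL CHARACTER" marker), plus a hash check against the known-bad MD5 the log lists. The two log excerpts are copied from this thread; the regular expressions, the function names and the optional winreg helper are my own assumptions about the log layout.

```python
"""Triage an AppInit_DLLs hijack from FINDnFIX-style log output.

Added example; the log layout it parses is assumed from the excerpts in
this thread. Hash and key-size figures come from the log, not from me.
"""
import hashlib
import re
import sys

# MD5 that FINDnFIX lists for the 57,344-byte sample (copied from the log).
KNOWN_BAD_MD5 = {"c185b36f9969d3a6d2122ba7cbc02249": "comgacd.dll / comgacd.333, 57,344 bytes"}

# FINDnFIX key-size heuristic: 450 = clean default, 398 = value absent,
# anything else (448, 504, 512, ...) = value tampered with.
KEY_SIZE_DEFAULT, KEY_SIZE_NO_APPINIT = 450, 398

RE_KEY_SIZE = re.compile(
    r"Size of HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows:\s*(\d+)",
    re.IGNORECASE)
# REGDIFF line: ... different ("<saved value>" vs. "<live value>")
RE_REGDIFF = re.compile(r'"AppInit_DLLs".*?different \("([^"]*)" vs\. "([^"]*)"\)')
# "Access denied ..... COMGACD.DLL ....." : the file the hijacker locked with an ACL
RE_LOCKED = re.compile(r"Access denied\W+([\w~]+\.\w+)")


def key_size_verdict(size):
    """Map the key size FINDnFIX prints to a verdict (assumed labels)."""
    if size == KEY_SIZE_DEFAULT:
        return "default"
    if size == KEY_SIZE_NO_APPINIT:
        return "no AppInit_DLLs value"
    return "suspicious"


def appinit_from_regdiff(log):
    """(saved, live) AppInit_DLLs strings as REGDIFF printed them, or None."""
    m = RE_REGDIFF.search(log)
    return (m.group(1), m.group(2)) if m else None


def locked_files(log):
    """Files in System32 the tools could not open (the hijacker's ACL lock)."""
    return sorted(set(RE_LOCKED.findall(log)))


def triage(log):
    """Collect the indicators a responder checks before and after the fix."""
    m = RE_KEY_SIZE.search(log)
    size = int(m.group(1)) if m else None
    diff = appinit_from_regdiff(log)
    findings = {
        "key_size": size,
        "key_size_verdict": key_size_verdict(size) if size is not None else "unknown",
        "saved_appinit": diff[0] if diff else None,
        "live_appinit": diff[1] if diff else None,
        "locked_files": locked_files(log),
        "missing_trailing_null": "MISSING TRAILING NULL" in log,
    }
    findings["suspicious"] = (
        findings["key_size_verdict"] == "suspicious"
        or bool(findings["saved_appinit"])
        or bool(findings["locked_files"])
        or findings["missing_trailing_null"]
    )
    return findings


def md5_hex(data):
    """Hex MD5 of a file's bytes, for comparison with FINDnFIX's known-file list."""
    return hashlib.md5(data).hexdigest()


def is_known_bad(md5_hex_digest):
    return md5_hex_digest.lower() in KNOWN_BAD_MD5


def live_appinit_value():
    """Windows only: read the value straight from the registry (assumed helper)."""
    if sys.platform != "win32":
        return None
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
    return value


# Excerpts copied from the two logs in this thread (before and after the fix).
INFECTED_LOG = r"""
\\?\C:\WINDOWS\SYSTEM32\COMGACD.DLL +++ File read error
Access denied ..................... COMGACD.DLL .....57344 14.07.2004
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
String value "AppInit_DLLs" in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" different ("C:\WINDOWS\System32\comgacd.dll" vs. "")
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
"""

CLEAN_LOG = r"""
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
Value "AppInit_DLLs" in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" has different lengths (32 vs 1)
AppInit_DLLs =
"""

if __name__ == "__main__":
    for name, log in (("before fix", INFECTED_LOG), ("after fix", CLEAN_LOG)):
        print(name, triage(log))
```

Two things the script makes explicit that the raw logs only hint at. First, REGDMP and the value dump in post #8 both show AppInit_DLLs as empty while REGDIFF and the hex dump show the full path: the value was written without its terminating NUL, so readers that expect a terminated string see nothing, which is why the tool's "MISSING TRAILING NULL CHARACTER" marker and the key-size check (448 instead of 450) are needed as independent signals. Second, the post-fix REGDIFF line "different lengths (32 vs 1)" is the 31-character path plus terminator in the saved backup against the now-empty live value, so it is the expected result, not a leftover. After the move, hash the quarantined file before deleting it; the log's own figures (57,344 bytes, MD5 c185b36f...) should match.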
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,884
    Did you have all files unhidden when you searched for that file? If not, then try step 2 again after doing the following:

    Go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK"
     
  10. Frogman

    Frogman Thread Starter

    Joined:
    Sep 19, 2004
    Messages:
    14
    Hi again,

    Ok I think the problem was I had "Hide protected operating system files" and "Hide extensions for known file types" checked. I have now unchecked these and I will try the steps again.

    I will post the log as soon as I can.

    Thanks for your help
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,884
    No problem.
     
  12. Frogman

    Frogman Thread Starter

    Joined:
    Sep 19, 2004
    Messages:
    14
    OK, it seems it's been successful. Here is the log it created:

    Thanks...

    Tue 21 Sep 04 00:18:07

    »»»»»»»»»»»»»»»»»»***LOG2!(*updated *9/1*)***»»»»»»»»»»»»»»»»

    *System:
    Microsoft Windows XP Professional 5.1 Service Pack 2 (Build 2600)
    *IE version:
    6.0.2900.2180 SP2

    The type of the file system is NTFS.

    ___________________________________________
    !!Restoring backups!!

    The operation completed successfully

    The operation completed successfully
    0:18:05.26 21/09/2004
    ___________________________________________

    *Local time:
    21 September 2004 (21/09/2004)
    00:18, GMT Daylight Time
    *Uptime:
    00:18:09 up 0 days, 0:08:08

    *path:
    C:\FINDnFIX
    Running in WORKSTATION MODE.

    SystemDrive is C:
    SystemRoot is C:\WINDOWS
    Logon Domain is PAULS
    Administrator's Name is Claire
    Computer Name is PAULS
    LOGON SERVER is \\PAULS
    ------------------------------------------


    This log will confirm if the file was successfully moved, and/or
    the right file was selected...

    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»

    »»»»»»» (2) »»»»»»»

    »»»»»»» (3) »»»»»»»

    No matches found.
    Unknown/hidden files...

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»»»(5)»»»»»

    »»»»»(6)»»»»»

    »»»»»»» Search by size And Date...

    *List of files specs according to size:
    *Note: Not all files listed here are infected!
    ____________________________________________________________________________
    Path: C:\WINDOWS\SYSTEM32 Including: *.DLL

    248. Dpwsockx Dll 57,344 . . . . A 8-04-04 8:56 am
    666. Msasn1 Dll 57,344 . . . . A 8-04-04 8:56 am
    1103. Sgecom~1 Dll 57,344 . . . . A 4-30-04 10:52 am
    220. Dmloader Dll 35,840 . . . . A 8-04-04 8:56 am
    389. Imgutil Dll 35,840 . . . . A 8-04-04 8:56 am
    446. Jgmd400 Dll 35,840 . . . . A 2-25-04 2:58 pm
    1229. Umandlg Dll 35,840 . . . . A 8-04-04 8:56 am
    244. Dpvacm Dll 21,504 . . . . A 8-04-04 8:56 am
    304. Feclient Dll 21,504 . . . . A 8-04-04 8:56 am

    ____________________________________________________________________________

    C:\WINDOWS\SYSTEM32\
    dpwsockx.dll Wed 4 Aug 2004 8:56:42 A.... 57,344 56.00 K
    msasn1.dll Wed 4 Aug 2004 8:56:42 A.... 57,344 56.00 K
    sgecom~1.dll Fri 30 Apr 2004 10:52:42 A.... 57,344 56.00 K

    3 items found: 3 files, 0 directories.
    Total of file sizes: 172,032 bytes 168.00 K

    C:\WINDOWS\SYSTEM32\
    dmloader.dll Wed 4 Aug 2004 8:56:42 A.... 35,840 35.00 K
    imgutil.dll Wed 4 Aug 2004 8:56:42 A.... 35,840 35.00 K
    umandlg.dll Wed 4 Aug 2004 8:56:46 A.... 35,840 35.00 K

    3 items found: 3 files, 0 directories.
    Total of file sizes: 107,520 bytes 105.00 K

    C:\WINDOWS\SYSTEM32\
    dpvacm.dll Wed 4 Aug 2004 8:56:42 A.... 21,504 21.00 K
    feclient.dll Wed 4 Aug 2004 8:56:42 A.... 21,504 21.00 K

    2 items found: 2 files, 0 directories.
    Total of file sizes: 43,008 bytes 42.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DPWSOCKX.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\MSASN1.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SGECOM~1.DLL
    SNiF 1.34 statistics

    Matching files : 3 Amount in bytes : 172032
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DMLOADER.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\IMGUTIL.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\UMANDLG.DLL
    SNiF 1.34 statistics

    Matching files : 3 Amount in bytes : 107520
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DPVACM.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\FECLIENT.DLL
    SNiF 1.34 statistics

    Matching files : 2 Amount in bytes : 43008
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    BHO search and other files...



    No matches found.

    "C:\WINDOWS\system32\"
    rtipxmib.dll 4 Aug 2004 31744 "rtipxmib.dll"

    1 item found: 1 file, 0 directories.
    Total of file sizes: 31,744 bytes 31.00 K


    No matches found.

    --*sp.html in temp folder was NOT FOUND!--

    *Filter keys search...
    REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html' (2)

    --(*text/html Subkey was NOT FOUND!)--

    REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain' (2)

    --(*text/plain Subkey was NOT FOUND!)--

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»»*»»» Scanning for moved file... »»»*»»»

    * result\\?\C:\FINDnFIX\junkxxx\COMGACD.333


    C:\FINDNFIX\JUNKXXX\
    comgacd.333 Wed 14 Jul 2004 21:32:22 A.... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\FINDNFIX\JUNKXXX\COMGACD.333
    SNiF 1.34 statistics

    Matching files : 1 Amount in bytes : 57344
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.*

    **File C:\FINDNFIX\JUNKXXX\COMGACD.333
    0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
    0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

    A----- COMGACD .333 0000E000 21:32.22 14/07/2004

    Analyzer v1.36 by Boogie Copyright (C) 1997 ESP Team
    Files: C:\FINDNFIX\JUNKXXX\*.*
    ----------
    COMGACD.333 MS Windows 95 / Windows NT Exe
    ----------


    Volume: Local Disk * DDIR * 12:23 am | Tue, 9-21-04
    Ser #: 1C95-22B9 DOS Ver. 5.00 61% Used space
    Path: C:\FINDNFIX\JUNKXXX All files selected

    1. Comgacd 333 57,344 . . . . A 7-14-04 9:32 pm

    No. of files: 1 | List size: 57,344
    Disk size: 976.5 M | Actual spc: 65,024
    Bytes free: 396,451,328 | Wasted space: 7,680

    --a-- W32i - - - - 57,344 07-14-2004 comgacd.333
    A C:\FINDnFIX\junkxxx\comgacd.333

    CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
    MD5 Message Digest Algorithm by RSA Data Security, Inc.

    File name Size Date Time MD5 Hash
    ________________________________________________________________________
    COMGACD.333 57344 07-14-104 21:32 c185b36f9969d3a6d2122ba7cbc02249

    CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

    C:\FINDNFIX\JUNKXXX
    COMGACD.333 : crc16=3138 crc32=D5C9FB2E

    File: <C:\FINDnFIX\junkxxx\comgacd.333>

    CRC-32 : D5C9FB2E

    MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




    #######################################################
    *Known files are...
    --------------------
    File: ((56k; (57,344 bytes)
    CRC-32 : D5C9FB2E
    MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
    --------------------
    File: ((35k; (35,840 bytes)
    CRC-32 : 33081C8B
    MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
    --------------------
    File: ((21k; (21,504 bytes)
    CRC-32 : 2258F59E
    MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
    #######################################################
    »»Permissions:
    C:\FINDnFIX\junkxxx\comgacd.333 Everyone:F
    NT AUTHORITY\SYSTEM:F
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
    BUILTIN\Administrators:F
    PAULS\Claire:F
    BUILTIN\Users:R

    Directory "C:\FINDnFIX\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x PAULS\Claire
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: PAULS\Claire

    Primary Group: PAULS\None

    Directory "C:\FINDnFIX\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x PAULS\Claire
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: PAULS\Claire

    Primary Group: PAULS\None

    File "C:\FINDnFIX\junkxxx\comgacd.333"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x PAULS\Claire
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

    Owner: PAULS\Claire

    Primary Group: PAULS\None

    C:\FINDnFIX\junkxxx\comgacd.333;Everyone:F
    C:\FINDnFIX\junkxxx\comgacd.333;NT AUTHORITY\SYSTEM:F
    C:\FINDnFIX\junkxxx\comgacd.333;BUILTIN\Administrators:F
    C:\FINDnFIX\junkxxx\comgacd.333;NT AUTHORITY\SYSTEM:F
    C:\FINDnFIX\junkxxx\comgacd.333;BUILTIN\Administrators:F
    C:\FINDnFIX\junkxxx\comgacd.333;NT AUTHORITY\SYSTEM:F
    C:\FINDnFIX\junkxxx\comgacd.333;BUILTIN\Administrators:F
    C:\FINDnFIX\junkxxx\comgacd.333;PAULS\Claire:F
    C:\FINDnFIX\junkxxx\comgacd.333;BUILTIN\Users:RX



    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Checking for AppInit_DLLs (empty) value...
    ________________________________
    !"AppInit_DLLs"=""!

    Value Matches
    ________________________________

    »»Comparing *saved* key with *original*...

    REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

    Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

    Value "AppInit_DLLs" in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" has different lengths (32 vs 1)

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    00001150: ?
    00001190: vk UDeviceNo
    000011D0:tSelectedTimeout 1 5 ( W vk ' z
    00001210:GDIProcessHandleQuota" 9 0 ! vk X
    00001250:Spooler2 y e s vk =pswapdisk
    00001290: 8 h vk ( R TransmissionRetryTimeout
    000012D0: vk ' \ USERProcessHandleQuota0 8
    00001310:h vk f AppInit_DLLs G
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- NEWWIN.TXT
    fùAppInit_DLLs֍æG¸
    --------------
    --------------
    $011C7: UDeviceNotSelectedTimeout
    $0120F: zGDIProcessHandleQuota
    $012B8: TransmissionRetryTimeout
    $012E8: USERProcessHandleQuota0
    $01338: AppInit_DLLs
    --------------
    --------------
    No strings found.

    --------------
    --------------
    d.... 0 Sep 19 22:25 .
    d.... 0 Sep 19 22:25 ..
    ....a 57344 Jul 14 21:32 comgacd.333

    3 files found occupying 55296 bytes

    -------- C:\FINDNFIX\JUNKXXX\COMGACD.333
    InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
    ===============================================================================
    57,344 bytes 5,734,400 cps
    Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.01

    VDIR v1.00
    Path: C:\FINDNFIX\JUNKXXX\*.*
    ---------------------------------------+---------------------------------------
    . <dir> 09-19-:4 22:25|COMGACD 333 57344 A 07-14-:4 21:32
    .. <dir> 09-19-:4 22:25|
    ---------------------------------------+---------------------------------------
    3 files totaling 57344 bytes consuming 65024 bytes of disk space.
    27287552 bytes available on Drive C: Volume label: Local Disk

    ...File dump...

    junkxxx\comgacd.333
    1 file(s) copied.
    56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30
    56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40
    56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50
    56928 00000000 00000000 00000000 a6f00100 |................| 0de60
    56944 01000000 03000000 03000000 88f00100 |................| 0de70
    56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80
    56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90
    56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0
    57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0
    57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0
    57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0
    57056 63655365 74757032 |ceSetup2 | 0dee0

    Detecting...

    C:\FINDnFIX\junkxxx
    comgacd.333 ACL has 9 ACE(s)
    SID = /Everyone S-1-1-0
    ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = NT AUTHORITY/SYSTEM S-1-5-18
    ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = BUILTIN/Administrators S-1-5-32-544
    ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = NT AUTHORITY/SYSTEM S-1-5-18
    ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = BUILTIN/Administrators S-1-5-32-544
    ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = NT AUTHORITY/SYSTEM S-1-5-18
    ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = BUILTIN/Administrators S-1-5-32-544
    ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = PAULS/Claire S-1-5-21-1229272821-1788223648-1801674531-1004
    ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 7 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = BUILTIN/Users S-1-5-32-545
    ACE 8 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 8 mask = 0x001200a9 -R -X
    ACL done...


    Finished Detecting...
    =========================================
    57344 C:\FINDnFIX\junkxxx\comgacd.333 Claire
    57344 C:\FINDnFIX\junkxxx (DIR Total)

    Owner No. Files Total Size
    =========================================
    Claire 1 57344
    ________________________________________________________________________________
    ***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
    AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
    MINIMAL REQUIREMENTS INCLUDE:
    _________XP HOME/PRO; SP1; IE6/SP1
    _________2K/SP4; IE6/SP1
    ________________________________________________________________________________
    »»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»
    Tue 21 Sep 04 00:23:43
    -----END-----
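The "ACE n mask = 0x..." lines in the FindnFix dump above are raw Win32 access masks; the tool decodes them into the short labels (-R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN) that follow each mask. Below is an added Python example, not FindnFix code and not part of the original post, that reproduces that decoding from the documented Win32 bit values, parses a few ACE lines copied from the dump, and lists broad principals (Everyone, Users, Authenticated Users; an assumed list for this example) that hold any modify right on the file. The first ACE above grants Everyone full control, which is what such a check is meant to surface.

```python
import re

# Win32 access-mask bits (documented constants) that FindnFix labels in its dump
FILE_READ_DATA    = 0x00000001
FILE_WRITE_DATA   = 0x00000002
FILE_EXECUTE      = 0x00000020
FILE_DELETE_CHILD = 0x00000040
DELETE            = 0x00010000
WRITE_DAC         = 0x00040000   # change permissions
WRITE_OWNER       = 0x00080000   # take ownership
FILE_ALL_ACCESS   = 0x001F01FF   # the "Full access" value seen in the dump

# Labels in the order the dump prints them
LABELS = [
    ("R", FILE_READ_DATA),
    ("W", FILE_WRITE_DATA),
    ("X", FILE_EXECUTE),
    ("D", DELETE),
    ("DEL_CHILD", FILE_DELETE_CHILD),
    ("CHANGE_PERMS", WRITE_DAC),
    ("TAKE_OWN", WRITE_OWNER),
]

# Rights that let a principal alter or replace the file rather than only read it
MODIFY_BITS = FILE_WRITE_DATA | DELETE | FILE_DELETE_CHILD | WRITE_DAC | WRITE_OWNER

# Assumed set of "anyone on the machine" SIDs for this example; extend as needed
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-545": "Users",
    "S-1-5-11": "Authenticated Users",
}

SID_RE = re.compile(r"^SID = (.+?) (S-1-[0-9-]+)$")
MASK_RE = re.compile(r"^ACE (\d+) mask = (0x[0-9A-Fa-f]+)")

# Constructed sample: three ACE pairs copied from the dump above
SAMPLE_DUMP = """
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 8 is an ACCESS_ALLOWED_ACE_TYPE
ACE 8 mask = 0x001200a9 -R -X
"""


def decode_mask(mask):
    """Label list for an access mask, e.g. 0x001200a9 -> ['R', 'X']."""
    return [name for name, bit in LABELS if mask & bit]


def parse_acl_dump(text):
    """Pair each 'SID = ...' line with the 'ACE n mask = ...' line that follows it."""
    aces, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SID_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = MASK_RE.match(line)
        if m and pending is not None:
            aces.append({"index": int(m.group(1)), "name": pending[0],
                         "sid": pending[1], "mask": int(m.group(2), 16)})
            pending = None
    return aces


def broad_modify_access(aces):
    """SIDs from BROAD_SIDS whose ACE grants any modify right (sorted, de-duplicated)."""
    return sorted({a["sid"] for a in aces
                   if a["sid"] in BROAD_SIDS and a["mask"] & MODIFY_BITS})


if __name__ == "__main__":
    aces = parse_acl_dump(SAMPLE_DUMP)
    for a in aces:
        print("ACE %d %-28s 0x%08x %s" % (a["index"], a["name"], a["mask"],
                                          " ".join("-" + l for l in decode_mask(a["mask"]))))
    for sid in broad_modify_access(aces):
        print("broad principal with modify rights:", BROAD_SIDS[sid], sid)
```

The BUILTIN\Users entry (0x001200a9) decodes to read and execute only, so it is not reported; the Everyone entry (0x001f01ff) decodes to full control and is.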
    
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,884
    Very good.

    Open the FINDnFIX\Files2 Subfolder:

    Run the -> ZIPZAP.bat file.

    It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions:

    Simply drag and drop the 'junkxxx.zip' file from the folder into the mail message and submit to the specified addresses! Thanks!

    When done, restart your computer and delete the entire 'FINDnFIX' file+folder(s) from C:\ and be sure the C:\junkxxx folder was deleted (as part of the cleanup process)

    Go to http://www.majorgeeks.com/download4086.html to download CWShredder. Close all browser windows. Unzip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

    When it is finished, restart your computer.

    Then, go to http://www.lavasoftusa.com/support/download/ and download Ad-Aware SE Personal

    Install the program and launch it.

    First, in the bottom right-hand corner of the main window click on “Check for updates now” then click “Connect” and download the latest definitions files.

    Then, in the main window: Click “Start” and under “Select a scan Mode” tick “Perform full system scan”.

    Then, deselect “Search for negligible risk entries”.

    To start the scan, click the “Next” button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose “select all” from the drop down menu and then click “Next”)

    Come back here and post another Hijack This log and we'll see what’s left to get rid of.
     
  14. Frogman

    Frogman Thread Starter

    Joined:
    Sep 19, 2004
    Messages:
    14
    Ok, all done... here is the latest HJT log

    Thanks

    Logfile of HijackThis v1.98.2
    Scan saved at 01:42:35, on 21/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
    C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\VoyagerTest\fts.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Converted Music\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CPubIE Object - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: aststbexqxq - {356b3e47-d6e2-469e-b929-dd0e95576a27} - C:\DOCUME~1\Paul\APPLIC~1\eagrjkuqf.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [WinLogin] win32x.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093775714218
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
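Reading a HijackThis log by hand means scanning each R/O entry for two structural signals: references whose target file no longer exists ("(file missing)"), and autostart commands with no drive-qualified path, which have to be resolved through the search path at logon. The following is an added Python example, not HijackThis code and not part of the thread, that parses lines in the format of the log above (a constructed sample made of lines copied from it) and lists those two kinds of entries for review; it makes no judgement about any entry beyond that structural check.

```python
import re

# Constructed sample: lines copied from the HijackThis log above
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: CPubIE Object - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: aststbexqxq - {356b3e47-d6e2-469e-b929-dd0e95576a27} - C:\DOCUME~1\Paul\APPLIC~1\eagrjkuqf.dll (file missing)
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [Name] command"
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Body of an O4 Run-key entry: hive, value name in brackets, command line
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def parse_hjt(text):
    """Split a log into entries; each is {'section', 'body', 'file_missing'}."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        entries.append({"section": section, "body": body,
                        "file_missing": body.endswith("(file missing)")})
    return entries


def missing_file_entries(entries):
    """Entries whose referenced file HijackThis could not find (dead references)."""
    return [e for e in entries if e["file_missing"]]


def run_entries(entries):
    """O4 Run-key entries as {'hive', 'name', 'command'} (Global Startup links are skipped)."""
    out = []
    for e in entries:
        if e["section"] != "O4":
            continue
        m = RUN_RE.match(e["body"])
        if m:
            out.append({"hive": m.group(1), "name": m.group(2), "command": m.group(3)})
    return out


def unqualified_run_entries(entries):
    """Value names of Run entries whose command contains no drive-qualified path (':\\')."""
    return [r["name"] for r in run_entries(entries) if ":\\" not in r["command"]]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("entries parsed:", len(entries))
    for e in missing_file_entries(entries):
        print("file missing:", e["section"], "-", e["body"])
    for name in unqualified_run_entries(entries):
        print("Run entry without a full path:", name)
```

On the sample this reports the two "(file missing)" entries and the two Run values (WinLogin, nwiz) that name a bare executable; the rundll32 entry passes because its argument carries a full path. Either list is a starting point for a reviewer, not a verdict.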
  15. Frogman

    Frogman Thread Starter

    Joined:
    Sep 19, 2004
    Messages:
    14
    Cookiegal

    It's getting pretty late here in the UK so I'm going to bed and I will pick up on this again tomorrow.

    I can't thank you enough for the help you have given

    Thanks...goodnight ;)
     
Short URL to this thread: https://techguy.org/275739