baskar1234
181 Posts
0
June 12th, 2004 16:00
Hello ,..
Download this file from http://downloads.subratam.org/dllfix.exe.
Save it to the Desktop. Double-click on it and press the INSTALL button. A folder called DLLFIX will have been created. Run Start.Bat from there. Run Option 1, which is "Run Find-All...". Let it complete and there will be a pop-up window with a log.
Post that log here.
baskar1234
181 Posts
0
June 12th, 2004 17:00
Hello,
Run the start.bat again after the dll is found or whatever. Run option 2 and choose the correct option in the submenu.
In the submenu,
Option 2 --> is for if you can't find the dll name.
Reboot. There will be the scan for the "dll" on the boot screen, which will search for and fix it.
Reboot. Run HijackThis and save the fresh log.
Post a new Output.txt (option 1 in start.bat), the logs.txt the fix generated (you will find it automatically being made in the dllfix folder) and a fresh HijackThis log.
Now, open CWShredder, run FIX and let it fix what it finds. You can download the latest version of CWShredder 1.59 from the link below.
http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Download KillBox from the link below.
http://www.downloads.subratam.org/KillBox.zip
Unzip it. Run it and paste the following line in the text box:
C:\WINDOWS\SYSTEM32\D3D.DLL
Please don't press the KILL FILE button. Choose ACTION (menu) --> DELETE ON REBOOT.
Reboot.
Download and run the latest version of CWShredder 1.59 from
http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Reboot, rescan with HijackThis and post a fresh log in this same thread.
Message Edited by baskar1234 on 06-12-2004 02:40 PM
Message Edited by baskar1234 on 06-14-2004 12:09 PM
Vandread
98 Posts
0
June 12th, 2004 17:00
--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--
Sat 06/12/2004
01:25 PM
System Info:
Microsoft Windows XP [Version 5.1.2600]
C: "" (9420:A8C6) - FS:NTFS clusters:4k
Total: 80 040 165 376 [75G] - Free: 36 803 170 304 [34G]
*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;
Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
\\?\C:\WINDOWS\System32\D3D.DLL +++ File read error
\\?\C:\WINDOWS\System32\D3D.DLL +++ File read error
Scanning for main Hijacker:
File found was C:\WINDOWS\System32\AGOGEE.DLL
Md5 tested As 4E24A18F3A557AF479219E47E27B8B59
known baddies are:
0758CF635DF08AC381962F74832B6484
C87354D67A8B9828F483C6F90C496972
4E24A18F3A557AF479219E47E27B8B59
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="300"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ
*Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Vandread
98 Posts
0
June 12th, 2004 21:00
Logs.txt Log
CWSDLL/Searchx Appinit Fix By Shadowwar
Version 3.01 060504
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Sat 06/12/2004
05:12 PM
Backing up Registry Hive
The operation completed successfully
Deleting Windows Key
The operation completed successfully
Adding Test Windows Key
The operation completed successfully
Restoring temp Values Key
The operation completed successfully
Deleting Bad Appinit Value
The operation completed successfully
Backup of Modified Hiv
The operation completed successfully
Deleting test Windows key
The operation completed successfully
Deleting Filter text
Running from C:\Documents and Settings\Brian\Desktop\dllfix
Scanning for Locked File
If this repeats 4 times than you may have another
Locked File not related to About:blank Hijack
Unlocking Locked File
C:\WINDOWS\System32\D3D.DLL
Scanning For main hijacker.
Found Main Hijacker Dll:C:\WINDOWS\System32\NGHC.DLL
Md5 tested As 8077C2987B88D4D351B8E0E16D453B51
Scanning for Hidden Dll in system32 1st pass
File found was: C:\WINDOWS\System32\NGHC.DLL
Md5 Check of C:\WINDOWS\System32\NGHC.DLL
Md5 tested As 8077C2987B88D4D351B8E0E16D453B51
File was found but md5 didnt match
MD5 was: 8077C2987B88D4D351B8E0E16D453B51
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\System32\NGHC.DLL>
SetACL finished successfully.
File was zipped for submission to Shadowwar
File is located at C:\Documents and Settings\Brian\Desktop\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.
Adding Back Windows Key
The operation completed successfully
Restoring Registry Hive
The operation completed successfully
Restoring Cleaned Appinit Value
The operation completed successfully
HiJackThis Log
Logfile of HijackThis v1.97.7
Scan saved at 5:22:57 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\Brian\Desktop\My Stuff\cwshredder\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\notepad.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://projectraptor.game-mod.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Documents and Settings\Brian\Desktop\My Stuff\cwshredder\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Brian\Desktop\My Stuff\cwshredder\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
OutPut.txt
--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--
Sat 06/12/2004
05:29 PM
System Info:
Microsoft Windows XP [Version 5.1.2600]
C: "" (9420:A8C6) - FS:NTFS clusters:4k
Total: 80 040 165 376 [75G] - Free: 36 880 093 184 [34G]
*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;
Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
* result\\?\C:\WINDOWS\System32\D3D.DLL
* result: not locked...C:\WINDOWS\System32\D3D.DLL
Scanning for main Hijacker:
File found was C:\WINDOWS\System32\NGHC.DLL
Md5 tested As 8077C2987B88D4D351B8E0E16D453B51
known baddies are:
0758CF635DF08AC381962F74832B6484
C87354D67A8B9828F483C6F90C496972
4E24A18F3A557AF479219E47E27B8B59
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="300"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ
*Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
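As an added, defender-side example (not code from this thread, nor from the dllfix or Find-All tools), here is a small Python triage script for the Find-All report format shown in the two posts above. It automates what the helper checks by eye: whether the DLL found by the hijacker scan matches one of the three known-bad MD5s the report prints (AGOGEE.DLL in the first run does; NGHC.DLL in the second does not, which is why dllfix zipped it for submission instead), whether AppInit_DLLs is set, and which files gave read errors. The sample reports are constructed from lines in this thread; the regexes and function names are assumptions of mine.

```python
import re

# Known-bad MD5 list exactly as the Find-All reports in this thread print it.
KNOWN_BAD_MD5 = {
    "0758CF635DF08AC381962F74832B6484",
    "C87354D67A8B9828F483C6F90C496972",
    "4E24A18F3A557AF479219E47E27B8B59",
}

# Line patterns taken from the report format shown above (assumed stable).
RE_FOUND = re.compile(r"^File found was:?\s+(.+?)\s*$")
RE_MD5 = re.compile(r"^Md5 tested As\s+([0-9A-Fa-f]{32})", re.I)
RE_LOCKED = re.compile(r"^\\\\\?\\(.+?)\s+\+\+\+ File read error$")
# The value name is printed as AppInit_DLLs in one run and Appinit_Dlls in the
# other, so match case-insensitively.
RE_APPINIT = re.compile(r'^"AppInit_DLLs"="(.*)"$', re.I)
RE_BHO = re.compile(r"Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})\]$")


def parse_findall(report):
    """Extract the triage-relevant fields from one Find-All report."""
    info = {"dll": None, "md5": None, "appinit": None, "locked": [], "bhos": []}
    for raw in report.splitlines():
        line = raw.strip()
        if m := RE_FOUND.match(line):
            info["dll"] = m.group(1)
        elif m := RE_MD5.match(line):
            info["md5"] = m.group(1).upper()
        elif m := RE_LOCKED.match(line):
            if m.group(1) not in info["locked"]:  # the report repeats this line
                info["locked"].append(m.group(1))
        elif m := RE_APPINIT.match(line):
            info["appinit"] = m.group(1)
        elif m := RE_BHO.search(line):
            info["bhos"].append(m.group(1).lower())
    return info


def triage(report):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    info = parse_findall(report)
    findings = []
    if info["dll"] and info["md5"] in KNOWN_BAD_MD5:
        findings.append(f"known hijacker DLL: {info['dll']} ({info['md5']})")
    elif info["dll"]:
        # Same situation as NGHC.DLL above: found by the scan but the hash is
        # unknown, so preserve the file and submit it rather than ignore it.
        findings.append(f"unrecognised DLL, submit for analysis: {info['dll']} ({info['md5']})")
    if info["appinit"]:
        findings.append(f"AppInit_DLLs is set: {info['appinit']}")
    for path in info["locked"]:
        findings.append(f"locked/unreadable file, may need ACL reset: {path}")
    return findings


# Constructed from the first Find-All report in this thread (01:25 PM run).
REPORT_BEFORE = r"""
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\D3D.DLL +++ File read error
\\?\C:\WINDOWS\System32\D3D.DLL +++ File read error
Scanning for main Hijacker:
File found was C:\WINDOWS\System32\AGOGEE.DLL
Md5 tested As 4E24A18F3A557AF479219E47E27B8B59
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
"""

# Constructed from the second report (05:29 PM run), after the first dllfix pass.
REPORT_AFTER = r"""
* result: not locked...C:\WINDOWS\System32\D3D.DLL
Scanning for main Hijacker:
File found was C:\WINDOWS\System32\NGHC.DLL
Md5 tested As 8077C2987B88D4D351B8E0E16D453B51
"Appinit_Dlls"=""
"""

if __name__ == "__main__":
    for name, report in (("before", REPORT_BEFORE), ("after", REPORT_AFTER)):
        print(name)
        for finding in triage(report):
            print("  -", finding)
```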
Vandread
98 Posts
0
June 12th, 2004 21:00
Logfile of HijackThis v1.97.7
Scan saved at 5:40:31 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\Brian\Desktop\My Stuff\cwshredder\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://projectraptor.game-mod.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Documents and Settings\Brian\Desktop\My Stuff\cwshredder\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Brian\Desktop\My Stuff\cwshredder\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
Vandread
98 Posts
0
June 12th, 2004 21:00
baskar1234
181 Posts
0
June 14th, 2004 15:00
Hello,
I have edited my old post. Sorry for the bad link.
Also, the hijack is still there. Dllfix should remove the bad file. Could you please repeat the steps in my old post. Please post the logs.txt, the Find-All report (option 1 in dllfix) and a fresh HijackThis log.
baskar1234
181 Posts
0
June 14th, 2004 16:00
Hello,
Let's do a couple of other programs too. It is recommended that you uninstall the MessengerPlus program.
Close all browser windows. Run HijackThis. Hit the Scan button. Then put a check mark on these entries and hit the FIX CHECKED button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://projectraptor.game-mod.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
Reboot into safe mode.
Unhide all files and folders.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html How to unhide files and folders
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039 How to boot into safe mode
Then delete the following:
C:\Program Files\CasinoOnline\ -- FOLDER
Also, run CWShredder in safe mode.
Post a fresh HijackThis log.
Vandread
98 Posts
0
June 14th, 2004 16:00
baskar1234
181 Posts
0
June 14th, 2004 17:00
Hello,
I am sorry for overlooking that. While I copied all the bad stuff, I got this one in the middle also.