An appeal to the experts for help, hijack this log included

celerityfm · May 20, 2004

Hey guys... I've been owned by what I THINK is a CWS variant.. latest CWSShredder shows CWS.searchx and cleans it but it kept coming back.. eventually it just stopped showing up all together and my IE homepage stopped getting reset to CoolWebSearch. Sometimes it would get reset to about:blank, but I stopped using IE and hit up FireFox for a while and figured I could ignore this. But recently AVG Free 6.0 started finding random DLL files in system32 that it said was "Trojan horse Startpage.4.AO" and could not clean them! I don't think we're out of the woods yet!

I thought I might have the RealYellow variant of CWS but I tried the cleaning steps posted on Merijn's site but never found the file with the 61c00000 61440 header, so I'm not sure I even have that. To make things even STRANGER, I downloaded SpywareBlaster AFTER the fact (shoulda been running that before all this right?) and when I try to launch it after installation I get an error saying "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." and as you may have guessed, reinstalling does not help. I also tried the program and technique listed in this thread https://www.wilderssecurity.com/showpost.php?p=177718&postcount=17 out of desperation even though I've never seen a mrhoppy.dll anywhere on my computer. Now, justto be complete I'll go ahead and run Spybot and Hijackthis again right now...(goes off to run Spybot).

Ok, just ran the latest Spybot and man did that adware/trojan squirm! Right around 4292 (AdGoblin), AVG started detecting "Trojan horse Startpage.4.AO" and continued to do so throughout the rest of the scan. SYSTEM32\FIEN.DLL, HQCMPE.DLL, etc flashed by on AVG during the scan but in the end Spybot only found 1 random registry key for a "web dialer", the rest were just cookies (btw that key was HKEY_USERS\S-1-5-21-484763869-1343024091-1708537768-1003\Software\Microsoft\Internet Explorer\Main\HOMEOldSP). AVG finds this trojan on random occasions as well but so far it finds it everytime I run spybot right around the AdGoblin part. HMM. Anyways, enough blathering, here's the Hijack this goods (including scan log and startup log for completeness). THANK YOU!!! I feel like I'm close to killing this thing for good, and with your help perhaps we can!

I've pasted the Hijackthis log and startup list below!

Logfile of HijackThis v1.97.7
Scan saved at 6:10:13 PM, on 5/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\bloggar\wbloggar.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logon.scr
C:\Documents and Settings\Toby\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (8394abfc1be196a62c9f532511936df7, 37808 bytes)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (skipped, 711168 bytes)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (0fb22dd37c17f80ad71316049f725170, 31744 bytes)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup (47d4d5e2f2b6a78dcd5dbdd8c06677ac, 345661 bytes)
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe (84f0c045f24dae5de54b9aff3450b181, 262144 bytes)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (5d8d50d90cbf3b5cc32100425545394a, 323584 bytes)
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 (15cca68bee2d232166f992a7ae2f8002, 81920 bytes)
O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hotkeycontrol XP\hkcontrol.exe (1178f146097e820b1ed219c646693b52, 348160 bytes)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe (ed85b344e6edc30c1bc57ec1a2a56bf3, 32881 bytes)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (414de7cf9d3f19c3ea902f1bb38ec116, 13312 bytes)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (skipped, 1038336 bytes)
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe (30895afed476666c11470d7311c9ad81, 40960 bytes)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM (file missing)
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM (file missing)
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer\Add_UrlO.htm (file missing)
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer\Add_AllO.htm (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.7208101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

StartupList report, 5/20/2004, 6:10:28 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Toby\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\bloggar\wbloggar.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logon.scr
C:\Documents and Settings\Toby\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Toby\Start Menu\Programs\Startup]
Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
Shortcut to wbloggar.lnk = C:\Program Files\bloggar\wbloggar.exe
Trillian.lnk = C:\Program Files\Trillian\trillian.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup
DataCaching = C:\PROGRA~1\DATACA~1\FLashKsk.exe
nwiz = nwiz.exe /install
DAEMON Tools-1033 = "C:\Program Files\D-Tools\daemon.exe" -lang 1033
Hotkeycontrol = C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\NOSTAL~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\WINDOWS\System32\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.7208101852

[Java Plug-in 1.4.0]
InProcServer32 = C:\Program Files\Java\j2re1.4.0\bin\npjpi140.dll
CODEBASE = http://java.sun.com/products/plugin/1.4/jinstall-14-win.cab

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll
Protocol #24: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Service for Avance AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATI TV Wonder Video Capture: system32\drivers\atibtcap.sys (autostart)
ATI TV Wonder Video Crossbar: system32\drivers\atibtxbr.sys (autostart)
ATI TV Wonder TV Tuner: system32\drivers\ativtutw.sys (autostart)
ATI TV Wonder Audio Crossbar: system32\drivers\ativxstw.sys (autostart)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG6 Kernel: \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys (autostart)
AVG6 Rezident Driver: \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys (autostart)
AVG6 Service: C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
C-Media PCI Audio Driver (WDM): system32\drivers\cmaudio.sys (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
d344bus: System32\DRIVERS\d344bus.sys (system)
d344prt: System32\Drivers\d344prt.sys (system)
Dev_DirectNT: \??\C:\Program Files\Dreaming of Brazil 3b6\directnt.sys (manual start)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
DSDrv4: \??\C:\PROGRA~1\DScaler\DSDrv4.sys (manual start)
DVXCEL Streaming Class Driver: System32\DRIVERS\DVXUSBKS.sys (manual start)
DVXUSBLD: system32\drivers\DVXUSBLD.SYS (manual start)
enodpl: System32\drivers\enodpl.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Hid to Joystick Port Enabler: System32\DRIVERS\hidgame.sys (manual start)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IIS Admin: C:\WINDOWS\System32\inetsrv\inetinfo.exe (disabled)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
mapmem: \??\C:\WINDOWS\System32\Drivers\mapmem.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Sidewinder HID to Joystick Port Enabler: System32\DRIVERS\msgame.sys (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (disabled)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NetGroup Packet Filter Driver: system32\drivers\npf.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NUVision II Audio Service: System32\DRIVERS\nuvaud2.sys (manual start)
NUVision Video Service: System32\DRIVERS\nuvvid2.sys (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nVidia WDM Video Capture (universal): System32\DRIVERS\nvcap.sys (autostart)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
nVidia WDM TVTuner: System32\DRIVERS\nvtunep.sys (autostart)
nVidia WDM TVAudio Crossbar: System32\DRIVERS\nvtvsnd.sys (autostart)
nVidia WDM A/V Crossbar: System32\DRIVERS\NVxbar.sys (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
PGPmemlock: \??\C:\WINDOWS\System32\drivers\PGPmemlock.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Linksys Fast Ethernet PCI Card: System32\DRIVERS\lne100.SYS (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
portio: \??\C:\WINDOWS\System32\Drivers\portio.sys (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (disabled)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Remote Packet Capture Protocol v.0 (experimental): "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (disabled)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (disabled)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SanDisk USB ImageMate/SecureMate Mass Storage Driver: System32\DRIVERS\SDSTOR2K.SYS (manual start)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\System32\inetsrv\inetinfo.exe (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{485B4C9D-B5EF-432F-8632-3F7A53E30B1F} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
tandpl: System32\drivers\tandpl.sys (autostart)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
tvtool: \??\C:\Program Files\TVTool 9.5\tvtool.sys (system)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (disabled)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: System32\DRIVERS\viaidexp.sys (system)
VIAPFD: \SystemRoot\System32\Drivers\VIAPFD.SYS (system)
Virtual PC Application Services: System32\DRIVERS\VPCAppSv.sys (autostart)
Virtual PC Emulated Ethernet Switch Driver: System32\DRIVERS\VPCNetS2.sys (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Wide Web Publishing: %SystemRoot%\System32\inetsrv\inetinfo.exe (disabled)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
X10 Device Network Service: C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Program Files\Spybot - Search & Destroy\is-963V6.tmp => C:\Program Files\Spybot - Search & Destroy\SDHelper.dll||\

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 34,200 bytes
Report generated in 0.131 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Thanks for reading this far, you guys are providing an amazing service, KEEP FIGHTING THE GOOD FIGHT.

Hope you can help.

Unzy · May 21, 2004

Hi

Download the following tool :

http://tools.zerosrealm.com/dllfix.exe

Doubleclick it and install in folder of choice but on the root drive, most likely C:\

1. Run start.bat and press option 1. A search will start

'output.txt' will be created in the folder

2. Copypaste the complete contents of output.txt here please

Thnx

Cheers,

celerityfm · May 21, 2004

Ahhh thank you very much for your help! Here's the output.. when it got to those suspect DLL files AVG popped up again about the trojan horse startpage.4.ao.

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Fri 05/21/2004
08:14 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (F0CC:B2E0) - FS:NTFS clusters:4k
Total: 80 015 491 072 [75G] - Free: 2 704 596 992 [2.5G]

*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q813489;Q330994;Q828750;Q824145;Q832894;Q837009;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:

*PC uptime:
8:14am up 3 days, 12:29
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\ALKELH.DLL +++ File read error
\\?\C:\WINDOWS\System32\ALKELH.DLL +++ File read error

*List of top level windows:
HWND PID PRIO TITLE
100a2 1512 norm TF_FloatingLangBar_WndTitle
490104 656 norm AVG Resident Shield
100a6 1512 norm CiceroUIWndFrame
2b0124 3984 norm SysFader
250412 3748 norm Wilders Security Forums - An appeal to the experts for help, hijack this log in
2011c 3984 norm _Shell_TrayWnd
1101dc 1720 norm Trillian: List Tooltip Entry
16025e 6188 norm DirectDBNotifyWndProc
220232 6188 norm Outlook Express FolderSync Window Class
100226 6188 norm OEStoreCleanupThread
12601d8 6188 norm DirectDBNotifyWndProc
1301fa 6188 norm SysFader
7024e 6188 norm DirectDBNotifyWndProc
4027c 6188 norm DirectDBListenWndProc
13c0222 6188 norm O
100e2 1632 norm MessageWindow
100bc 1632 norm TodoWindow
100b8 1632 norm Rainlendar
10026 680 high NetDDE Agent
100be 1444 Hotkeycontrol XP
5800ae 4256 norm C:\WINDOWS\System32\cmd.exe
110126 3984 norm dllfix
8f035c 3748 norm Wilders Security Forums - Reply to Topic - Avant Browser
10f0150 3748 norm Avant Browser
2b0148 3984 norm DDE Server Window
1a042a 3748 norm MCI command handling window
4004f8 3748 norm IMMIF UI
f902ae 3748 norm DDE Server Window
14020e 6856 norm Start Page - Mozilla Firefox
10168 1720 norm Trillian
100c0 1720 norm Trillian
d0024a 6188 norm Outlook Express
c001b2 6856 norm NetscapeDispatchWnd
a026a 6856 norm XPCOM:EventReceiver
f02a0 6188 norm MCI command handling window
9f031e 6188 norm Identity Mgr Notify
c0254 6188 norm WAB Notification Window
802a2 6188 norm Identity Mgr Notify
501a6 6188 norm Identity Mgr Notify
200fc 528 norm AVG Control Center - FREE Edition
3c02f4 3984 norm DDE Server Window
6003b0 3984 norm MCI command handling window
70044 3984 norm Connections Tray
2008c 3984 norm Power Meter
2008a 3984 norm MS_WebcheckMonitor
2005e 1632 norm Rainlendar control window
1017c 1444 _Static
1009e 1444 Hotkeycontrol XP
20156 1720 norm celerityfm - Console
100b4 1408 norm Virtual DAEMON Manager V3.44
10070 1940 norm NVSVCPMMWindowClass
20074 1388 norm FlashKiosk Application
7d0238 6188 norm Inbox - Outlook Express - Main Identity
40038 3984 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

Hope this helps! Thanks!!

Unzy · May 21, 2004

Ah good job!

This is the culprit :

C:\WINDOWS\System32\ALKELH.DLL

Let's proceed. Follow these instructions :

run start.bat again and choose option 2.

Hit '1' and enter C:\WINDOWS\System32\ALKELH.DLL and proceed

Restart PC after doing so

4. Download and run AdAware : http://www.lavasoft.de/software/adaware/

Update XP and IE at windowsupdate.com

Finally take another hijackthis scan, if you still see the dll entries, fix them one last time

Hope this helps

Cheers,

celerityfm · May 21, 2004

Thank you thank you thank you for followingup with me! I'm hoping we finally killed it but I have a sinking feeling that its not entirely gone yet.

Went ahead and ran start.bat/dllfix option 2 and specified ALKELH.DLL as you described. Rebooted and it ran on startup and finished up. Hit up the latest adaware and it found some CWS registry keys which I cleaned. Then I hit up windows update and grabbed one new update that I didn't have yet and then reran hijackthis.. didn't see anything different from the last time so I reran dllfix and it found the ALKELH.DLL file again (but this time AVG didn't pop up to warn me about it). I reran step 2 and rebooted/etc.

Here are the log files from dllfix and adaware.. what do you think? Are we out of the woods yet? THANKS!!

First run of DLLFIX option 2:
CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Fri 05/21/2004
11:19 AM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully

Deleting temp value

The operation completed successfully

Running from C:\dllfix
Processing File Manually
C:\WINDOWS\system32\ALKELH.DLL
Md5 Check of C:\WINDOWS\system32\ALKELH.DLL

Md5 tested As
File was found but md5 didnt match
MD5 was:
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\system32\ALKELH.DLL>

SetACL finished successfully.
File was zipped for submission to Shadowwar
File is located at C:\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

AdAware log after first run of dllfix:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Friday, May 21, 2004 11:27:33 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R306 19.05.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry

5-21-2004 11:27:33 AM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-21-2004 3:21:13 PM
BasePriority : Normal

#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:21:25 PM
BasePriority : High

#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:21:26 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/23/2001 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:21:26 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/29/2002 8:41:26 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:21:26 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/23/2001 12:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 3:21:26 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/23/2001 12:00:00 PM

#:7 [logonui.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:21:26 PM
BasePriority : Normal
FileSize : 492 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Logon UI
InternalName : LOGONUI
OriginalFilename : LOGONUI.EXE
ProductName : Microsoft
Created on : 2/25/2003 4:18:00 AM
Last accessed : 5/21/2004 3:19:00 PM
Last modified : 8/29/2002 8:41:26 AM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:21:27 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/23/2001 12:00:00 PM

#:9 [avgserv.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ThreadCreationTime : 5-21-2004 3:21:37 PM
BasePriority : Normal
FileSize : 20 KB
FileVersion : 6.0.1.9
ProductVersion : 6.0.1.9
Copyright : Copyright (c) GRISOFT(c) SOFTWARE 1998-2001
CompanyName : GRISOFT(c) SOFTWARE s.r.o
FileDescription : AvgServ - displays notification message
InternalName : AvgServ
OriginalFilename : AvgServ
ProductName : AVG6
Created on : 10/17/2002 11:49:18 AM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 10/17/2002 11:49:18 AM

#:10 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 3:21:37 PM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 6.14.10.4523
ProductVersion : 6.14.10.4523
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 45.23
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 45.23
Created on : 11/23/2003 7:22:28 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 7/28/2003 7:19:00 PM

#:11 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:22:53 PM
BasePriority : High

#:12 [rdpclip.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:23:01 PM
BasePriority : Normal
FileSize : 43 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : RDP Clip Monitor
InternalName : RDPClip
OriginalFilename : RDPClip.exe
ProductName : Microsoft
Created on : 2/25/2003 4:17:45 AM
Last accessed : 5/21/2004 3:19:00 PM
Last modified : 8/29/2002 8:41:28 AM

#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-21-2004 3:23:07 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 2/25/2003 4:18:22 AM
Last accessed : 5/21/2004 3:23:08 PM
Last modified : 8/29/2002 8:41:24 AM

#:14 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:23:19 PM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
OriginalFilename : NOTEPAD.EXE
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:23:19 PM
Last modified : 8/23/2001 12:00:00 PM

#:15 [avgcc32.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ThreadCreationTime : 5-21-2004 3:23:19 PM
BasePriority : Normal
FileSize : 337 KB
FileVersion : 6, 0, 0, 515
ProductVersion : 6, 0, 0, 0
Copyright : Copyright
CompanyName : GRISOFT s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC32
OriginalFilename : AvgCC32.EXE
ProductName : AVG Anti-Virus System
Created on : 9/13/2003 11:54:11 AM
Last accessed : 5/21/2004 3:23:33 PM
Last modified : 9/13/2003 11:54:11 AM

#:16 [flashksk.exe]
FilePath : C:\PROGRA~1\DATACA~1\
ThreadCreationTime : 5-21-2004 3:23:19 PM
BasePriority : Normal
FileSize : 256 KB
FileVersion : V1.16.01
ProductVersion : V1.16.01
Created on : 9/24/2002 2:34:37 AM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 11/29/2001 3:55:00 AM

#:17 [daemon.exe]
FilePath : C:\Program Files\D-Tools\
ThreadCreationTime : 5-21-2004 3:23:19 PM
BasePriority : Normal
FileSize : 80 KB
FileVersion : 3.44.0.0
ProductVersion : 3.44.0.0
Copyright : Copyright (C) 2000-2003
CompanyName : DAEMON'S HOME
FileDescription : Virtual DAEMON Manager
InternalName : DAEMON.EXE
OriginalFilename : daemon.exe
ProductName : DAEMON Tools
Created on : 12/28/2003 1:43:26 AM
Last accessed : 5/21/2004 3:23:20 PM
Last modified : 12/28/2003 1:43:26 AM

#:18 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_03\bin\
ThreadCreationTime : 5-21-2004 3:23:19 PM
BasePriority : Normal
FileSize : 32 KB
Created on : 11/19/2003 9:48:18 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 11/19/2003 9:48:14 PM

#:19 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 3:23:19 PM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 2/25/2003 4:18:13 AM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/29/2002 8:41:22 AM

#:20 [teatimer.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ThreadCreationTime : 5-21-2004 3:23:19 PM
BasePriority : Idle
FileSize : 1014 KB
FileVersion : 1, 3, 0, 12
ProductVersion : 1, 3, 0, 12
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
OriginalFilename : TeaTimer.exe
ProductName : Spybot - Search & Destroy
Created on : 4/14/2004 5:03:00 AM
Last accessed : 5/21/2004 3:23:20 PM
Last modified : 5/12/2004 5:03:00 AM

#:21 [rainlendar.exe]
FilePath : C:\Program Files\Rainlendar\
ThreadCreationTime : 5-21-2004 3:23:20 PM
BasePriority : Normal
FileSize : 40 KB
Created on : 1/28/2004 6:11:30 PM
Last accessed : 5/21/2004 3:23:20 PM
Last modified : 1/28/2004 6:11:30 PM

#:22 [wbloggar.exe]
FilePath : C:\Program Files\bloggar\
ThreadCreationTime : 5-21-2004 3:23:20 PM
BasePriority : Normal
FileSize : 584 KB
FileVersion : 3.03.0165
ProductVersion : 3.03.0165
Copyright : Copyright
CompanyName : RainDrops Freeware Project
FileDescription : w.bloggar - Universal Weblog Interface
InternalName : wbloggar
OriginalFilename : wbloggar.exe
ProductName : w.bloggar
Created on : 7/12/2003 5:41:30 AM
Last accessed : 5/21/2004 3:23:21 PM
Last modified : 12/16/2003 4:48:30 PM

#:23 [trillian.exe]
FilePath : C:\Program Files\Trillian\
ThreadCreationTime : 5-21-2004 3:23:20 PM
BasePriority : Normal
FileSize : 792 KB
FileVersion : 2.0.1.112
ProductVersion : 2.0.1.112
CompanyName : Cerulean Studios
FileDescription : Trillian
InternalName : Trillian
OriginalFilename : Trillian.exe
ProductName : Trillian
Created on : 1/12/2004 4:00:00 AM
Last accessed : 5/21/2004 3:23:50 PM
Last modified : 4/14/2004 11:09:29 PM

#:24 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 5-21-2004 3:27:06 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 7/10/2003 5:04:02 AM
Last accessed : 5/21/2004 3:27:02 PM
Last modified : 7/13/2003 1:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 2

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : toby@2o7[1].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/5/2004 6:06:38 AM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/5/2004 6:06:38 AM

Tracking Cookie Object recognized!
Type : File
Data : toby@ads.addynamix[2].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/6/2004 5:03:27 AM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/6/2004 5:03:27 AM

Tracking Cookie Object recognized!
Type : File
Data : toby@ads.specificpop[1].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/13/2004 3:22:06 AM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/13/2004 3:22:06 AM

Tracking Cookie Object recognized!
Type : File
Data : toby@adserver.phatmax[1].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/5/2004 12:42:31 AM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/5/2004 12:42:31 AM

Tracking Cookie Object recognized!
Type : File
Data : toby@advertising[1].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/21/2004 12:27:51 PM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/21/2004 12:27:51 PM

Tracking Cookie Object recognized!
Type : File
Data : toby@atdmt[2].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/21/2004 12:18:30 PM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/21/2004 12:18:30 PM

Tracking Cookie Object recognized!
Type : File
Data : toby@doubleclick[1].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/21/2004 12:18:47 PM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/21/2004 12:18:49 PM

Tracking Cookie Object recognized!
Type : File
Data : toby@ehg-dig.hitbox[1].txt
Object : C:\Documents and Settings\Toby\Cookies\
FileSize : 1 KB
Created on : 5/21/2004 12:27:35 PM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/21/2004 12:27:35 PM

Tracking Cookie Object recognized!
Type : File
Data : toby@ehg-space.hitbox[1].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/21/2004 12:27:52 PM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/21/2004 12:27:52 PM

Tracking Cookie Object recognized!
Type : File
Data : toby@fastclick[1].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/21/2004 12:27:33 PM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/21/2004 12:27:33 PM

Tracking Cookie Object recognized!
Type : File
Data : toby@hitbox[2].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/21/2004 12:27:35 PM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/21/2004 12:27:52 PM

Tracking Cookie Object recognized!
Type : File
Data : toby@questionmarket[2].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/6/2004 5:03:38 AM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/21/2004 12:27:33 PM

Tracking Cookie Object recognized!
Type : File
Data : toby@realmedia[2].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/10/2004 4:14:41 PM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/10/2004 4:14:41 PM

Tracking Cookie Object recognized!
Type : File
Data : toby@servedby.advertising[1].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/21/2004 12:27:51 PM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/21/2004 12:27:51 PM

Tracking Cookie Object recognized!
Type : File
Data : toby@tribalfusion[1].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/6/2004 5:03:26 AM
Last accessed : 5/21/2004 3:29:14 PM
Last modified : 5/6/2004 5:03:26 AM

Tracking Cookie Object recognized!
Type : File
Data : toby@zedo[1].txt
Object : C:\Documents and Settings\Toby\Cookies\

Created on : 5/21/2004 12:18:40 PM
Last accessed : 5/21/2004 3:29:15 PM
Last modified : 5/21/2004 12:27:29 PM

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 19

11:29:50 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:02:16:767
Objects scanned :51792
Objects identified :19
Objects ignored :0
New objects :19

DLLFIX logfile after SECOND run:
CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Fri 05/21/2004
11:40 AM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully

Deleting temp value

The operation completed successfully

Running from C:\dllfix
Processing File Manually
C:\WINDOWS\system32\ALKELH.DLL
Md5 Check of C:\WINDOWS\system32\ALKELH.DLL

Md5 tested As
File was found but md5 didnt match
MD5 was:
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\system32\ALKELH.DLL>

SetACL finished successfully.
File was zipped for submission to Shadowwar
File is located at C:\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

Adaware logfile after SECOND run:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Friday, May 21, 2004 11:53:25 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R306 19.05.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry

5-21-2004 11:53:25 AM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-21-2004 3:42:23 PM
BasePriority : Normal

#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:42:36 PM
BasePriority : High

#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:42:36 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/23/2001 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:42:36 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/29/2002 8:41:26 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:42:37 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/23/2001 12:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 3:42:37 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/23/2001 12:00:00 PM

#:7 [logonui.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:42:37 PM
BasePriority : Normal
FileSize : 492 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Logon UI
InternalName : LOGONUI
OriginalFilename : LOGONUI.EXE
ProductName : Microsoft
Created on : 2/25/2003 4:18:00 AM
Last accessed : 5/21/2004 3:19:00 PM
Last modified : 8/29/2002 8:41:26 AM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:42:38 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/23/2001 12:00:00 PM

#:9 [avgserv.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ThreadCreationTime : 5-21-2004 3:42:47 PM
BasePriority : Normal
FileSize : 20 KB
FileVersion : 6.0.1.9
ProductVersion : 6.0.1.9
Copyright : Copyright (c) GRISOFT(c) SOFTWARE 1998-2001
CompanyName : GRISOFT(c) SOFTWARE s.r.o
FileDescription : AvgServ - displays notification message
InternalName : AvgServ
OriginalFilename : AvgServ
ProductName : AVG6
Created on : 10/17/2002 11:49:18 AM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 10/17/2002 11:49:18 AM

#:10 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 3:42:47 PM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 6.14.10.4523
ProductVersion : 6.14.10.4523
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 45.23
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 45.23
Created on : 11/23/2003 7:22:28 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 7/28/2003 7:19:00 PM

#:11 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:45:10 PM
BasePriority : High

#:12 [rdpclip.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:45:26 PM
BasePriority : Normal
FileSize : 43 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : RDP Clip Monitor
InternalName : RDPClip
OriginalFilename : RDPClip.exe
ProductName : Microsoft
Created on : 2/25/2003 4:17:45 AM
Last accessed : 5/21/2004 3:19:00 PM
Last modified : 8/29/2002 8:41:28 AM

#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-21-2004 3:45:34 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 2/25/2003 4:18:22 AM
Last accessed : 5/21/2004 3:45:35 PM
Last modified : 8/29/2002 8:41:24 AM

#:14 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:45:44 PM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
OriginalFilename : NOTEPAD.EXE
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 5/21/2004 3:45:45 PM
Last modified : 8/23/2001 12:00:00 PM

#:15 [avgcc32.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ThreadCreationTime : 5-21-2004 3:45:44 PM
BasePriority : Normal
FileSize : 337 KB
FileVersion : 6, 0, 0, 515
ProductVersion : 6, 0, 0, 0
Copyright : Copyright
CompanyName : GRISOFT s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC32
OriginalFilename : AvgCC32.EXE
ProductName : AVG Anti-Virus System
Created on : 9/13/2003 11:54:11 AM
Last accessed : 5/21/2004 3:45:58 PM
Last modified : 9/13/2003 11:54:11 AM

#:16 [flashksk.exe]
FilePath : C:\PROGRA~1\DATACA~1\
ThreadCreationTime : 5-21-2004 3:45:45 PM
BasePriority : Normal
FileSize : 256 KB
FileVersion : V1.16.01
ProductVersion : V1.16.01
Created on : 9/24/2002 2:34:37 AM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 11/29/2001 3:55:00 AM

#:17 [daemon.exe]
FilePath : C:\Program Files\D-Tools\
ThreadCreationTime : 5-21-2004 3:45:45 PM
BasePriority : Normal
FileSize : 80 KB
FileVersion : 3.44.0.0
ProductVersion : 3.44.0.0
Copyright : Copyright (C) 2000-2003
CompanyName : DAEMON'S HOME
FileDescription : Virtual DAEMON Manager
InternalName : DAEMON.EXE
OriginalFilename : daemon.exe
ProductName : DAEMON Tools
Created on : 12/28/2003 1:43:26 AM
Last accessed : 5/21/2004 3:45:49 PM
Last modified : 12/28/2003 1:43:26 AM

#:18 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_03\bin\
ThreadCreationTime : 5-21-2004 3:45:46 PM
BasePriority : Normal
FileSize : 32 KB
Created on : 11/19/2003 9:48:18 PM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 11/19/2003 9:48:14 PM

#:19 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 3:45:46 PM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 2/25/2003 4:18:13 AM
Last accessed : 5/21/2004 3:21:03 PM
Last modified : 8/29/2002 8:41:22 AM

#:20 [teatimer.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ThreadCreationTime : 5-21-2004 3:45:47 PM
BasePriority : Idle
FileSize : 1014 KB
FileVersion : 1, 3, 0, 12
ProductVersion : 1, 3, 0, 12
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
OriginalFilename : TeaTimer.exe
ProductName : Spybot - Search & Destroy
Created on : 4/14/2004 5:03:00 AM
Last accessed : 5/21/2004 3:23:20 PM
Last modified : 5/12/2004 5:03:00 AM

#:21 [rainlendar.exe]
FilePath : C:\Program Files\Rainlendar\
ThreadCreationTime : 5-21-2004 3:45:51 PM
BasePriority : Normal
FileSize : 40 KB
Created on : 1/28/2004 6:11:30 PM
Last accessed : 5/21/2004 3:45:51 PM
Last modified : 1/28/2004 6:11:30 PM

#:22 [wbloggar.exe]
FilePath : C:\Program Files\bloggar\
ThreadCreationTime : 5-21-2004 3:45:51 PM
BasePriority : Normal
FileSize : 584 KB
FileVersion : 3.03.0165
ProductVersion : 3.03.0165
Copyright : Copyright
CompanyName : RainDrops Freeware Project
FileDescription : w.bloggar - Universal Weblog Interface
InternalName : wbloggar
OriginalFilename : wbloggar.exe
ProductName : w.bloggar
Created on : 7/12/2003 5:41:30 AM
Last accessed : 5/21/2004 3:45:51 PM
Last modified : 12/16/2003 4:48:30 PM

#:23 [trillian.exe]
FilePath : C:\Program Files\Trillian\
ThreadCreationTime : 5-21-2004 3:45:51 PM
BasePriority : Normal
FileSize : 792 KB
FileVersion : 2.0.1.112
ProductVersion : 2.0.1.112
CompanyName : Cerulean Studios
FileDescription : Trillian
InternalName : Trillian
OriginalFilename : Trillian.exe
ProductName : Trillian
Created on : 1/12/2004 4:00:00 AM
Last accessed : 5/21/2004 3:46:28 PM
Last modified : 4/14/2004 11:09:29 PM

#:24 [iexplore.exe]
FilePath : C:\Program Files\Avant Browser\
ThreadCreationTime : 5-21-2004 3:46:58 PM
BasePriority : Normal
FileSize : 674 KB
FileVersion : 9.0.2.12
ProductVersion : 9.0
CompanyName : Avant Browser
FileDescription : Avant Browser
ProductName : Avant Browser
Created on : 4/9/2004 4:55:44 PM
Last accessed : 5/21/2004 3:46:58 PM
Last modified : 4/9/2004 4:55:44 PM

#:25 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 5-21-2004 3:48:05 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 7/10/2003 5:04:02 AM
Last accessed : 5/21/2004 3:27:06 PM
Last modified : 7/13/2003 1:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

11:54:36 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:01:11:853
Objects scanned :51622
Objects identified :0
Objects ignored :0
New objects :0

Hopefully this will be good news THANK YOU!

celerityfm · May 21, 2004

One other thing to add-- after doing this I can now launch spyware blaster!

I wonder if thats a sign that things are OK?

(EDIT)Although AdAware just popped AGAIN about that DLL file.. (/EDIT)

Unzy · May 22, 2004

Can you pelase post a fresh HijackThis log, a well as a new output.txt log?

Thnx!

Cheers,

celerityfm · May 22, 2004

No prob man here they are, thanks for the help.

Note: I recently installed April's edition of Autopatcher XP http://www.autopatcher.com , so we've got a few new running processes/etc from last time. Doh!

First HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 9:43:44 AM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\uphclean\uphclean.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\bloggar\wbloggar.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Toby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Toby/My%20Documents/big%20list.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (8394abfc1be196a62c9f532511936df7, 37808 bytes)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (964621e8b2415feaa99026ed4f29d198, 192512 bytes)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (skipped, 744960 bytes)
O3 - Toolbar: Find - {8D029AEC-E412-4948-84B5-699A740946AE} - %SystemRoot%\System32\iefind.dll (file missing) (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (0fb22dd37c17f80ad71316049f725170, 31744 bytes)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup (47d4d5e2f2b6a78dcd5dbdd8c06677ac, 345661 bytes)
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe (84f0c045f24dae5de54b9aff3450b181, 262144 bytes)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (5d8d50d90cbf3b5cc32100425545394a, 323584 bytes)
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 (15cca68bee2d232166f992a7ae2f8002, 81920 bytes)
O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hotkeycontrol XP\hkcontrol.exe (1178f146097e820b1ed219c646693b52, 348160 bytes)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe (d7b9be63c406103ee1405fe473ac0697, 32881 bytes)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe (ebd2ea535fc47d426d0c2fc7c7293534, 45632 bytes)
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe (064805a7893898cbf058086832217771, 86016 bytes)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (414de7cf9d3f19c3ea902f1bb38ec116, 13312 bytes)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (skipped, 1038336 bytes)
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe (30895afed476666c11470d7311c9ad81, 40960 bytes)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer\Add_UrlO.htm (file missing)
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer\Add_AllO.htm (file missing)
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O8 - Extra context menu item: Zoom In - C:\WINDOWS\web\zoomin.htm (8aa6321f74d9c524a89e5fe739ee0691, 450 bytes)
O8 - Extra context menu item: Zoom Out - C:\WINDOWS\web\zoomout.htm (2edded79e18f85e28a604869b77377f4, 450 bytes)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.7208101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Now OUTPUT.TXT from running the DLLFIX START.BAT:

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Sat 05/22/2004
09:43 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (F0CC:B2E0) - FS:NTFS clusters:4k
Total: 80 015 491 072 [75G] - Free: 2 896 121 856 [2.7G]

*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q813489;Q330994;Q828750;Q824145;Q832894;Q837009;Q831167;Q813503;Q824463;Q826940;Q827057;Q837251;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:

*PC uptime:
9:43am up 0 days, 19:21
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\ALKELH.DLL +++ File read error
\\?\C:\WINDOWS\System32\ALKELH.DLL +++ File read error

*List of top level windows:
HWND PID PRIO TITLE
10092 1532 norm TF_FloatingLangBar_WndTitle
10094 1532 norm CiceroUIWndFrame
1bd037e 1148 norm SysFader
4002c 1148 norm _Shell_TrayWnd
16033a 2616 norm Winamp Playlist Editor
1c0360 2616 norm Winamp Library
2a03ba 2616 norm Winamp Video
250320 2616 norm Winamp Equalizer
24030a 2616 norm 16. Chromatique - Numbers - Winamp [Paused]
1a01a6 1804 norm Trillian: List Tooltip Entry
2a01c2 3768 norm DirectDBNotifyWndProc
2301b4 3768 norm Outlook Express FolderSync Window Class
120364 2616 norm Configure FindIt [(c) 1999 by STND, Thorsten Vogel]
4f02d4 2616 norm FindIt [(c) 1999 by STND, Thorsten Vogel]
10026a 3768 norm OEStoreCleanupThread
2b01e6 3768 norm DirectDBNotifyWndProc
30194 3768 norm SysFader
30190 3768 norm DirectDBNotifyWndProc
c028a 3768 norm DirectDBListenWndProc
d003a 3768 norm O
1011a 1632 norm MessageWindow
10118 1632 norm TodoWindow
10114 1632 norm Rainlendar
1008a 1424 Hotkeycontrol XP
1001e 416 high NetDDE Agent
260354 3492 norm C:\WINDOWS\System32\cmd.exe
300288 1148 norm dllfix
170322 1148 norm DDE Server Window
2023e 2080 norm _Static
201fc 2080 norm SpywareGuard
301ee 2080 norm SpywareGuard
10168 1804 norm Trillian
10128 1804 norm Trillian
330344 3644 norm NetscapeDispatchWnd
260292 3644 norm XPCOM:EventReceiver
a03d6 2616 norm DDE Server Window
1701ac 2104 norm XPCOM:EventReceiver
80356 1148 norm MCI command handling window
13022e 3768 norm MCI command handling window
30378 3768 norm Identity Mgr Notify
150304 3768 norm WAB Notification Window
2102a4 3768 norm Identity Mgr Notify
30180 3768 norm Identity Mgr Notify
50164 3768 norm Outlook Express
410254 2088 norm SpywareGuard Brower Hijacking Protection
1c0260 2088 norm SG Browser Hijacking Protection
200e2 1540 idle Tea Timer
100e4 1540 idle Spybot-S&D Resident
10110 1200 norm _Static
1010a 1200 norm :: w.bloggar :: v3.03 ::
10100 1200 norm w.bloggar
20160 1804 norm celerityfm - Console
1015e 1200 norm IMMIF UI
100f6 1632 norm Rainlendar control window
100f8 1148 norm Connections Tray
100ea 1148 norm Power Meter
100ce 1424 _Static
10076 1424 Hotkeycontrol XP
100dc 1148 norm MS_WebcheckMonitor
100cc 1416 norm Virtual DAEMON Manager V3.44
10096 1364 norm AVG Control Center - FREE Edition
10084 1524 norm StartupMonitor
10078 1372 norm FlashKiosk Application
30184 3768 norm Spam - Outlook Express - Main Identity
2402c4 3644 norm Wilders Security Forums - Reply to Topic - Mozilla Firefox
10060 1148 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

Thanks!!!!!

Pieter_Arntz · May 23, 2004

Hi celerityfm,

Delete C:\WINDOWS\System32\ALKELH.DLL from the Recovery Console

How to install and use the Recovery Console in Windows XP

Then boot normally and use AdAware as described here:
https://www.wilderssecurity.com/showthread.php?t=15913
to clean out the rest.

Regards,

Pieter

celerityfm · May 23, 2004

Pieter_Arntz- thanks for the reply!!

Ok, I killed ALKELH.DLL using recovery console as specified, then ran AdAware as specified in the link you sent me.. during the AdAware scan AVG realtime scan started popping up saying it saw more Startpage.4.AO DLL files. I then ran Spybot for good measure as specified on the same page, and again AVG realtime popped up with more Startpage.4.AOs... so I fired up DLLFIX's start.bat and lo and behold, it found ANOTHER DLL file. So I "unlocked it" with option #2, rebooted, it ran second.bat, and then I went into recovery console and deleted THAT file-- THEN I rebooted one more time, ran adaware/spybot and THIS time avg DIDN'T popup! So, I ran a custom filescan of the SYSTEM32 directory and found about 6 or 7 randomly named DLL files that it id'd as Startpage.4.AO and I was able to delete and clean all those files.. seems like it moved into another DLL since I first identified it as ALKELH.DLL. But since I acted so quickly with recovery console I think we finally killed it.

Posting HJT logfile for good measure if you spy anything wrong in that logfile please advise-- I can't find anything bad in it!

Much appreciated!

Logfile of HijackThis v1.97.7
Scan saved at 9:09:07 PM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\uphclean\uphclean.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\bloggar\wbloggar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Avant Browser\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Toby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Toby/My%20Documents/big%20list.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (8394abfc1be196a62c9f532511936df7, 37808 bytes)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (964621e8b2415feaa99026ed4f29d198, 192512 bytes)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (skipped, 744960 bytes)
O3 - Toolbar: Find - {8D029AEC-E412-4948-84B5-699A740946AE} - %SystemRoot%\System32\iefind.dll (file missing) (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (0fb22dd37c17f80ad71316049f725170, 31744 bytes)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup (47d4d5e2f2b6a78dcd5dbdd8c06677ac, 345661 bytes)
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe (84f0c045f24dae5de54b9aff3450b181, 262144 bytes)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (5d8d50d90cbf3b5cc32100425545394a, 323584 bytes)
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 (15cca68bee2d232166f992a7ae2f8002, 81920 bytes)
O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hotkeycontrol XP\hkcontrol.exe (1178f146097e820b1ed219c646693b52, 348160 bytes)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe (d7b9be63c406103ee1405fe473ac0697, 32881 bytes)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe (ebd2ea535fc47d426d0c2fc7c7293534, 45632 bytes)
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe (064805a7893898cbf058086832217771, 86016 bytes)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (414de7cf9d3f19c3ea902f1bb38ec116, 13312 bytes)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (skipped, 1038336 bytes)
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe (30895afed476666c11470d7311c9ad81, 40960 bytes)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer\Add_UrlO.htm (file missing)
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer\Add_AllO.htm (file missing)
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm (4671176065f64336216f8afcf1d3af38, 173 bytes)
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm (02002db952f42b5112b83497e7352b38, 176 bytes)
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm (8cd7b3b6c6dafffa1894f41451632f55, 198 bytes)
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm (826a39186355ad01a9dd5077ed8b8c31, 279 bytes)
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm (83f299af5782dcc0a17fd83e73f9cbeb, 195 bytes)
O8 - Extra context menu item: Zoom In - C:\WINDOWS\web\zoomin.htm (8aa6321f74d9c524a89e5fe739ee0691, 450 bytes)
O8 - Extra context menu item: Zoom Out - C:\WINDOWS\web\zoomout.htm (2edded79e18f85e28a604869b77377f4, 450 bytes)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.7208101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Pieter_Arntz · May 24, 2004

Hi celerityfm,

There are a few lines stating (file missing) in your log. Those are not bad but superfluous, so if you want, you can have those fixed.

Good job,

Pieter

celerityfm · May 24, 2004

Yay! Wonderful!

Great job guys, thank you both so much for your help! And to all the lurkers viewing this message as well, hope it helps someone else in similar circumstances.

Until the next mystery. Ciao.

Log in or Sign up

An appeal to the experts for help, hijack this log included

celerityfm Registered Member

Unzy Registered Member

celerityfm Registered Member

Unzy Registered Member

celerityfm Registered Member

celerityfm Registered Member

Unzy Registered Member

celerityfm Registered Member

Pieter_Arntz Spyware Veteran

celerityfm Registered Member

Pieter_Arntz Spyware Veteran

celerityfm Registered Member

Log in or Sign up

An appeal to the experts for help, hijack this log included

celerityfm Registered Member

Unzy Registered Member

celerityfm Registered Member

Unzy Registered Member

celerityfm Registered Member

celerityfm Registered Member

Unzy Registered Member

celerityfm Registered Member

Pieter_Arntz Spyware Veteran

celerityfm Registered Member

Pieter_Arntz Spyware Veteran

celerityfm Registered Member

Useful Searches