Hijack this log: Please help

Hi guys
Please help. i have About:Blank hijacking my IE browser & about a million popups advertising spyware when i try & use the Aol one.
I have run Ad aware & it found 15 objects which I have deleted ( I have done this several times but the problems are still there). About:Blank is still my homepage. After running Adaware I have rebooted & ran Hijack this; here is the log file:

Logfile of HijackThis v1.97.7
Scan saved at 17:22:50, on 14/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\AOL 9.0b\aoltray.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e-plus.cc/search.php?aff_id=46&keyword=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69346623-6D48-4BCA-B84E-B1174AF09C03} - C:\WINDOWS\System32\ijjo.dll
O2 - BHO: (no name) - {8B60BD99-A737-41D6-9266-9207D007726C} - C:\WINDOWS\System32\nha.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm


How bad is this. and how easy to cure as I am a novice at this sort of thing.
I found your website on a search. i hope you can help me?
thanks
Adam

 

Hello Adam Reece,

Download this file from
http://downloads.subratam.org/dllfix.exe

The file when downloaded will be dllfix.exe
Double-Click or Open the self-extracting file. It will ask for installation and change location. Please Keep it on the Desktop.

Navigate to the folder with the contents of the file. You will see there are two more folders inside and two BAT files.

Run start.bat

Run the Option 1. for report.
Once the search is complete a ".txt" file should pop up with the name "Output.txt". Keep it and post it here.

 

Thanks Taz
Here it is:
--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

14/06/2004
17:47

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "HDD" (F43B:4664) - FS:NTFS clusters:4k
Total: 75 746 603 008 [71G] - Free: 68 369 268 736 [64G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;



Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.


Scanning for main Hijacker:
File found was C:\WINDOWS\System32\IJJO.DLL
Md5 tested As CA622322E1433720EA3979F27D03A83B

known baddies are:
0758CF635DF08AC381962F74832B6484
C87354D67A8B9828F483C6F90C496972
4E24A18F3A557AF479219E47E27B8B59


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69346623-6D48-4BCA-B84E-B1174AF09C03}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B60BD99-A737-41D6-9266-9207D007726C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{3F4D54BA-7BE6-4FE9-B3BC-DFAC34AD0580}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{3F4D54BA-7BE6-4FE9-B3BC-DFAC34AD0580}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

 

Taz
Anything you can help me with on this one?
I've no Idea how to get rid of the problem
You guys are my only hope!

 

Hello,

Run the start.bat again. This time select option 2. Now select option 1. It will ask you to enter full name and hit enter, so here is the file name:

C:\WINDOWS\System32\IJJO.DLL <<<< Hit enter after typing this in.

Reboot. There will be a scan on reboot. When done follow the next steps:

Reboot and Download Adaware. Check for updates. Then click on Scan.

Reboot and run HJT again and post a new log along with a new output.txt file (option 1 in start.bat ). I would also like you to post the logs.txt the fix generated (you will find it automatically being made and found in the dllfix folder).

 

Thanks Taz
I have done half of that, but ran out of time & had to come to work.
I have done the System32 bit. I included the <<<< bit, is that correct?
When I rebooted I saw no scan, it did take a bit longer to boot up. Does it scan in the background?
I have also done the Adaware scan & it found 8 items. do you need the log file from this? I have saved it.
When I get home I will finish off what you have requested.
Thanks again for your help I cant tell you how much I appreciate this.
I entered the same logs on the Webuser forum & they said it would be difficult to correct as it had the 'nasty' HomeOLDSP in it.
That scared me.

 

Hi Taz
Ok I have done all of that & here are the logs. In the order you requested(HiJack, output log & the fix log)

Logfile of HijackThis v1.97.7
Scan saved at 17:57:33, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\AOL 9.0b\aoltray.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e-plus.cc/search.php?aff_id=46&keyword=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69346623-6D48-4BCA-B84E-B1174AF09C03} - C:\WINDOWS\System32\ijjo.dll
O2 - BHO: (no name) - {8B60BD99-A737-41D6-9266-9207D007726C} - C:\WINDOWS\System32\nha.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

Output Log:

--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

15/06/2004
18:03

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "HDD" (F43B:4664) - FS:NTFS clusters:4k
Total: 75 746 603 008 [71G] - Free: 68 311 793 664 [64G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;



Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.


Scanning for main Hijacker:
File found was C:\WINDOWS\System32\IJJO.DLL
Md5 tested As CA622322E1433720EA3979F27D03A83B

known baddies are:
0758CF635DF08AC381962F74832B6484
C87354D67A8B9828F483C6F90C496972
4E24A18F3A557AF479219E47E27B8B59


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69346623-6D48-4BCA-B84E-B1174AF09C03}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B60BD99-A737-41D6-9266-9207D007726C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{6DE15D12-E7E9-4F56-B95B-27C3814CDEB2}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{6DE15D12-E7E9-4F56-B95B-27C3814CDEB2}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




Fix Log:

CWSDLL/Searchx Appinit Fix By Shadowwar
Version 3.01 060504
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
15/06/2004
17:23

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Deleting Filter text
Running from C:\Documents and Settings\Adam\Desktop\dllfix
Scanning for Locked File
If this repeats 4 times than you may have another
Locked File not related to About:blank Hijack
Scanning For main hijacker.
Found Main Hijacker Dll:C:\WINDOWS\System32\IJJO.DLL
Md5 tested As CA622322E1433720EA3979F27D03A83B
Processing File Manually
C:\WINDOWS\system32\IJJO.DLL
Md5 Check of C:\WINDOWS\system32\IJJO.DLL

Md5 tested As CA622322E1433720EA3979F27D03A83B
File was found but md5 didnt match
MD5 was: CA622322E1433720EA3979F27D03A83B
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\system32\IJJO.DLL>

SetACL finished successfully.
File was zipped for submission to Shadowwar
File is located at C:\Documents and Settings\Adam\Desktop\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully
-----------------------------------------------

Taz, Hope this is of some help. Popups & About:Blank are still there at the moment.

 

Taz, this is quite difficult when we are in different time zones!
I have faith in you though.
Hope you can help.

 

Hello,

Now, run HJT again with all browsers closed and check these items and then on Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ijjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e-plus.cc/search.php?aff_id=46&keyword=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html

O2 - BHO: (no name) - {69346623-6D48-4BCA-B84E-B1174AF09C03} - C:\WINDOWS\System32\ijjo.dll
O2 - BHO: (no name) - {8B60BD99-A737-41D6-9266-9207D007726C} - C:\WINDOWS\System32\nha.dll (file missing)


Reboot and run HJT again and post a new log here.

 

Thanks Taz, Here's the new log: (ps. what time is it where you are?)
I can't express how much I appreciate this help.

Logfile of HijackThis v1.97.7
Scan saved at 23:06:43, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\AOL 9.0b\aoltray.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

What Next?

 

Hello,

If you look at the time when you posted your last post it was 5:11pm by me.


Run Hijackthis again and check this one and Fix:

O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe

Reboot into safe mode again and find and delete this file:

C:\WINDOWS\winh.exe

Reboot.

Post a new log here.

 

Thanks Taz
Here you go:

Logfile of HijackThis v1.97.7
Scan saved at 08:19:03, on 16/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

I found winh.exe-ob7bb774.pf & deleted it.

 

Taz
Anything else I need to do?

 

Hello Adam,

Log looks good to me.

Here is a link for you to go to that will give you suggestions on how to keep your computer safe:
https://www.wilderssecurity.com/showthread.php?t=27971

Happy Surfing!

 

Ok Thanks Taz, You have been A great help.