HijackThis log.

Ok...I used Ad-aware and Spybot and both programs could not find whatever has taken over my browser.

The problems are:
1. Homepage keeps being reset to something other than what I chose.
2. Something blocks my ability to view certain sites...like "wildersecurity.com" for instance...I guess they know about you guys Right now I'm actually writing from a different computer in order to try and fix this thing.
3. It's controlling what gets written to CD's I create. So it'll write something else instead of the log I'm trying to copy to CD in order to use on another computer.
4. More weird things are going on...computer is running slower and crashing now, and I'd hate to think that this thing is collecting passwords and other private info. This thing is really screwing with my patience.

Here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 5:29:00 PM, on 6/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\WINDOWS\essspk.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\wkcalrem.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.hp.com/notebooks/pavilion/e-center
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9A52B8B9-5C35-4CCA-9B81-9FA16DEACF21} -
C:\WINDOWS\System32\klid.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -
c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program
Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program
Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft
Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program
Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program
Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [HP Display Settings] C:\Program
Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program
Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft
Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\freescan.exe
-FastScan
O4 - HKCU\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: CorelCENTRAL 9.lnk = C:\Program Files\Corel\WordPerfect
Office 2000\programs\ccwin9.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program
Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: Corel Colleagues & Contacts Reminders.LNK =
C:\Program Files\Corel\Print Office\cffrem.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program
Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program
Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program
Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program
Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif
Launcher\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF:
START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38148.3457638889

In conclusion, HELPMEPLEASE!!!! Thank you.

 

Download this file from http://downloads.subratam.org/dllfix.exe .

Preferably to Desktop. Double click on it and it being a self -extractor, will create its own folder. Run Start.Bat from there. Run Option 1. which is "Run Find-All... ". Let it complete and there will be a pop-up window with a log.
Post that log here.

[ Tutorial - http://forums.subratam.org/index.php?showtopic=583 with screenshots for better understanding. Follow upto step 5 ]

Regards

 

Thanks so much for your help! Ok...here is the log that the "dllfix.exe" program created:


--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Sat 06/12/2004
02:19 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "HPNOTEBOOK" (709E:3C03) - FS:NTFS clusters:4k
Total: 39 950 184 448 [37G] - Free: 25 465 724 928 [24G]


*IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet
Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
8.0.0.4482 C:\Program Files\Windows Media
Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings



Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error


Scanning for main Hijacker:
File found was C:\WINDOWS\System32\KLID.DLL
Md5 tested As 6BEC672DACE7A386B26DFE9827AE0E30

known baddies are:
0758CF635DF08AC381962F74832B6484
C87354D67A8B9828F483C6F90C496972
4E24A18F3A557AF479219E47E27B8B59


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{9A52B8B9-5C35-4CCA-9B81-9FA16DEACF21}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{1B33DA21-E299-40BA-9667-FF0D619C4DAA}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{1B33DA21-E299-40BA-9667-FF0D619C4DAA}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4
and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




Thanks again. I look forward to your reply.

 

Run the start.bat again after the "dll" is found or if you have not found it..Run option 2 and choose correct option in submenu.
Option 1 -- > is if you found the dllname that is locked or in the appinit key.
Option 2 -- > is for if you can't find the dllname.

It will then perform some routines, then the Computer will reboot with a 15 second countdown. After the reboot there will be the scan for the " dll " on-boot screen, which will search and fix it.There will just be a md5 scan if the filename was entered manually. (option 2,1 in start.bat)


Reboot. Run HijackThis and save the fresh log.

Post a new Output.txt (option 1 in start.bat ), the logs.txt the fix generated (you will find it automatically being made and found in the dllfix folder) and a fresh HijackThis Log.

Regards

 

Ok. Did everything but the problems are still there. Here are the:
1. Output.txt file
2. New HijackThis log
3. But could not see, find, or locate a "logs.txt" file anywhere, not even in the dllfix folder.

New Output.txt file:

--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Sat 06/12/2004
12:37 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "HPNOTEBOOK" (709E:3C03) - FS:NTFS clusters:4k
Total: 39 950 184 448 [37G] - Free: 25 463 910 400 [24G]


*IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet
Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
8.0.0.4482 C:\Program Files\Windows Media
Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings



Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
* result\\?\C:\WINDOWS\System32\MS.DLL
* result: not locked...C:\WINDOWS\System32\MS.DLL


Scanning for main Hijacker:
File found was C:\WINDOWS\System32\NPF.DLL
Md5 tested As 6BEC672DACE7A386B26DFE9827AE0E30

known baddies are:
0758CF635DF08AC381962F74832B6484
C87354D67A8B9828F483C6F90C496972
4E24A18F3A557AF479219E47E27B8B59


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{9A52B8B9-5C35-4CCA-9B81-9FA16DEACF21}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{79D31B81-2853-4C3D-8ED2-1AAEB19B4B88}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{79D31B81-2853-4C3D-8ED2-1AAEB19B4B88}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4
and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access HEWLETT-5K1589J\Owner
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access HEWLETT-5K1589J\Owner




New HijackThis log:

HijackThis Log2

Logfile of HijackThis v1.97.7
Scan saved at 12:30:23 PM, on 6/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\WINDOWS\essspk.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\wkcalrem.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\klid.dll/sp.html

(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.hp.com/notebooks/pavilion/e-center
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\klid.dll/sp.html

(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat

5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9A52B8B9-5C35-4CCA-9B81-9FA16DEACF21} -
C:\WINDOWS\System32\klid.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -
c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program
Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program
Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft
Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program
Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program
Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [HP Display Settings] C:\Program
Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program
Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft
Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\freescan.exe
-FastScan
O4 - HKCU\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: CorelCENTRAL 9.lnk = C:\Program Files\Corel\WordPerfect
Office 2000\programs\ccwin9.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program
Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: Corel Colleagues & Contacts Reminders.LNK =
C:\Program Files\Corel\Print Office\cffrem.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program
Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program
Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program
Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program
Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif
Launcher\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF:
START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38148.3457638889

 

I used the option for the program to find the "dll" itself, as I was unsure which dll to put in. At the end of it running and replace a file it said some sort of error and began to repeat that error continously until I ended the program, and rebooted to follow the rest of your instructions.

I'm definitely no computer expert, but it seems to me like the problem files are contained somewhere as posted below (found in the HijackThis log). I see things that look as if it is directing Internet Explorer to go to "about:blank" etc. Again, I'm not a computer savvy person but, I just want to know which files are the problems. Apparently, the start.bat program overlooked the problem. Maybe I'm wrong. HELPMEPLEASE!!!!
By the way, what does "obfuscated" mean, as it relates to computers?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\klid.dll/sp.html

(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.hp.com/notebooks/pavilion/e-center
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\klid.dll/sp.html

(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank

 

Fix the entries in HijackThis,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\klid.dll/sp.html

(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\klid.dll/sp.html

(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
O2 - BHO: (no name) - {9A52B8B9-5C35-4CCA-9B81-9FA16DEACF21} -
C:\WINDOWS\System32\klid.dll

Reboot in SAFE MODE and Show Hidden Files/Folders and delete if found,

C:\WINDOWS\System32\klid.dll

Reboot in normal mode and download CWShredder and do FIX. Let it fix what it finds.

Reboot in normal mode and post a fresh log

Regards

[I will answer your other questions when we are done with the problems, it should be over after this post ]

 

Ok...followed your instructions and here is the final log as requested:

Logfile of HijackThis v1.97.7
Scan saved at 2:56:15 AM, on 6/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\WINDOWS\essspk.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\wkcalrem.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.hp.com/notebooks/pavilion/e-center
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -
c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program
Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program
Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft
Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program
Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program
Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [HP Display Settings] C:\Program
Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program
Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft
Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\freescan.exe
-FastScan
O4 - HKCU\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: CorelCENTRAL 9.lnk = C:\Program Files\Corel\WordPerfect
Office 2000\programs\ccwin9.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program
Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: Corel Colleagues & Contacts Reminders.LNK =
C:\Program Files\Corel\Print Office\cffrem.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program
Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program
Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program
Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program
Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif
Launcher\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF:
START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38148.3457638889

 

I have restarted my computer several times and to my delight, the problems I had before have now been resolved. I haven't tried creating a CD as yet, but I am optimistic as a result of the absence of all the other problems. Ok, question time...

1. How do I know truly that everything is gone? (I know, always the pessimist.)
2. Is it safe now to resume logging into email accounts and using my credit cards from the "tainted" computer again?
3. How do I know if any of my personal information has been transmitted anywhere else already?
4. I have another computer that had a similar problem before...and I basically erased (system restore) everything on the system except for files (Word doc's etc.) in order to stop the problem with the browser hijacker. The question is...could this "trojan...virus..." whatever it is, still be present on my system and laying dormant...transmitting information without my knowledge? I did a HijackThis scan but saw nothing that looked even vaguely similar to the "lines" that I saw on the other computer (the one you just helped me with).

In closing, let me say (hopefully not prematurely)...I am truly grateful for all that you have done here. You might not consider it to be a big deal but you really saved my life and I will NEVER forget it. You guys truly provide a service of angelic proportions. God bless! THANKS, THANKS, a million times, THANK YOU!

 

Sorry for the delay

First nice to hear that your problems got solved .
Well, you will know all is ok, if you are not having any browser hijacks or suspicious actions, all running smooth.Regarding your personal informations and passwords, please change and get new ones immediately, for nothing but cause of safety. Well, for another computer you can post the hijackthis log, and someone will give their help again for sure.
Read How did I get infected? to minimise future reinfections by spywares.

Glad we could help and really nice to see all well.

Regards