HijackThis log.

Discussion in 'adware, spyware & hijack cleaning' started by helpmeplease, Jun 11, 2004.

  1. helpmeplease

    helpmeplease Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    6
    Ok...I used Ad-aware and Spybot and both programs could not find whatever has taken over my browser.

    The problems are:
    1. Homepage keeps being reset to something other than what I chose.
    2. Something blocks my ability to view certain sites...like "wildersecurity.com" for instance...I guess they know about you guys :) Right now I'm actually writing from a different computer in order to try and fix this thing.
    3. It's controlling what gets written to CD's I create. So it'll write something else instead of the log I'm trying to copy to CD in order to use on another computer.
    4. More weird things are going on...computer is running slower and crashing now, and I'd hate to think that this thing is collecting passwords and other private info. This thing is really screwing with my patience.

    Here is the HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:29:00 PM, on 6/11/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\WINDOWS\System32\HPConfig.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\RadioSvr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
    C:\WINDOWS\essspk.exe
    C:\PROGRA~1\HPONE-~1\OneTouch.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\Common Files\Microsoft Shared\Works
    Shared\wkcalrem.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.hp.com/notebooks/pavilion/e-center
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
    about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {9A52B8B9-5C35-4CCA-9B81-9FA16DEACF21} -
    C:\WINDOWS\System32\klid.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -
    c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
    - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program
    Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program
    Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft
    Money\System\Activation.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program
    Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program
    Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program
    Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
    O4 - HKLM\..\Run: [HP Display Settings] C:\Program
    Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program
    Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft
    Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
    /background
    O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\freescan.exe
    -FastScan
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor]
    C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: CorelCENTRAL 9.lnk = C:\Program Files\Corel\WordPerfect
    Office 2000\programs\ccwin9.exe
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program
    Files\America Online 6.0a\aoltray.exe
    O4 - Global Startup: Corel Colleagues & Contacts Reminders.LNK =
    C:\Program Files\Corel\Print Office\cffrem.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program
    Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program
    Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program
    Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program
    Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif
    Launcher\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF:
    START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38148.3457638889

    In conclusion, HELPMEPLEASE!!!! Thank you.
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Download this file from http://downloads.subratam.org/dllfix.exe .

    Preferably to Desktop. Double-click on it and, it being a self-extractor, it will create its own folder. Run Start.Bat from there. Run Option 1, which is "Run Find-All... ". Let it complete and there will be a pop-up window with a log.
    Post that log here.

    [ Tutorial - http://forums.subratam.org/index.php?showtopic=583 with screenshots for better understanding. Follow up to step 5 ]

    Regards
     
  3. helpmeplease

    Thanks so much for your help! Ok...here is the log that the "dllfix.exe" program created:


    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Sat 06/12/2004
    02:19 AM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "HPNOTEBOOK" (709E:3C03) - FS:NTFS clusters:4k
    Total: 39 950 184 448 [37G] - Free: 25 465 724 928 [24G]


    *IE version and Service packs:
    6.0.2600.0 C:\Program Files\Internet
    Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    8.0.0.4482 C:\Program Files\Windows Media
    Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings



    Locked or 'Suspect' file(s) found...
    These may be other files that Dllfix doesnt target.
    \\?\C:\WINDOWS\System32\MS.DLL +++ File read error
    \\?\C:\WINDOWS\System32\MS.DLL +++ File read error


    Scanning for main Hijacker:
    File found was C:\WINDOWS\System32\KLID.DLL
    Md5 tested As 6BEC672DACE7A386B26DFE9827AE0E30

    known baddies are:
    0758CF635DF08AC381962F74832B6484
    C87354D67A8B9828F483C6F90C496972
    4E24A18F3A557AF479219E47E27B8B59


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects\{9A52B8B9-5C35-4CCA-9B81-9FA16DEACF21}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{1B33DA21-E299-40BA-9667-FF0D619C4DAA}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{1B33DA21-E299-40BA-9667-FF0D619C4DAA}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls REG_SZ

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4
    and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    

    Thanks again. I look forward to your reply.
     
  4. subratam

    Run the start.bat again after the "dll" is found, or if you have not found it. Run option 2 and choose the correct option in the submenu.
    Option 1 --> is if you found the dllname that is locked or in the appinit key.
    Option 2 --> is for if you can't find the dllname.

    It will then perform some routines, then the computer will reboot with a 15 second countdown. After the reboot there will be the scan for the "dll" on-boot screen, which will search and fix it. There will just be an md5 scan if the filename was entered manually. (option 2,1 in start.bat)


    Reboot. Run HijackThis and save the fresh log.

    Post a new Output.txt (option 1 in start.bat ), the logs.txt the fix generated (you will find it automatically being made and found in the dllfix folder) and a fresh HijackThis Log.

    Regards
     
  5. helpmeplease

    Ok. Did everything but the problems are still there. Here are the:
    1. Output.txt file
    2. New HijackThis log
    3. But could not see, find, or locate a "logs.txt" file anywhere, not even in the dllfix folder.

    New Output.txt file:

    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Sat 06/12/2004
    12:37 PM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "HPNOTEBOOK" (709E:3C03) - FS:NTFS clusters:4k
    Total: 39 950 184 448 [37G] - Free: 25 463 910 400 [24G]


    *IE version and Service packs:
    6.0.2600.0 C:\Program Files\Internet
    Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    8.0.0.4482 C:\Program Files\Windows Media
    Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings



    Locked or 'Suspect' file(s) found...
    These may be other files that Dllfix doesnt target.
    * result\\?\C:\WINDOWS\System32\MS.DLL
    * result: not locked...C:\WINDOWS\System32\MS.DLL


    Scanning for main Hijacker:
    File found was C:\WINDOWS\System32\NPF.DLL
    Md5 tested As 6BEC672DACE7A386B26DFE9827AE0E30

    known baddies are:
    0758CF635DF08AC381962F74832B6484
    C87354D67A8B9828F483C6F90C496972
    4E24A18F3A557AF479219E47E27B8B59


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Windows]

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects\{9A52B8B9-5C35-4CCA-9B81-9FA16DEACF21}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{79D31B81-2853-4C3D-8ED2-1AAEB19B4B88}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{79D31B81-2853-4C3D-8ED2-1AAEB19B4B88}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4
    and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Full access HEWLETT-5K1589J\Owner
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
    Full access HEWLETT-5K1589J\Owner


    

    New HijackThis log:

    HijackThis Log2

    Logfile of HijackThis v1.97.7
    Scan saved at 12:30:23 PM, on 6/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
    C:\WINDOWS\essspk.exe
    C:\PROGRA~1\HPONE-~1\OneTouch.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\Common Files\Microsoft Shared\Works
    Shared\wkcalrem.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\WINDOWS\System32\HPConfig.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\RadioSvr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.hp.com/notebooks/pavilion/e-center
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
    about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {9A52B8B9-5C35-4CCA-9B81-9FA16DEACF21} -
    C:\WINDOWS\System32\klid.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -
    c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
    - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program
    Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program
    Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft
    Money\System\Activation.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program
    Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program
    Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program
    Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
    O4 - HKLM\..\Run: [HP Display Settings] C:\Program
    Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program
    Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft
    Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
    /background
    O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\freescan.exe
    -FastScan
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor]
    C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: CorelCENTRAL 9.lnk = C:\Program Files\Corel\WordPerfect
    Office 2000\programs\ccwin9.exe
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program
    Files\America Online 6.0a\aoltray.exe
    O4 - Global Startup: Corel Colleagues & Contacts Reminders.LNK =
    C:\Program Files\Corel\Print Office\cffrem.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program
    Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program
    Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program
    Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program
    Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif
    Launcher\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF:
    START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38148.3457638889
     
  6. helpmeplease

    I used the option for the program to find the "dll" itself, as I was unsure which dll to put in. At the end of it running and replacing a file it said some sort of error and began to repeat that error continuously until I ended the program, and rebooted to follow the rest of your instructions.

    I'm definitely no computer expert, but it seems to me like the problem files are contained somewhere as posted below (found in the HijackThis log). I see things that look as if it is directing Internet Explorer to go to "about:blank" etc. Again, I'm not a computer savvy person but, I just want to know which files are the problems. Apparently, the start.bat program overlooked the problem. Maybe I'm wrong. HELPMEPLEASE!!!!
    By the way, what does "obfuscated" mean, as it relates to computers?

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.hp.com/notebooks/pavilion/e-center
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
    about:blank
     
  7. subratam

    Fix the entries in HijackThis,

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://C:\WINDOWS\System32\klid.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
    about:blank
    O2 - BHO: (no name) - {9A52B8B9-5C35-4CCA-9B81-9FA16DEACF21} -
    C:\WINDOWS\System32\klid.dll

    Reboot in SAFE MODE and Show Hidden Files/Folders and delete if found,

    C:\WINDOWS\System32\klid.dll

    Reboot in normal mode and download CWShredder and do FIX. Let it fix what it finds.

    Reboot in normal mode and post a fresh log

    Regards

    [I will answer your other questions when we are done with the problems, it should be over after this post :) ]
     
  8. helpmeplease

    Ok...followed your instructions and here is the final log as requested:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:56:15 AM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
    C:\WINDOWS\essspk.exe
    C:\PROGRA~1\HPONE-~1\OneTouch.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\Common Files\Microsoft Shared\Works
    Shared\wkcalrem.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\WINDOWS\System32\HPConfig.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\RadioSvr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.hp.com/notebooks/pavilion/e-center
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -
    c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
    - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program
    Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program
    Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft
    Money\System\Activation.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program
    Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program
    Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program
    Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
    O4 - HKLM\..\Run: [HP Display Settings] C:\Program
    Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program
    Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft
    Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
    /background
    O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\freescan.exe
    -FastScan
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor]
    C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: CorelCENTRAL 9.lnk = C:\Program Files\Corel\WordPerfect
    Office 2000\programs\ccwin9.exe
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program
    Files\America Online 6.0a\aoltray.exe
    O4 - Global Startup: Corel Colleagues & Contacts Reminders.LNK =
    C:\Program Files\Corel\Print Office\cffrem.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program
    Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program
    Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program
    Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program
    Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif
    Launcher\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF:
    START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38148.3457638889
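Added example, not part of the original thread: the log above is hard-wrapped, so a single entry can span two lines. This Python sketch rejoins wrapped entries, pulls out the O4 Run-key autoruns, and compares two scans of the same machine. Both sample logs are constructed, reusing a few lines from the log above plus `example.invalid` and `placeholder` values that are assumptions.

```python
import re

# A log entry starts with a section code such as R0, O2 or O4, then " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse(log_text):
    """Return [(code, text)], rejoining hard-wrapped continuation lines."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries:  # continuation of the previous entry
            entries[-1][1] += " " + line
        # lines before the first entry (header, process list) are skipped
    return [tuple(e) for e in entries]

def autoruns(entries):
    """Map (location, name) -> command for O4 Run-key entries only."""
    found = {}
    for code, text in entries:
        m = re.match(r"^(.*?): \[(.*?)\] (.*)$", text) if code == "O4" else None
        if m:
            found[(m.group(1), m.group(2))] = m.group(3)
    return found

def diff(earlier, later):
    """Entries only in the earlier scan, and entries only in the later one."""
    before, after = set(parse(earlier)), set(parse(later))
    return sorted(before - after), sorted(after - before)

# Constructed sample: a few lines from the log above, wrapped the same way.
LATER = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
"""
# Constructed "earlier" scan: placeholder start page and one placeholder autorun.
EARLIER = (LATER.replace("http://www.yahoo.com/", "http://example.invalid/")
           + r"O4 - HKCU\..\Run: [placeholder] C:\placeholder.exe")

if __name__ == "__main__":
    gone, new = diff(EARLIER, LATER)
    for code, text in gone:
        print("only in earlier scan:", code, text)
    for code, text in new:
        print("only in later scan:  ", code, text)
```

A comparison like this shows what changed between two scans; it says nothing about software that never appears in a HijackThis log.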
     
  9. helpmeplease

    helpmeplease Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    6
    I have restarted my computer several times and to my delight, the problems I had before have now been resolved. I haven't tried creating a CD as yet, but I am optimistic as a result of the absence of all the other problems. Ok, question time...

    1. How do I know truly that everything is gone? (I know, always the pessimist.)
    2. Is it safe now to resume logging into email accounts and using my credit cards from the "tainted" computer again?
    3. How do I know if any of my personal information has been transmitted anywhere else already?
    4. I have another computer that had a similar problem before...and I basically erased (system restore) everything on the system except for files (Word docs etc.) in order to stop the problem with the browser hijacker. The question is...could this "trojan...virus..." whatever it is, still be present on my system and lying dormant...transmitting information without my knowledge? I did a HijackThis scan but saw nothing that looked even vaguely similar to the "lines" that I saw on the other computer (the one you just helped me with).

    In closing, let me say (hopefully not prematurely)...I am truly grateful for all that you have done here. You might not consider it to be a big deal but you really saved my life and I will NEVER forget it. You guys truly provide a service of angelic proportions. God bless! THANKS, THANKS, a million times, THANK YOU!
     
  10. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Sorry for the delay :(

    First, nice to hear that your problems got solved :).
    Well, you will know all is OK if you are not having any browser hijacks or suspicious actions and all is running smoothly. Regarding your personal information and passwords, please change them and get new ones immediately, if for nothing else than the sake of safety. Well, for the other computer you can post the HijackThis log, and someone will give their help again for sure.
    Read How did I get infected? to minimise future reinfections by spyware.

    Glad we could help and really nice to see all well.

    Regards
     
Thread Status:
Not open for further replies.