My HJT log

Discussion in 'adware, spyware & hijack cleaning' started by Retired, Apr 20, 2004.

  1. Retired

    Retired Guest

    My system is slammed with .. well I'm not sure what.

    My homepage is "about:blank". My default search is "linklist". My browser keeps misbehaving: resetting toolbars; not allowing me to log in to sites. Notepad.lnk has been redirected to C:\WINDOWS\system32\Actmovie.exe. Other new files on my drive include C:\Program Files\Trustfragaudio\coolloud.exe.

    My HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:26:03 PM, on 4/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WINDOWS\System32\Fast.exe
    C:\WINDOWS\System32\BRMFRSMG.EXE
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\Tp4.exe
    C:\WINDOWS\System32\fast.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Textual\anagram\anagram.exe
    C:\Program Files\WinFax\WFXCTL32.EXE
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\CE Software\QuicKeys\QkEngine.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\KnockOut.exe
    C:\PROGRA~1\CESOFT~1\QuicKeys\QKAPPS~1.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    E:\Downloads\Zone Alarm\zlsSetup_45_594_000.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    E:\Downloads\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {6EE31924-DC72-44A1-936A-3F08D35B61D1} - C:\WINDOWS\System32\macmgba.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [Chotkey] Tp4.exe
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: KnockOut.lnk = C:\Program Files\KnockOut.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: anagram.lnk = C:\Program Files\Textual\anagram\anagram.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuicKeys Engine.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Add To &Restricted Sites - C:\WINDOWS\web\add-restricted.htm
    O8 - Extra context menu item: Add To &Trusted Sites - C:\WINDOWS\web\add-trusted.htm
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Add To Restricted Sites (HKLM)
    O9 - Extra button: Add To Trusted Sites (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O15 - Trusted Zone: *.advent.com
    O15 - Trusted Zone: *.advisorintelligence.com
    O15 - Trusted Zone: *.advisorservices.com
    O15 - Trusted Zone: *.allocationmaster.com
    O15 - Trusted Zone: *.chapura.com
    O15 - Trusted Zone: *.dell.com
    O15 - Trusted Zone: *.dfaus.com
    O15 - Trusted Zone: *.digidesign.com
    O15 - Trusted Zone: *.epocrates.com
    O15 - Trusted Zone: *.financeware.com
    O15 - Trusted Zone: *.financialtrans.com
    O15 - Trusted Zone: *.foremostadvice.com
    O15 - Trusted Zone: *.investordelivery.com
    O15 - Trusted Zone: *.mapquest.com
    O15 - Trusted Zone: *.money-software.com
    O15 - Trusted Zone: *.morningstar.com
    O15 - Trusted Zone: *.nytimes.com
    O15 - Trusted Zone: *.passport.net
    O15 - Trusted Zone: *.pgdc.com
    O15 - Trusted Zone: *.progresscapital.com
    O15 - Trusted Zone: *.proxyvote.com
    O15 - Trusted Zone: *.purehost.com
    O15 - Trusted Zone: *.schmidtfoto.de
    O15 - Trusted Zone: *.symantec.com
    O15 - Trusted Zone: *.thestreet.com
    O15 - Trusted Zone: *.trustednetwork.com
    O15 - Trusted Zone: *.wsj.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {25D9AA40-ED39-11D2-A038-009027078284} (UrlDownloader Class) - https://www1.advisorservices.com/advisorweb/file/urldownloader.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/client/iftwclix.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {6D5BDE27-926E-11D5-8C25-0050DA647546} (VEOSchedulerOCX.VeoScheduler) - https://www1.advisorservices.com/advisorweb/adl/VEOSchedulerOCX.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - https://www1.advisorservices.com/advisorweb/adl/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38072.3035185185
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://advent-support.webex.com/client/latest/support/ieatgpc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FF0F7B6E-D733-11D7-8088-0001024743E4} (veoExpress.ctlVeoExpress) - https://www2.advisorservices.com/AdvisorWeb/ActiveX/veoExpress.CAB
     
  2. puff-m-d

    puff-m-d Registered Member

    Hi Retired,

    Welcome to Wilders.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {6EE31924-DC72-44A1-936A-3F08D35B61D1} - C:\WINDOWS\System32\macmgba.dll

    O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O15 - Trusted Zone: *. <-- Remove any of these that you did not add yourself.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    C:\PROGRA~1\FOLDER~1\ <-- entire folder

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
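    The selection above (search/start-page values redirected into a res:// DLL resource, BHO entries with "(no file)" or pointing at the same DLL, and the O15 Trusted Zone list to review by hand) can be automated. The script below is an added example written for this page; it is not part of the thread and not a HijackThis feature. It parses the "R0/R1/Oxx - ..." line format seen in the logs here, applies its own heuristics (they are this example's, not HijackThis rules), and compares two logs to show what came back after a cleanup. The sample log text is constructed inline from lines excerpted from the logs posted in this thread, so it runs offline.

```python
"""Triage helper for HijackThis v1.9x logs (added example, not from the thread).

Assumptions: the 'Rn - ...' / 'Onn - ...' line format shown in the thread;
the heuristics are this example's own, not HijackThis rules; the sample
logs below are excerpts from the thread's logs, constructed here as test data.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section text")

SECTION_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# res://<path>.dll/<page>.html is the classic "about:blank" search hijack
RES_DLL_RE = re.compile(r"res://([^\s]+?\.dll)/", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def parse_log(text):
    """Return the R/O entries of a HijackThis log as Entry tuples (process list is skipped)."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (reason, entry) pairs for entries this example's heuristics consider suspicious.

    * R0/R1 search or start values that point at res://...dll/...html
    * R0 start page set to about:blank while such a res:// hijack is present
    * O2 BHOs whose DLL is missing ("(no file)", a dangling CLSID)
    * O2 BHOs whose DLL is the one the res:// hijack loads
    """
    hijack_dlls = set()
    for e in entries:
        if e.section in ("R0", "R1"):
            m = RES_DLL_RE.search(e.text)
            if m:
                hijack_dlls.add(m.group(1).lower())
    findings = []
    for e in entries:
        if e.section in ("R0", "R1") and RES_DLL_RE.search(e.text):
            findings.append(("search/start value redirected into a DLL resource", e))
        elif e.section == "R0" and hijack_dlls and e.text.rstrip().endswith("= about:blank"):
            findings.append(("about:blank start page alongside a res:// hijack", e))
        elif e.section == "O2":
            m = BHO_RE.match(e.text)
            if not m:
                continue
            _name, _clsid, path = m.groups()
            if path == "(no file)":
                findings.append(("BHO CLSID registered but DLL missing", e))
            elif path.lower() in hijack_dlls:
                findings.append(("BHO DLL is the res:// hijack DLL", e))
    return findings


def trusted_zones(entries):
    """Domains in the O15 Trusted Zone list, for manual review (remove those you did not add)."""
    return [e.text.split(": ", 1)[1] for e in entries
            if e.section == "O15" and e.text.startswith("Trusted Zone: ")]


def new_entries(before, after):
    """Entries present in `after` but absent from `before`: what came back after a cleanup."""
    seen = set(before)
    return [e for e in after if e not in seen]


# Constructed sample data: lines excerpted from the logs posted in this thread.
LOG_DIRTY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\macmgba.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {6EE31924-DC72-44A1-936A-3F08D35B61D1} - C:\WINDOWS\System32\macmgba.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O15 - Trusted Zone: *.dell.com
"""
LOG_CLEAN = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O15 - Trusted Zone: *.dell.com
"""
LOG_REINFECTED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lpl.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {25C0EB19-3A48-4E2E-A482-2854E02D9D0E} - C:\WINDOWS\System32\lpl.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O15 - Trusted Zone: *.dell.com
"""

if __name__ == "__main__":
    for reason, e in triage(parse_log(LOG_DIRTY)):
        print(f"[{reason}] {e.section} - {e.text}")
    print("Trusted zones to review:", trusted_zones(parse_log(LOG_DIRTY)))
    for e in new_entries(parse_log(LOG_CLEAN), parse_log(LOG_REINFECTED)):
        print(f"[returned after cleanup] {e.section} - {e.text}")
```

    Running it on the constructed samples flags the macmgba.dll search values, the about:blank start page, the two BHO lines, and then shows lpl.dll with a fresh CLSID as the entries that came back; the hijack DLL name and CLSID differ between logs, which is why matching the BHO path against the res:// target is more useful than a fixed name.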
     
  3. retired

    retired Guest

    Thanks for the reply. This is a great service you're providing.

    I did as you suggested with the exception of altering C:\PROGRA~1\FOLDER~1\. This is an explorer plugin called Folderbox.

    I have removed the offending dll several times. It always comes back. Here is the latest "clean" HJT log.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:04:06 AM, on 4/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\BRMFRSMG.EXE
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WINDOWS\System32\Fast.exe
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\Tp4.exe
    C:\WINDOWS\System32\fast.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Textual\anagram\anagram.exe
    C:\Program Files\WinFax\WFXCTL32.EXE
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\CE Software\QuicKeys\QkEngine.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\KnockOut.exe
    C:\PROGRA~1\CESOFT~1\QuicKeys\QKAPPS~1.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    E:\Downloads\HiJack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [Chotkey] Tp4.exe
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: KnockOut.lnk = C:\Program Files\KnockOut.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: anagram.lnk = C:\Program Files\Textual\anagram\anagram.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuicKeys Engine.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Add To &Restricted Sites - C:\WINDOWS\web\add-restricted.htm
    O8 - Extra context menu item: Add To &Trusted Sites - C:\WINDOWS\web\add-trusted.htm
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Add To Restricted Sites (HKLM)
    O9 - Extra button: Add To Trusted Sites (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O15 - Trusted Zone: *.advent.com
    O15 - Trusted Zone: *.advisorintelligence.com
    O15 - Trusted Zone: *.advisorservices.com
    O15 - Trusted Zone: *.allocationmaster.com
    O15 - Trusted Zone: *.chapura.com
    O15 - Trusted Zone: *.dell.com
    O15 - Trusted Zone: *.dfaus.com
    O15 - Trusted Zone: *.digidesign.com
    O15 - Trusted Zone: *.epocrates.com
    O15 - Trusted Zone: *.financeware.com
    O15 - Trusted Zone: *.financialtrans.com
    O15 - Trusted Zone: *.foremostadvice.com
    O15 - Trusted Zone: *.investordelivery.com
    O15 - Trusted Zone: *.mapquest.com
    O15 - Trusted Zone: *.money-software.com
    O15 - Trusted Zone: *.morningstar.com
    O15 - Trusted Zone: *.nytimes.com
    O15 - Trusted Zone: *.passport.net
    O15 - Trusted Zone: *.pgdc.com
    O15 - Trusted Zone: *.progresscapital.com
    O15 - Trusted Zone: *.proxyvote.com
    O15 - Trusted Zone: *.purehost.com
    O15 - Trusted Zone: *.schmidtfoto.de
    O15 - Trusted Zone: *.symantec.com
    O15 - Trusted Zone: *.thestreet.com
    O15 - Trusted Zone: *.trustednetwork.com
    O15 - Trusted Zone: *.wsj.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {25D9AA40-ED39-11D2-A038-009027078284} (UrlDownloader Class) - https://www1.advisorservices.com/advisorweb/file/urldownloader.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/client/iftwclix.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {6D5BDE27-926E-11D5-8C25-0050DA647546} (VEOSchedulerOCX.VeoScheduler) - https://www1.advisorservices.com/advisorweb/adl/VEOSchedulerOCX.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - https://www1.advisorservices.com/advisorweb/adl/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38072.3035185185
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://advent-support.webex.com/client/latest/support/ieatgpc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FF0F7B6E-D733-11D7-8088-0001024743E4} (veoExpress.ctlVeoExpress) - https://www2.advisorservices.com/AdvisorWeb/ActiveX/veoExpress.CAB

    It may help to know that this trojan messed with both Windows Media Player and Notepad. I have replaced both.

    Hopeful,

    Jay
     
  4. retired

    retired Guest

    About:Blank reappeared. Here is my current "dirty" HJT log.

    How this trojan recreates the offending dll is a big mystery.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:46:16 PM, on 4/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\BRMFRSMG.EXE
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WINDOWS\System32\Fast.exe
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\Tp4.exe
    C:\WINDOWS\System32\fast.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Textual\anagram\anagram.exe
    C:\Program Files\WinFax\WFXCTL32.EXE
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\CE Software\QuicKeys\QkEngine.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\KnockOut.exe
    C:\PROGRA~1\CESOFT~1\QuicKeys\QKAPPS~1.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    E:\Downloads\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lpl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lpl.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lpl.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lpl.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lpl.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lpl.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {25C0EB19-3A48-4E2E-A482-2854E02D9D0E} - C:\WINDOWS\System32\lpl.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [Chotkey] Tp4.exe
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: KnockOut.lnk = C:\Program Files\KnockOut.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: anagram.lnk = C:\Program Files\Textual\anagram\anagram.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuicKeys Engine.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Add To &Restricted Sites - C:\WINDOWS\web\add-restricted.htm
    O8 - Extra context menu item: Add To &Trusted Sites - C:\WINDOWS\web\add-trusted.htm
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Add To Restricted Sites (HKLM)
    O9 - Extra button: Add To Trusted Sites (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O15 - Trusted Zone: *.advent.com
    O15 - Trusted Zone: *.advisorintelligence.com
    O15 - Trusted Zone: *.advisorservices.com
    O15 - Trusted Zone: *.allocationmaster.com
    O15 - Trusted Zone: *.chapura.com
    O15 - Trusted Zone: *.dell.com
    O15 - Trusted Zone: *.dfaus.com
    O15 - Trusted Zone: *.digidesign.com
    O15 - Trusted Zone: *.epocrates.com
    O15 - Trusted Zone: *.financeware.com
    O15 - Trusted Zone: *.financialtrans.com
    O15 - Trusted Zone: *.foremostadvice.com
    O15 - Trusted Zone: *.investordelivery.com
    O15 - Trusted Zone: *.mapquest.com
    O15 - Trusted Zone: *.money-software.com
    O15 - Trusted Zone: *.morningstar.com
    O15 - Trusted Zone: *.nytimes.com
    O15 - Trusted Zone: *.passport.net
    O15 - Trusted Zone: *.pgdc.com
    O15 - Trusted Zone: *.progresscapital.com
    O15 - Trusted Zone: *.proxyvote.com
    O15 - Trusted Zone: *.purehost.com
    O15 - Trusted Zone: *.schmidtfoto.de
    O15 - Trusted Zone: *.symantec.com
    O15 - Trusted Zone: *.thestreet.com
    O15 - Trusted Zone: *.trustednetwork.com
    O15 - Trusted Zone: *.wsj.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {25D9AA40-ED39-11D2-A038-009027078284} (UrlDownloader Class) - https://www1.advisorservices.com/advisorweb/file/urldownloader.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/client/iftwclix.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {6D5BDE27-926E-11D5-8C25-0050DA647546} (VEOSchedulerOCX.VeoScheduler) - https://www1.advisorservices.com/advisorweb/adl/VEOSchedulerOCX.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - https://www1.advisorservices.com/advisorweb/adl/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38072.3035185185
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://advent-support.webex.com/client/latest/support/ieatgpc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FF0F7B6E-D733-11D7-8088-0001024743E4} (veoExpress.ctlVeoExpress) - https://www2.advisorservices.com/AdvisorWeb/ActiveX/veoExpress.CAB
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi retired,

    Download this file: http://tools.zerosrealm.com/pv.zip and unzip it to the desktop. It will not work if you run it from inside the zip.
    Be sure to have one Internet Explorer window open, then double-click on the runme.bat.
    When you double-click runme.bat you will get a screen with a few options. Please select option 1 for Explorer DLLs by typing 1 and then pressing Enter.
    The txt file that gets made then is the one we need.

    Regards,

    Pieter
     
  6. Retired

    Retired Guest

    Here is the log from Runme.bat. One note, the current offending DLL is pnb.dll, and get this, according to PrcView, it is not loaded in Explorer. It is loaded in Norton AntiVirus!
     
  7. Retired

    Retired Guest

    The log won't post. Too many signatures error.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I would still like to see the log if you don't mind.
    Below the posting screen put a checkmark in Disable smilies in text.
    Then the error should not come up.

    Regards,

    Pieter
     
  9. Retired

    Retired Guest

    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1015808 C:\WINDOWS\Explorer.EXE 6.00.2800.1106 (xpsp1.020828-1920) Windows Explorer
    ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
    kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
    GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
    USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
    SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
    SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll
    ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
    SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
    UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    iphlpapi.dll 76d60000 94208 C:\WINDOWS\System32\iphlpapi.dll 5.1.2600.2 (xpsp1.020828-1920) IP Helper API
    WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    themeui.dll 559e0000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Theme API
    MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
    USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
    netapi32.dll 71c20000 319488 C:\WINDOWS\System32\netapi32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
    SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
    browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
    GGTASK~1.DLL 27230000 196608 C:\PROGRA~1\Google\GGTASK~1.DLL 0, 5, 81, 0 Google Deskbar
    WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32
    CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
    asycfilt.dll 708f0000 77824 C:\WINDOWS\System32\asycfilt.dll 3.50.5014
    urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
    msi.dll 2370000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
    SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
    LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
    ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell extensions for sharing
    ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    RASAPI32.dll 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
    rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
    TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    TP4DLL.dll 1c000000 28672 C:\WINDOWS\TP4DLL.dll 0, 9, 0, 0 TP4DLL
    WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
    webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2800.1106 (xpsp1.020828-1920) Web Site Monitor
    stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Systray shell service object
    BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
    WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
    MSH_ZWF.dll 61220000 73728 C:\Program Files\Microsoft Hardware\Mouse\MSH_ZWF.dll 4.10.0851.0 Microsoft IntelliPoint
    WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
    rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
    MessageHook.dll 60040000 36864 C:\Program Files\Textual\anagram\MessageHook.dll 1.4 Message Hook Handler
     
    Last edited by a moderator: Apr 22, 2004
  10. Retired

    Retired Guest

    POINT32.dll 61210000 61440 C:\Program Files\Microsoft Hardware\Mouse\POINT32.dll 4.10.0851.0 Microsoft IntelliPoint
    wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
    midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
    NETSHELL.dll 75cf0000 1642496 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.1106 (xpsp1.020828-1920) Network Connections Shell
    credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Credential Manager User Interface
    QKSysHk.dll 10000000 28672 C:\Program Files\CE Software\QuicKeys\QKSysHk.dll 2.5 QkSysHook DLL
    shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
    printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL
    WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
    ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
    adsldpc.dll 76e10000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP Provider C DLL
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
    MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
    QkTxtHk.dll a40000 57344 C:\Program Files\CE Software\QuicKeys\QkTxtHk.dll 2.5 QkTextShortcutHook DLL
    SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
    drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
    WfxSeh32.Dll 21670000 53248 C:\Program Files\WinFax\WfxSeh32.Dll 9.00.98.0727 Shell extension for ACT phonebook integration DLL
    comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
    FOLDER~1.DLL 2db0000 1138688 C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
    olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft (R) OLE Property Support DLL
    DUSER.dll 6c1b0000 278528 C:\WINDOWS\System32\DUSER.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows DirectUser Engine
    MSGINA.dll 75970000 991232 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL
    ODBC32.dll 5630000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
    odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
    sti.dll 73ba0000 73728 C:\WINDOWS\System32\sti.dll 5.1.2600.1106 (xpsp1.020828-1920) Still Image Devices client DLL
    mstask.dll 735d0000 258048 C:\WINDOWS\System32\mstask.dll 5.1.2600.1106 (xpsp1.020828-1920) Task Scheduler interface DLL
    sfc_os.dll 76c60000 167936 C:\WINDOWS\System32\sfc_os.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows File Protection
    KeyboardHook.dll 60000000 40960 C:\Program Files\Textual\anagram\KeyboardHook.dll 1.7 Keyboard Hook Handler
    AcroIEHelper.dll 2920000 45056 C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
    pnb.dll 2930000 53248 C:\WINDOWS\System32\pnb.dll
    NavShExt.dll 2940000 106496 C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll 8.07.17 Norton AntiVirusNAVShellExt Module
    MSVCP60.dll 55900000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
    msohev.dll 325c0000 73728 C:\Program Files\Microsoft Office\OFFICE11\msohev.dll 11.0.5510 Microsoft Office 2003 component
    shgina.dll 73d70000 73728 C:\WINDOWS\System32\shgina.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Shell User Logon
    wiashext.dll 5a500000 577536 C:\WINDOWS\System32\wiashext.dll 5.1.2600.0 (XPClient.010817-1148) Imaging Devices Shell Folder UI
    gdiplus.dll 70d00000 1708032 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\gdiplus.dll 5.1.3101.0 (xpsp1.020828-1920) Microsoft GDI+
    occache.dll 5f050000 98304 C:\WINDOWS\System32\occache.dll 6.00.2600.0000 (xpclient.010817-1148) Object Control Viewer
    netcfgx.dll 755f0000 593920 C:\WINDOWS\System32\netcfgx.dll 5.1.2600.1106 (xpsp1.020828-1920) Network Configuration Objects
    CLUSAPI.dll 55560000 69632 C:\WINDOWS\System32\CLUSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Cluster API Library
    DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
    asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
    MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
    wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
    ScrTrust.dll 2630000 53248 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrTrust.dll 1, 1, 0, 126 ScriptBlocking Trust Verifier
    MCPS.DLL 36d30000 102400 C:\PROGRA~1\MICROS~3\OFFICE11\MCPS.DLL 11.0.5510 Media Catalog Proxy/Stub
     
    Last edited by a moderator: Apr 22, 2004
  11. Retired

    Retired Guest

    I had to split it into two posts. Even with no icons and smilies disabled it gave me the same error. We'll save that problem for another time.

    Thanks in advance,

    Jay
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    It's a "too many images" issue because some of the character sequences are turned into smilies.

    FYI - You can get around this by checking the option below the message posting box to: "disable smilies in text"
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Retired,

    Something strange is going on here:
    Can you send this file to pieterATwilderssecurity.org (replace AT with @):
    C:\WINDOWS\System32\pnb.dll

    Regards,

    Pieter
     
  14. Retired

    Retired Guest

    OK, I tried what you suggested via email, but "it" came back. Am now following instructions as posted on CWS Variants page.

    Find.bat log:
    C:\WINDOWS\System32\CTLCC.DLL +++ File read error

    Windows Key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"=""
    "AppInit_DLLs1"=""

    BHO Key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBE59AF5-EE22-4A3A-AB26-3F774D1B4216}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7C946E0-E765-47E5-B8CE-A4692D500CDB}]

    Filter Key:
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{3FED1538-D864-444A-9B5B-F4E10008548A}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{3FED1538-D864-444A-9B5B-F4E10008548A}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
    "CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

    Logfile of HijackThis v1.97.7
    Scan saved at 12:19:43 PM, on 4/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\BRMFRSMG.EXE
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WINDOWS\System32\Fast.exe
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\Tp4.exe
    C:\WINDOWS\System32\fast.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Textual\anagram\anagram.exe
    C:\Program Files\WinFax\WFXCTL32.EXE
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\CE Software\QuicKeys\QkEngine.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\KnockOut.exe
    C:\PROGRA~1\CESOFT~1\QuicKeys\QKAPPS~1.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    E:\Downloads\HiJack This\PRCView\PrcView.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\WINDOWS\system32\dllcache\notepad.exe
    E:\Downloads\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pdladg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pdladg.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pdladg.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pdladg.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pdladg.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pdladg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [Chotkey] Tp4.exe
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: KnockOut.lnk = C:\Program Files\KnockOut.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: anagram.lnk = C:\Program Files\Textual\anagram\anagram.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuicKeys Engine.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Add To &Restricted Sites - C:\WINDOWS\web\add-restricted.htm
    O8 - Extra context menu item: Add To &Trusted Sites - C:\WINDOWS\web\add-trusted.htm
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Add To Restricted Sites (HKLM)
    O9 - Extra button: Add To Trusted Sites (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O15 - Trusted Zone: *.advent.com
    O15 - Trusted Zone: *.advisorintelligence.com
    O15 - Trusted Zone: *.advisorservices.com
    O15 - Trusted Zone: *.allocationmaster.com
    O15 - Trusted Zone: *.chapura.com
    O15 - Trusted Zone: *.dell.com
    O15 - Trusted Zone: *.dfaus.com
    O15 - Trusted Zone: *.digidesign.com
    O15 - Trusted Zone: *.epocrates.com
    O15 - Trusted Zone: *.financeware.com
    O15 - Trusted Zone: *.financialtrans.com
    O15 - Trusted Zone: *.foremostadvice.com
    O15 - Trusted Zone: *.investordelivery.com
    O15 - Trusted Zone: *.mapquest.com
    O15 - Trusted Zone: *.money-software.com
    O15 - Trusted Zone: *.morningstar.com
    O15 - Trusted Zone: *.nytimes.com
    O15 - Trusted Zone: *.passport.net
    O15 - Trusted Zone: *.pgdc.com
    O15 - Trusted Zone: *.progresscapital.com
    O15 - Trusted Zone: *.proxyvote.com
    O15 - Trusted Zone: *.purehost.com
    O15 - Trusted Zone: *.schmidtfoto.de
    O15 - Trusted Zone: *.symantec.com
    O15 - Trusted Zone: *.thestreet.com
    O15 - Trusted Zone: *.trustednetwork.com
    O15 - Trusted Zone: *.webcrd.com
    O15 - Trusted Zone: *.wsj.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {25D9AA40-ED39-11D2-A038-009027078284} (UrlDownloader Class) - https://www1.advisorservices.com/advisorweb/file/urldownloader.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/client/iftwclix.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {6D5BDE27-926E-11D5-8C25-0050DA647546} (VEOSchedulerOCX.VeoScheduler) - https://www1.advisorservices.com/advisorweb/adl/VEOSchedulerOCX.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - https://www1.advisorservices.com/advisorweb/adl/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38072.3035185185
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://advent-support.webex.com/client/latest/support/ieatgpc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FF0F7B6E-D733-11D7-8088-0001024743E4} (veoExpress.ctlVeoExpress) - https://www2.advisorservices.com/AdvisorWeb/ActiveX/veoExpress.CAB
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Retired,

    First run runme.bat in the pv folder again and choose option 7.

    Then download TheKillbox from here: http://download.broadbandmedic.com/VbStuff/KillBox.zip

    Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\CTLCC.DLL

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

    Run AdAware as described here: https://www.wilderssecurity.com/showthread.php?t=15913

    Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Regards,

    Pieter
     
  16. Retired

    Retired Guest

    I tried what you suggested but About:Blank came back.

    I also tried the manual remove instructions at https://www.wilderssecurity.com/showthread.php?t=28658. It is not clear to me what this refers to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
    CLSID\{ the identified CLSID is here }< <- search for clsid via ctrl+f and F3

    What is the "identified CLSID"?

    Thanks in advance,

    Jay
     
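As an added example (not code from this thread, from HijackThis or from any of the tools mentioned here), the following Python script does the triage a helper would do by hand over the registry export in post 14 and answers the question in post 16 about the "identified CLSID": it parses the Find.bat-style export, lists the pluggable MIME filters under HKCR\PROTOCOLS\Filter, flags any registered for text/html or text/plain (a stock XP SP1 / IE6 install registers no filter for those types, so a filter there is the first thing to look at), lists the BHO CLSIDs with their friendly names where present, pulls the res:// DLL targets out of the R0/R1 lines, and builds the HKLM\SOFTWARE\Classes\CLSID\{...}\InprocServer32 path whose default value names the DLL behind a CLSID. The sample inputs are constructed from lines posted above and trimmed; all function names are mine.

```python
import re

# Constructed sample input: a few lines copied from the HijackThis log and the
# registry export posted earlier in this thread, trimmed to what the demo needs.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pdladg.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pdladg.dll/sp.html (obfuscated)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
"""

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7C946E0-E765-47E5-B8CE-A4692D500CDB}]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{3FED1538-D864-444A-9B5B-F4E10008548A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{3FED1538-D864-444A-9B5B-F4E10008548A}"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RES_DLL_RE = re.compile(r"res://([^/]+\.dll)", re.IGNORECASE)

FILTER_PREFIX = "HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\"
BHO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
              "\\Explorer\\Browser Helper Objects\\")
# A stock XP SP1 / IE6 install registers no pluggable MIME filter for these
# types; a filter here sits in the render path of every page IE displays.
HIJACK_PRONE_MIME = {"text/html", "text/plain"}


def parse_reg_export(text):
    """Parse a .reg-style export into {key_path: {value_name: data}}; '@' is the default value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) or m.group(2)
            keys[current][name] = m.group(3).strip('"')
    return keys


def mime_filters(keys):
    """Return {mime_type: CLSID} for every subkey of HKCR\\PROTOCOLS\\Filter that names a CLSID."""
    out = {}
    for path, values in keys.items():
        if path.startswith(FILTER_PREFIX) and "CLSID" in values:
            out[path[len(FILTER_PREFIX):]] = values["CLSID"].upper()
    return out


def suspicious_filters(keys):
    """Filters registered for MIME types IE6 on XP does not filter by default."""
    return {m: c for m, c in mime_filters(keys).items() if m in HIJACK_PRONE_MIME}


def bho_entries(keys):
    """Return {CLSID: friendly name or None} from the Browser Helper Objects key."""
    out = {}
    for path, values in keys.items():
        if path.startswith(BHO_PREFIX):
            g = GUID_RE.search(path)
            if g:
                out[g.group(0).upper()] = values.get("@")
    return out


def res_hijacks(hjt_text):
    """(IE setting, DLL path) for each R0/R1 line whose target is a res:// URL into a DLL."""
    hits = []
    for line in hjt_text.splitlines():
        if not line.startswith(("R0 ", "R1 ")):
            continue
        lhs, _, rhs = line.partition(" = ")
        m = RES_DLL_RE.search(rhs)
        if m:
            hits.append((lhs.split(" - ", 1)[1], m.group(1)))
    return hits


def inproc_server_key(clsid):
    """Registry key whose default value names the DLL that implements a CLSID."""
    return "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\%s\\InprocServer32" % clsid.upper()


def triage(hjt_text, reg_text):
    """Collect the findings a helper would ask about first, plus the keys to read next."""
    keys = parse_reg_export(reg_text)
    bad = suspicious_filters(keys)
    return {
        "res_hijacks": res_hijacks(hjt_text),
        "suspicious_filters": bad,
        "bhos": bho_entries(keys),
        "lookup_next": [inproc_server_key(c) for c in sorted(set(bad.values()))],
    }


if __name__ == "__main__":
    for section, finding in triage(SAMPLE_HJT, SAMPLE_REG).items():
        print(section, finding)
```

The "lookup_next" entries are the keys to export next: their default value is the DLL the filter loads, which is what the manual-removal instructions mean by the identified CLSID, and it is the same DLL family the R1 lines point at.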