

Messages - Wain

1
Tech Clinic / Hiddendll =( please help
« on: March 10, 2005, 01:33:23 PM »
Hiya, things are looking much better, thanks for all your time and support!
Don't think I could have found any place that would help me with this problem and have enough patience, not to mention the easy step-by-step instructions you gave.

once again thanks!

Wain

2
Tech Clinic / Hiddendll =( please help
« on: March 08, 2005, 10:57:51 AM »
Bingo... C:\WINDOWS\System32\mso.dll was found in the value field for AppInit_DLLs.

Also here is the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 15:56:34, on 08/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Registrar Lite\rl.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8EBC1800-447F-48DA-B7E9-8DEEF4137FC9} - C:\WINDOWS\system32\ddlcoia.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Wallpaper Changer] C:\Program Files\BGCWPV7\BGCWPV7.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O18 - Filter: text/html - {722F1EB0-A691-4C2B-A52B-D7E0C52A86E9} - C:\WINDOWS\system32\ddlcoia.dll
O18 - Filter: text/plain - {722F1EB0-A691-4C2B-A52B-D7E0C52A86E9} - C:\WINDOWS\system32\ddlcoia.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: SDPAUMS server service (SDPASVC) -  Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

3
Tech Clinic / Hiddendll =( please help
« on: March 07, 2005, 01:58:28 PM »
Heh, spyware strikes again. It really does seem we did not manage to get rid of the evil; however, it is the old one, the mso.dll, as the webpage is the same search engine.

4
Tech Clinic / Hiddendll =( please help
« on: March 07, 2005, 11:26:45 AM »
Heya, I tried to look for C:\WINDOWS\SYSTEM32\mso.dll, but it wasn't there, so I downloaded Reg Lite, entered the command line in the address bar, pushed Go, and there was no "AppInit_DLLs" value in the right-hand panel.

The only things that came up were:

Current Version   Key
Help              Key
HTML Help         Key
IT Storage        Key
Shell             Key
(default)         Value

5
Tech Clinic / Hiddendll =( please help
« on: March 06, 2005, 07:10:53 PM »
Oops, that's not all the logs; here is the DLLCompare log you requested too.

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\mso.dll        Sat 29 May 2004  23:13:52   A...R         57,344    56.00 K
________________________________________________

1,399 items found:  1,399 files, 0 directories.
Total of file sizes:  293,569,503 bytes    279.97 M

Administrator Account =  True

--------------------End log---------------------

6
Tech Clinic / Hiddendll =( please help
« on: March 06, 2005, 07:08:17 PM »
Hi, really appreciate you using your own time to help me out. I have done exactly what you said and here are the logs:

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2

process: winlogon.exe, thread: 000002D0 (terminated)
process: services.exe, thread: 00000314 (terminated)
process: lsass.exe, thread: 00000318 (terminated)
process: ati2evxx.exe, thread: 000003D0 (terminated)
process: svchost.exe, thread: 000003F0 (terminated)
process: svchost.exe, thread: 0000043C (terminated)
process: svchost.exe, thread: 00000468 (terminated)
process: svchost.exe, thread: 00000564 (terminated)
process: svchost.exe, thread: 0000058C (terminated)
process: spoolsv.exe, thread: 00000680 (terminated)
process: wbload.exe, thread: 00000728 (terminated)
process: ati2evxx.exe, thread: 0000018C (terminated)
process: explorer.exe, thread: 000001F4 (terminated)
process: mnmsrvc.exe, thread: 000004D0 (terminated)
process: SMax4.exe, thread: 00000560 (terminated)
process: realsched.exe, thread: 0000055C (terminated)
process: qttask.exe, thread: 000005AC (terminated)
process: LogiTray.exe, thread: 0000016C (terminated)
process: winampa.exe, thread: 000005E0 (terminated)
process: jusched.exe, thread: 00000704 (terminated)
process: atiptaxx.exe, thread: 00000710 (terminated)
process: rundll32.exe, thread: 0000074C (terminated)
process: OSA.EXE, thread: 00000740 (terminated)
process: sdpasvc.exe, thread: 000004AC (terminated)
process: rundll32.exe, thread: 00000238 (terminated)
process: SMAgent.exe, thread: 00000494 (terminated)
process: svchost.exe, thread: 000005D8 (terminated)
process: LVComS.exe, thread: 00000824 (terminated)
process: alg.exe, thread: 00000A78 (terminated)
process: wscntfy.exe, thread: 00000BB0 (terminated)
process: Steam.exe, thread: 00000D60 (terminated)
process: wuauclt.exe, thread: 000009E0 (terminated)
process: FxAgentB.exe, thread: 00000E24 (terminated)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs (value set to "")

C:\System Volume Information: (not scanned)
E:\System Volume Information: (not scanned)

Backdoor.Agent.B has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 106285
The number of deleted files: 0
The number of viral processes terminated: 0
The number of viral threads terminated: 33
The number of registry entries fixed: 1

Logfile of HijackThis v1.99.1
Scan saved at 23:59:58, on 06/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Wallpaper Changer] C:\Program Files\BGCWPV7\BGCWPV7.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: SDPAUMS server service (SDPASVC) -  Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

StartDreck (build 2.1.7 public stable) - 2005-03-07 @ 00:02:36 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Wain at WAIN

»Registry
 »Run Keys
  »Current User
   »Run
    *msnmsgr="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    *Internet Download Accelerator=C:\Program Files\IDA\ida.exe -autorun
    *Steam=
   »RunOnce
  »Default User
   »Run
    *CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
   »RunOnce
  »Local Machine
   »Run
    *SoundMax="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
    *TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    *Wallpaper Changer=C:\Program Files\BGCWPV7\BGCWPV7.exe
    *QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
    *LogitechVideoRepair=C:\Program Files\Logitech\Video\ISStart.exe
    *LogitechVideoTray=C:\Program Files\Logitech\Video\LogiTray.exe
    *WinampAgent=C:\Program Files\Winamp\winampa.exe
    *Zone Labs Client=C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    *SunJavaUpdateSched=C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    *ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *Installed=1
      *NoChange=1
     +MAPI
      *Installed=1
      *NoChange=1
   »RunOnce
    *!CleanupNetMeetingDispDriver="C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
   »RunServices
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »File Associations (CR)
  +.bat
   *batfile="%1" %*
  +.com
   *comfile="%1" %*
  +.exe
   *exefile="%1" %*
  +.hta
   *htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
  +.htm
   *htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  +.html
   *htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  +.js
   *JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.jse
   *JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.pif
   *piffile="%1" %*
  +.reg
   *regfile=regedit.exe "%1"
  +.scr
   *scrfile="%1" /S
  +.txt
   *txtfile=Notepad.exe %1
  +.vbs
   *VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.vbe
   *VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsh
   *WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsf
   *WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.lnk
   `lnkfile= [key or value does not exist]
 »Browser Helper Objects (LM)
  *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   `InprocServer32=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  *Jccatch.IeCatch2.1/{A5366673-E8CA-11D3-9CD9-0090271D075B}
   `InprocServer32=C:\PROGRA~1\FlashGet\jccatch.dll
»Files
 »Autostart Folders
  »Current User
   *C:\Documents and Settings\Wain\Start Menu\Programs\Startup\desktop.ini
   *C:\Documents and Settings\Wain\Start Menu\Programs\Startup\Office Startup.lnk
   *C:\Documents and Settings\Wain\Start Menu\Programs\Startup\Xfire.lnk
  »Default User
   *C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
  »Local Machine
   *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
 »INI-Files
  »WIN.INI\[windows]
   *LOAD=
   *RUN=
  »SYSTEM.INI\[boot]
   *SHELL=Explorer.exe
 »Text Files
  *C:\boot.ini
  *C:\msdos.sys
  *C:\config.sys
  *C:\WINDOWS\system32\config.nt
  *C:\autoexec.bat
  *C:\WINDOWS\system32\autoexec.nt
  *C:\WINDOWS\wininit.ini
  *C:\WINDOWS\system32\drivers\etc\hosts
»System/Drivers
 »Running Processes
  +0=<idle>
  +4=<system>
  +456=\SystemRoot\System32\smss.exe
  +504=\??\C:\WINDOWS\system32\csrss.exe
  +528=\??\C:\WINDOWS\system32\winlogon.exe
  +576=C:\WINDOWS\system32\services.exe
  +588=C:\WINDOWS\system32\lsass.exe
  +768=C:\WINDOWS\system32\Ati2evxx.exe
  +796=C:\WINDOWS\system32\svchost.exe
  +900=C:\WINDOWS\system32\svchost.exe
  +944=C:\WINDOWS\System32\svchost.exe
  +1000=C:\WINDOWS\System32\svchost.exe
  +1092=C:\WINDOWS\System32\svchost.exe
  +1276=C:\WINDOWS\system32\spoolsv.exe
  +1404=C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
  +1528=C:\WINDOWS\System32\mnmsrvc.exe
  +1704=C:\WINDOWS\system32\Ati2evxx.exe
  +1808=C:\WINDOWS\Explorer.EXE
  +1880=C:\WINDOWS\system32\rundll32.exe
  +1904=C:\WINDOWS\System32\sdpasvc.exe
  +1940=C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  +2012=C:\WINDOWS\System32\svchost.exe
  +124=C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  +192=C:\Program Files\Analog Devices\SoundMAX\smax4.exe
  +208=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  +216=C:\Program Files\QuickTime\qttask.exe
  +264=C:\Program Files\Logitech\Video\LogiTray.exe
  +272=C:\Program Files\Winamp\winampa.exe
  +280=C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
  +292=C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
  +308=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  +324=C:\Program Files\MSN Messenger\msnmsgr.exe
  +404=C:\Program Files\Microsoft Office\Office\OSA.EXE
  +1804=C:\WINDOWS\System32\alg.exe
  +2176=C:\WINDOWS\system32\wscntfy.exe
  +2240=C:\WINDOWS\System32\LVComS.exe
  +2432=C:\WINDOWS\system32\wuauclt.exe
  +2508=C:\WINDOWS\system32\wuauclt.exe
  +2956=C:\PROGRA~1\WINZIP\winzip32.exe
  +3012=C:\unzipped\startdreck\StartDreck.exe
 »NT Services
  *Alerter   Alerter   -   disabled
  *Application Layer Gateway Service   ALG   running   on demand
  *Application Management   AppMgmt   -   on demand
  *ASP.NET State Service   aspnet_state   -   on demand
  *Ati HotKey Poller   Ati HotKey Poller   running   auto
  *ATI Smart   ATI Smart   -   auto
  *Windows Audio   AudioSrv   running   auto
  *Background Intelligent Transfer Service   BITS   -   on demand
  *Computer Browser   Browser   running   auto
  *Indexing Service   cisvc   -   on demand
  *ClipBook   ClipSrv   -   disabled
  *COM+ System Application   COMSysApp   -   on demand
  *Cryptographic Services   CryptSvc   running   auto
  *DCOM Server Process Launcher   DcomLaunch   running   auto
  *DefWatch   DefWatch   -   auto
  *DHCP Client   Dhcp   running   auto
  *Logical Disk Manager Administrative Service   dmadmin   -   on demand
  *Logical Disk Manager   dmserver   running   auto
  *DNS Client   Dnscache   running   auto
  *Error Reporting Service   ERSvc   running   auto
  *Event Log   Eventlog   running   auto
  *COM+ Event System   EventSystem   running   on demand
  *Fast User Switching Compatibility   FastUserSwitchingCom   -   on demand
  *Help and Support   helpsvc   running   auto
  *Human Interface Device Access   HidServ   -   disabled
  *HTTP SSL   HTTPFilter   -   on demand
  *IMAPI CD-Burning COM Service   ImapiService   -   on demand
  *Server   lanmanserver   running   auto
  *Workstation   lanmanworkstation   running   auto
  *TCP/IP NetBIOS Helper   LmHosts   running   auto
  *Messenger   Messenger   -   disabled
  *NetMeeting Remote Desktop Sharing   mnmsrvc   paused   auto
  *Distributed Transaction Coordinator   MSDTC   -   on demand
  *Windows Installer   MSIServer   -   on demand
  *Network DDE   NetDDE   -   disabled
  *Network DDE DSDM   NetDDEdsdm   -   disabled
  *Net Logon   Netlogon   -   on demand
  *Network Connections   Netman   running   on demand
  *Network Location Awareness (NLA)   Nla   running   on demand
  *Symantec AntiVirus Client   Norton AntiVirus Ser   -   auto
  *NT LM Security Support Provider   NtLmSsp   -   on demand
  *Removable Storage   NtmsSvc   -   on demand
  *Plug and Play   PlugPlay   running   auto
  *IPSEC Services   PolicyAgent   running   auto
  *Protected Storage   ProtectedStorage   running   auto
  *Remote Access Auto Connection Manager   RasAuto   -   on demand
  *Remote Access Connection Manager   RasMan   running   on demand
  *Remote Desktop Help Session Manager   RDSessMgr   -   on demand
  *Routing and Remote Access   RemoteAccess   -   disabled
  *Remote Registry   RemoteRegistry   running   auto
  *Remote Procedure Call (RPC) Locator   RpcLocator   -   on demand
  *Remote Procedure Call (RPC)   RpcSs   running   auto
  *QoS RSVP   RSVP   -   on demand
  *Security Accounts Manager   SamSs   running   auto
  *Smart Card   SCardSvr   -   on demand
  *Task Scheduler   Schedule   running   auto
  *SDPAUMS server service   SDPASVC   running   auto
  *Secondary Logon   seclogon   running   auto
  *System Event Notification   SENS   running   auto
  *Windows Firewall/Internet Connection Sharing (ICS)   SharedAccess   running   auto
  *Shell Hardware Detection   ShellHWDetection   running   auto
  *Symantec Network Drivers Service   SNDSrvc   -   on demand
  *SoundMAX Agent Service   SoundMAX Agent Servi   running   auto
  *Print Spooler   Spooler   running   auto
  *System Restore Service   srservice   -   auto
  *SSDP Discovery Service   SSDPSRV   running   on demand
  *Windows Image Acquisition (WIA)   stisvc   running   auto
  *MS Software Shadow Copy Provider   SwPrv   -   on demand
  *Performance Logs and Alerts   SysmonLog   -   on demand
  *Telephony   TapiSrv   running   on demand
  *Terminal Services   TermService   running   on demand
  *Themes   Themes   running   auto
  *Telnet   TlntSvr   -   on demand
  *Distributed Link Tracking Client   TrkWks   running   auto
  *Universal Plug and Play Device Host   upnphost   -   on demand
  *Uninterruptible Power Supply   UPS   -   on demand
  *TrueVector Internet Monitor   vsmon   running   auto
  *Volume Shadow Copy   VSS   -   on demand
  *Windows Time   W32Time   running   auto
  *WebClient   WebClient   running   auto
  *Windows Management Instrumentation   winmgmt   running   auto
  *Portable Media Serial Number Service   WmdmPmSN   -   on demand
  *Windows Management Instrumentation Driver Extensions   Wmi   -   on demand
  *WMI Performance Adapter   WmiApSrv   -   on demand
  *Security Center   wscsvc   running   auto
  *Automatic Updates   wuauserv   running   auto
  *Wireless Zero Configuration   WZCSVC   running   auto
  *Network Provisioning Service   xmlprov   -   on demand
»Application specific


And that's all the logs. Once again, thank you so so much. IE is back to normal so far; not sure on the pop-ups, but I'll let you know how it goes!

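The three HijackThis scans in this thread (5, 6 and 8 March) show the same hijacker coming back under new file names and CLSIDs: the "(no name)" BHO was camf.dll on the 5th and ddlcoia.dll on the 8th, while the `[sp] rundll32 ...\Temp\se.dll,DllInstall` Run entry and the `res://...se.dll/sp.html` search page stayed constant, and Registrar Lite found mso.dll in AppInit_DLLs (a DLL listed there is mapped into every process that loads user32.dll, which is consistent with the Symantec tool above having to terminate a thread in each running process). The script below is an added example written for this page; it is not part of HijackThis, CWShredder, DLLCompare or any other tool named in the thread. It applies those patterns as triage rules to HijackThis log lines and compares two scans by rule rather than by file name, so a reinstall with fresh random names still shows up as "persisting". The sample lines are copied from the logs posted in this thread; the `O20 - AppInit_DLLs: mso.dll` line is constructed to mirror the Registrar Lite finding (HijackThis reports that value under O20), and the rules are heuristics tuned to this infection, not a general-purpose detector.

```python
"""Triage HijackThis 1.99 log lines for the persistence pattern seen in this
thread, and compare two scans in a way that survives renamed DLLs and CLSIDs.

Added example for this page; not code from HijackThis or any tool in the thread.
Sample lines are copied from the posted 5, 6 and 8 March logs; the O20
AppInit_DLLs line is constructed to mirror what Registrar Lite showed."""
from __future__ import annotations

import re
from typing import Iterator, NamedTuple


class Finding(NamedTuple):
    code: str    # HijackThis section, e.g. "O4"
    reason: str  # why the entry is suspicious
    line: str    # the original log line


HJT_LINE = re.compile(r"^(R\d|O\d+|F\d) - (.*)$")
# A DLL under a per-user Temp directory (LOCALS~1\Temp\se.dll in the logs).
TEMP_DLL = re.compile(r"\\Temp\\[^\\\s]+\.dll", re.I)
# A DLL sitting directly in system32, where the hijacker dropped its BHO/filter.
SYSTEM32_DLL = re.compile(r"\\system32\\\w+\.dll$", re.I)


def parse(log: str) -> Iterator[tuple[str, str, str]]:
    """Yield (section code, body, raw line) for each HijackThis entry."""
    for raw in log.splitlines():
        raw = raw.strip()
        m = HJT_LINE.match(raw)
        if m:
            yield m.group(1), m.group(2), raw


def triage(log: str) -> list[Finding]:
    """Apply the rules that describe this thread's infection to one log."""
    findings: list[Finding] = []
    for code, body, raw in parse(log):
        if code in ("R0", "R1") and "res://" in body and TEMP_DLL.search(body):
            findings.append(Finding(code, "IE page served as a resource of a DLL in Temp", raw))
        elif code == "O4" and "rundll32" in body.lower() and TEMP_DLL.search(body):
            findings.append(Finding(code, "autostart re-registers a DLL from Temp via rundll32", raw))
        elif code == "O2" and "(no name)" in body and SYSTEM32_DLL.search(body):
            findings.append(Finding(code, "nameless BHO loaded from system32", raw))
        elif code == "O18" and re.match(r"Filter: text/(html|plain)", body):
            findings.append(Finding(code, "MIME filter on text/html or text/plain (can rewrite every page IE renders)", raw))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(Finding(code, "AppInit_DLLs set (DLL mapped into every process that loads user32.dll)", raw))
    return findings


def signature(f: Finding) -> tuple[str, str]:
    """Identity of a finding without the file name or CLSID, which the hijacker
    changes on each reinstall (camf.dll became ddlcoia.dll between scans)."""
    return (f.code, f.reason)


def compare(before: str, after: str) -> dict[str, list[tuple[str, str]]]:
    """Report which suspicious patterns were removed, persisted, or are new."""
    b = {signature(f) for f in triage(before)}
    a = {signature(f) for f in triage(after)}
    return {"removed": sorted(b - a), "persisting": sorted(a & b), "new": sorted(a - b)}


# Sample lines copied from the 5 March log (first post in the thread).
LOG_0305 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://216.131.84.26/search.php?q=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9749CF35-EAE2-4C62-91A7-ECDA9FDC9097} - C:\WINDOWS\system32\camf.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll,DllInstall
"""

# Sample lines copied from the 6 March log, taken right after the removal tool ran.
LOG_0306 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

# Sample lines copied from the 8 March log (reinfected); the O20 line is constructed.
LOG_0308 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: (no name) - {8EBC1800-447F-48DA-B7E9-8DEEF4137FC9} - C:\WINDOWS\system32\ddlcoia.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {722F1EB0-A691-4C2B-A52B-D7E0C52A86E9} - C:\WINDOWS\system32\ddlcoia.dll
O18 - Filter: text/plain - {722F1EB0-A691-4C2B-A52B-D7E0C52A86E9} - C:\WINDOWS\system32\ddlcoia.dll
O20 - AppInit_DLLs: mso.dll
"""

if __name__ == "__main__":
    for name, log in (("05/03", LOG_0305), ("06/03", LOG_0306), ("08/03", LOG_0308)):
        print(f"{name}: {len(triage(log))} suspicious entries")
        for f in triage(log):
            print(f"  {f.code}: {f.reason}")
    print(compare(LOG_0305, LOG_0308))
```

Run against the three samples, the 6 March log yields no findings (its RunOnce entry also uses rundll32, but on msconf.dll rather than a DLL in Temp, so the rule stays quiet), while comparing the 5 March and 8 March logs reports the R1, O2 and O4 patterns as persisting despite the BHO's new name and CLSID, with the O18 filters and the AppInit_DLLs entry as new. A triage that matched on camf.dll or on the old CLSID would have reported the BHO as removed.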
7
Tech Clinic / Hiddendll =( please help
« on: March 06, 2005, 12:12:54 PM »
Hey, thanks for the reply, here is the log from the scan:

C:\WINDOWS\SYSTEM32\mso.dll        Sat 29 May 2004  23:13:52   A...R         57,344    56.00 K
________________________________________________

1,400 items found:  1,400 files, 0 directories.
Total of file sizes:  293,609,439 bytes    280.00 M

Administrator Account =  True

--------------------End log---------------------

8
Tech Clinic / Hiddendll =( please help
« on: March 05, 2005, 07:30:08 AM »
Sorry, forgot to mention that recently it has been bringing up pop-ups every 10-15 minutes, even when there are no browsers open.

9
Tech Clinic / Hiddendll =( please help
« on: March 05, 2005, 07:28:22 AM »
Hi all, for the past months I have put up with a spyware which has infected my IE. Previously I had tried to remove it via Regedit, spyware removers etc., but it kept coming back: the search engine "search the web". I have been reading some previous posts of people who had the same kind of problem and I'm glad to see they have got theirs sorted out, but now it is my turn to plead for any advice or help. I scanned my computer with CWShredder and CWS.Hiddendll appears; it says it has fixed it but the usual... when you restart you hope it's gone but it's not. It reappears again once I scan after the restart. If anyone could help me out I'd be really grateful; here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:27:17, on 05/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\j2re1.4.2_01\bin\javaw.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://216.131.84.26/search.php?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9749CF35-EAE2-4C62-91A7-ECDA9FDC9097} - C:\WINDOWS\system32\camf.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Wallpaper Changer] C:\Program Files\BGCWPV7\BGCWPV7.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EC..._1027_EN_XP.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O18 - Filter: text/html - {3CE2AF69-31D5-47AE-A6F3-86A26F6ECF39} - C:\WINDOWS\system32\camf.dll
O18 - Filter: text/plain - {3CE2AF69-31D5-47AE-A6F3-86A26F6ECF39} - C:\WINDOWS\system32\camf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: SDPAUMS server service (SDPASVC) -  Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe