Author Topic: Hiddendll =( please help (Read 2698 times)

Wain · « **on:** March 05, 2005, 07:28:22 AM »

Hi all, for the past months i have put up with a spyware which has infected my IE, previously i had tried to remove it via Regedit, spyware removals etc but it kept coming back the search engine "search the web". I have been reading some previous posts of people who had the same kind of problem and im glad to see they have got theirs sorted out but now it is my turn to plead for any advice or help. I scanned my computer with CWSherdder and CWS.Hiddendll appears, it says it had fixed it but the usual.. when u restart you hope its gone but its not. It reappears again once i scan after the restart. if anyone could help me out i'd be really grateful, here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:27:17, on 05/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\j2re1.4.2_01\bin\javaw.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://216.131.84.26/search.php?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9749CF35-EAE2-4C62-91A7-ECDA9FDC9097} - C:\WINDOWS\system32\camf.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Wallpaper Changer] C:\Program Files\BGCWPV7\BGCWPV7.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EC..._1027_EN_XP.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O18 - Filter: text/html - {3CE2AF69-31D5-47AE-A6F3-86A26F6ECF39} - C:\WINDOWS\system32\camf.dll
O18 - Filter: text/plain - {3CE2AF69-31D5-47AE-A6F3-86A26F6ECF39} - C:\WINDOWS\system32\camf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: SDPAUMS server service (SDPASVC) - Matsu[censored]a Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Wain · « **Reply #1 on:** March 05, 2005, 07:30:08 AM »

sorry forgot to mention that recently it has been bringing up pop ups every 10-15 minutes even when there are no browsers open

guestolo · « **Reply #2 on:** March 05, 2005, 07:56:04 PM »

Download and save to Desktop DLLCompare

Start the Program and click the Run Locate.com

Let it complete the SCAN, which won't take long

Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button
Post back this log too, thanks

Wain · « **Reply #3 on:** March 06, 2005, 12:12:54 PM »

Hey thanks for the reply, here is the log from the Scan:

C:\WINDOWS\SYSTEM32\mso.dll Sat 29 May 2004 23:13:52 A...R 57,344 56.00 K
________________________________________________

1,400 items found: 1,400 files, 0 directories.
Total of file sizes: 293,609,439 bytes 280.00 M

Administrator Account = True

--------------------End log---------------------

guestolo · « **Reply #4 on:** March 06, 2005, 03:31:18 PM »

-Download and save to desktop this Removal tool developed by Symantec

also

Download and save to desktop The STANDALONE version of CWShredder.exe
Don't run this yet

Download the Pocket Killbox
UNZIP it to a folder of your choice

Please print this out or save to a Notepad file on your desktop for easy access
START>>RUN>>type in notepad
hit OK

Disconnect from the Internet (Close down all browser windows) and all unnecessary programs running in the background

Double-click the FxAgentB removal tool by Symantec to run it.
The program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later.
RESTART your computer when Done

Back in Windows>>>Stay disconnected from the Internet
Run Pocket KillBox>>Now you have Killbox and this notepad file open
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them
click on Tools --> Select Delete Temp Files. Click OK.

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold

C:\WINDOWS\system32\camf.dll

Select the radio button to
Delete on Reboot
Additionally, select the "Unregister .dll before deleting"
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Do the same for this file
C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll

But this time if prompted to Reboot select YES
If not prompted reboot anyways

But please Restart into Safe mode, you can do this by tapping the F8 key as the system is booting up

In safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://216.131.84.26/search.php?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {9749CF35-EAE2-4C62-91A7-ECDA9FDC9097} - C:\WINDOWS\system32\camf.dll

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll,DllInstall

O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EC..._1027_EN_XP.cab

O18 - Filter: text/html - {3CE2AF69-31D5-47AE-A6F3-86A26F6ECF39} - C:\WINDOWS\system32\camf.dll
O18 - Filter: text/plain - {3CE2AF69-31D5-47AE-A6F3-86A26F6ECF39} - C:\WINDOWS\system32\camf.dll

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Again, in safe mode
Open just CWShredder and click ONLY the FIX button, let it fix all problems
Restart back to Normal mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back a fresh Hijackthis log
Could you also post the FxAgentB.log

One more request
Could you also
Download STARTDRECK

Unzip it to it's own folder

run StartDreck.exe:
Hit: -config
Hit: -Unmark all

Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log

Also run one more scan with DLLCompare and post that log too, thanks

Wain · « **Reply #5 on:** March 06, 2005, 07:08:17 PM »

Hi Really appericiate you using your own time to help me out, i have done exactly what you said and here are the logs :

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2

process: winlogon.exe, thread: 000002D0 (terminated)
process: services.exe, thread: 00000314 (terminated)
process: lsass.exe, thread: 00000318 (terminated)
process: ati2evxx.exe, thread: 000003D0 (terminated)
process: svchost.exe, thread: 000003F0 (terminated)
process: svchost.exe, thread: 0000043C (terminated)
process: svchost.exe, thread: 00000468 (terminated)
process: svchost.exe, thread: 00000564 (terminated)
process: svchost.exe, thread: 0000058C (terminated)
process: spoolsv.exe, thread: 00000680 (terminated)
process: wbload.exe, thread: 00000728 (terminated)
process: ati2evxx.exe, thread: 0000018C (terminated)
process: explorer.exe, thread: 000001F4 (terminated)
process: mnmsrvc.exe, thread: 000004D0 (terminated)
process: SMax4.exe, thread: 00000560 (terminated)
process: realsched.exe, thread: 0000055C (terminated)
process: qttask.exe, thread: 000005AC (terminated)
process: LogiTray.exe, thread: 0000016C (terminated)
process: winampa.exe, thread: 000005E0 (terminated)
process: jusched.exe, thread: 00000704 (terminated)
process: atiptaxx.exe, thread: 00000710 (terminated)
process: rundll32.exe, thread: 0000074C (terminated)
process: OSA.EXE, thread: 00000740 (terminated)
process: sdpasvc.exe, thread: 000004AC (terminated)
process: rundll32.exe, thread: 00000238 (terminated)
process: SMAgent.exe, thread: 00000494 (terminated)
process: svchost.exe, thread: 000005D8 (terminated)
process: LVComS.exe, thread: 00000824 (terminated)
process: alg.exe, thread: 00000A78 (terminated)
process: wscntfy.exe, thread: 00000BB0 (terminated)
process: Steam.exe, thread: 00000D60 (terminated)
process: wuauclt.exe, thread: 000009E0 (terminated)
process: FxAgentB.exe, thread: 00000E24 (terminated)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs (value set to "")

C:\System Volume Information: (not scanned)
E:\System Volume Information: (not scanned)

Backdoor.Agent.B has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 106285
The number of deleted files: 0
The number of viral processes terminated: 0
The number of viral threads terminated: 33
The number of registry entries fixed: 1

Logfile of HijackThis v1.99.1
Scan saved at 23:59:58, on 06/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Wallpaper Changer] C:\Program Files\BGCWPV7\BGCWPV7.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: SDPAUMS server service (SDPASVC) - Matsu[censored]a Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

StartDreck (build 2.1.7 public stable) - 2005-03-07 @ 00:02:36 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Wain at WAIN

»Registry
»Run Keys
»Current User
»Run
*msnmsgr="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
*Internet Download Accelerator=C:\Program Files\IDA\ida.exe -autorun
*Steam=
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*SoundMax="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Wallpaper Changer=C:\Program Files\BGCWPV7\BGCWPV7.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*LogitechVideoRepair=C:\Program Files\Logitech\Video\ISStart.exe
*LogitechVideoTray=C:\Program Files\Logitech\Video\LogiTray.exe
*WinampAgent=C:\Program Files\Winamp\winampa.exe
*Zone Labs Client=C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
*SunJavaUpdateSched=C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
*!CleanupNetMeetingDispDriver="C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=Notepad.exe %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
*Jccatch.IeCatch2.1/{A5366673-E8CA-11D3-9CD9-0090271D075B}
`InprocServer32=C:\PROGRA~1\FlashGet\jccatch.dll
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Wain\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Wain\Start Menu\Programs\Startup\Office Startup.lnk
*C:\Documents and Settings\Wain\Start Menu\Programs\Startup\Xfire.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
*C:\autoexec.bat
*C:\WINDOWS\system32\autoexec.nt
*C:\WINDOWS\wininit.ini
*C:\WINDOWS\system32\drivers\etc\hosts
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+456=\SystemRoot\System32\smss.exe
+504=\??\C:\WINDOWS\system32\csrss.exe
+528=\??\C:\WINDOWS\system32\winlogon.exe
+576=C:\WINDOWS\system32\services.exe
+588=C:\WINDOWS\system32\lsass.exe
+768=C:\WINDOWS\system32\Ati2evxx.exe
+796=C:\WINDOWS\system32\svchost.exe
+900=C:\WINDOWS\system32\svchost.exe
+944=C:\WINDOWS\System32\svchost.exe
+1000=C:\WINDOWS\System32\svchost.exe
+1092=C:\WINDOWS\System32\svchost.exe
+1276=C:\WINDOWS\system32\spoolsv.exe
+1404=C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
+1528=C:\WINDOWS\System32\mnmsrvc.exe
+1704=C:\WINDOWS\system32\Ati2evxx.exe
+1808=C:\WINDOWS\Explorer.EXE
+1880=C:\WINDOWS\system32\rundll32.exe
+1904=C:\WINDOWS\System32\sdpasvc.exe
+1940=C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
+2012=C:\WINDOWS\System32\svchost.exe
+124=C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+192=C:\Program Files\Analog Devices\SoundMAX\smax4.exe
+208=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+216=C:\Program Files\QuickTime\qttask.exe
+264=C:\Program Files\Logitech\Video\LogiTray.exe
+272=C:\Program Files\Winamp\winampa.exe
+280=C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
+292=C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
+308=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
+324=C:\Program Files\MSN Messenger\msnmsgr.exe
+404=C:\Program Files\Microsoft Office\Office\OSA.EXE
+1804=C:\WINDOWS\System32\alg.exe
+2176=C:\WINDOWS\system32\wscntfy.exe
+2240=C:\WINDOWS\System32\LVComS.exe
+2432=C:\WINDOWS\system32\wuauclt.exe
+2508=C:\WINDOWS\system32\wuauclt.exe
+2956=C:\PROGRA~1\WINZIP\winzip32.exe
+3012=C:\unzipped\startdreck\StartDreck.exe
»NT Services
*Alerter   Alerter   -   disabled
*Application Layer Gateway Service   ALG   running   on demand
*Application Management   AppMgmt   -   on demand
*ASP.NET State Service   aspnet_state   -   on demand
*Ati HotKey Poller   Ati HotKey Poller   running   auto
*ATI Smart   ATI Smart   -   auto
*Windows Audio   AudioSrv   running   auto
*Background Intelligent Transfer Service   BITS   -   on demand
*Computer Browser   Browser   running   auto
*Indexing Service   cisvc   -   on demand
*ClipBook   ClipSrv   -   disabled
*COM+ System Application   COMSysApp   -   on demand
*Cryptographic Services   CryptSvc   running   auto
*DCOM Server Process Launcher   DcomLaunch   running   auto
*DefWatch   DefWatch   -   auto
*DHCP Client   Dhcp   running   auto
*Logical Disk Manager Administrative Service   dmadmin   -   on demand
*Logical Disk Manager   dmserver   running   auto
*DNS Client   Dnscache   running   auto
*Error Reporting Service   ERSvc   running   auto
*Event Log   Eventlog   running   auto
*COM+ Event System   EventSystem   running   on demand
*Fast User Switching Compatibility   FastUserSwitchingCom   -   on demand
*Help and Support   helpsvc   running   auto
*Human Interface Device Access   HidServ   -   disabled
*HTTP SSL   HTTPFilter   -   on demand
*IMAPI CD-Burning COM Service   ImapiService   -   on demand
*Server   lanmanserver   running   auto
*Workstation   lanmanworkstation   running   auto
*TCP/IP NetBIOS Helper   LmHosts   running   auto
*Messenger   Messenger   -   disabled
*NetMeeting Remote Desktop Sharing   mnmsrvc   paused   auto
*Distributed Transaction Coordinator   MSDTC   -   on demand
*Windows Installer   MSIServer   -   on demand
*Network DDE   NetDDE   -   disabled
*Network DDE DSDM   NetDDEdsdm   -   disabled
*Net Logon   Netlogon   -   on demand
*Network Connections   Netman   running   on demand
*Network Location Awareness (NLA)   Nla   running   on demand
*Symantec AntiVirus Client   Norton AntiVirus Ser   -   auto
*NT LM Security Support Provider   NtLmSsp   -   on demand
*Removable Storage   NtmsSvc   -   on demand
*Plug and Play   PlugPlay   running   auto
*IPSEC Services   PolicyAgent   running   auto
*Protected Storage   ProtectedStorage   running   auto
*Remote Access Auto Connection Manager   RasAuto   -   on demand
*Remote Access Connection Manager   RasMan   running   on demand
*Remote Desktop Help Session Manager   RDSessMgr   -   on demand
*Routing and Remote Access   RemoteAccess   -   disabled
*Remote Registry   RemoteRegistry   running   auto
*Remote Procedure Call (RPC) Locator   RpcLocator   -   on demand
*Remote Procedure Call (RPC)   RpcSs   running   auto
*QoS RSVP   RSVP   -   on demand
*Security Accounts Manager   SamSs   running   auto
*Smart Card   SCardSvr   -   on demand
*Task Scheduler   Schedule   running   auto
*SDPAUMS server service   SDPASVC   running   auto
*Secondary Logon   seclogon   running   auto
*System Event Notification   SENS   running   auto
*Windows Firewall/Internet Connection Sharing (I   SharedAccess   running   auto
`CS)
*Shell Hardware Detection   ShellHWDetection   running   auto
*Symantec Network Drivers Service   SNDSrvc   -   on demand
*SoundMAX Agent Service   SoundMAX Agent Servi   running   auto
*Print Spooler   Spooler   running   auto
*System Restore Service   srservice   -   auto
*SSDP Discovery Service   SSDPSRV   running   on demand
*Windows Image Acquisition (WIA)   stisvc   running   auto
*MS Software Shadow Copy Provider   SwPrv   -   on demand
*Performance Logs and Alerts   SysmonLog   -   on demand
*Telephony   TapiSrv   running   on demand
*Terminal Services   TermService   running   on demand
*Themes   Themes   running   auto
*Telnet   TlntSvr   -   on demand
*Distributed Link Tracking Client   TrkWks   running   auto
*Universal Plug and Play Device Host   upnphost   -   on demand
*Uninterruptible Power Supply   UPS   -   on demand
*TrueVector Internet Monitor   vsmon   running   auto
*Volume Shadow Copy   VSS   -   on demand
*Windows Time   W32Time   running   auto
*WebClient   WebClient   running   auto
*Windows Management Instrumentation   winmgmt   running   auto
*Portable Media Serial Number Service   WmdmPmSN   -   on demand
*Windows Management Instrumentation Driver Exten   Wmi   -   on demand
`sions
*WMI Performance Adapter   WmiApSrv   -   on demand
*Security Center   wscsvc   running   auto
*Automatic Updates   wuauserv   running   auto
*Wireless Zero Configuration   WZCSVC   running   auto
*Network Provisioning Service   xmlprov   -   on demand
»Application specific

And that's all the logs once again thankyou so so much IE is back to normal so far, not sure on the pop ups but i'll let you know how it goes!

Wain · « **Reply #6 on:** March 06, 2005, 07:10:53 PM »

oops thats not all the logs, here is the Comparedll Log you requested for too

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\mso.dll Sat 29 May 2004 23:13:52 A...R 57,344 56.00 K
________________________________________________

1,399 items found: 1,399 files, 0 directories.
Total of file sizes: 293,569,503 bytes 279.97 M

Administrator Account = True

--------------------End log---------------------

guestolo · « **Reply #7 on:** March 06, 2005, 07:27:25 PM »

Looks like you may still have a leftover

Can you let me know if you now see this file since running Symantec's tool
Before it would of been hidden
C:\WINDOWS\SYSTEM32\mso.dll <--this file

If not
Download and install Registrar Lite.
http://www.resplendence.com/reglite
Install it and then run it
Copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows

and hit the "Go" tab.
Find: "Appinit_Dlls" value on the right side panel
DoubleClick on it
Copy and post here the information in the 'Value' field.

Wain · « **Reply #8 on:** March 07, 2005, 11:26:45 AM »

Heya I tried to look for C:\WINDOWS\SYSTEM32\mso.dll
But it wasnt there, so i downloaded Reg lite entered the command line in the address bar pushed go and there was no "Appinit_Dlls" value on the right side panel.

The only things that came up were:

Current Version Key
Help Key
HTML Help Key
IT Storage Key
Shell Key
(default) Value

Wain · « **Reply #9 on:** March 07, 2005, 01:58:28 PM »

Heh Spyware Strikes again, it really does seem we did not manage to get rid of the evil. however it is the old one the Mso.dll as the webpage is the same search engine.

guestolo · « **Reply #10 on:** March 07, 2005, 08:30:19 PM »

That sounds like the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows key that you went too, try this

copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

If you still have trouble seeing AppInit_Dlls
Try manually navigating to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Highlight Windows and look on your right hand side

Also post back a fresh Hijackthis log

Wain · « **Reply #11 on:** March 08, 2005, 10:57:51 AM »

Bingo .. C:\WINDOWS\System32\mso.dll was found in the value field for the
AppInit_DLLs

Also here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 15:56:34, on 08/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Registrar Lite\rl.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8EBC1800-447F-48DA-B7E9-8DEEF4137FC9} - C:\WINDOWS\system32\ddlcoia.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Wallpaper Changer] C:\Program Files\BGCWPV7\BGCWPV7.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O18 - Filter: text/html - {722F1EB0-A691-4C2B-A52B-D7E0C52A86E9} - C:\WINDOWS\system32\ddlcoia.dll
O18 - Filter: text/plain - {722F1EB0-A691-4C2B-A52B-D7E0C52A86E9} - C:\WINDOWS\system32\ddlcoia.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: SDPAUMS server service (SDPASVC) - Matsu[censored]a Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

guestolo · « **Reply #12 on:** March 08, 2005, 07:43:01 PM »

My fault with the copy and paste before in Reglite
I forgot to put a space between Windows and NT
Usually, if run again, the Symantec tool will get rid of that file, may be best to run in safe mode>>We won't worry about this now
But there are a few other methods, would you mind trying the steps below

All steps are Important, so please Print this out or save to a Notepad file
Try not to miss anything

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Create a new folder for backups somewhere: (e.g. My Documents\Backups)

Use the Registrar Lite program again. Copy and paste the key below into reglite's address bar and hit 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Left click once to highlight the Windows key
(the key is highlighted as a purple folder in the left hand pane of reglite) and use Reglite's File menu>>>Export, save in the following formats:
Export once and name as
1.) Winkey.reg (Save as type: regedit4 .reg type)>>should be default

Export again and save as
2.) Winkey.hiv (in Save as type: Scroll to select-regetd32/WinAPI *hiv *dat files)

After you have both files backed up to your Backups folder

Right-click on the Windows key in the left pane and rename it to NotWindows

DoubleClick "Appinit_Dlls" value on right pane and Erase the data in the 'Value' box at the the bottom of the new pane. The data to remove will be:

"C:\WINDOWS\System32\mso.dll" hit 'Apply' and 'Ok' to set.

After it is removed rename "NotWindows" back to Windows

RESTART your Computer in SAFE MODE

Find and delete this file
C:\WINDOWS\System32\mso.dll

If you have trouble deleting the file, RightClick on the File>Security> And check the box:
'Allow inheritable permissions
from parent' to propagate... '
Apply and ok.

When done:
====Navigate to backups location, And DoubleClick on the Winkey.reg file.
Answer yes to the prompt to allow to merge to the registry

===Open Registrar lite again,
Navigate back to the Windows Key in purple
Highlight it and use the File>>>Import
browse to and select the Winkey.hiv file.
Merge and follow the prompts.

The above 2 steps are important in keeping your system secure

DoubleClick on the Appinit_Dlls value again
and erase the data in the
value field. (C:\WINDOWS\System32\mso.dll)

Close Reg Lite

Stay in safe mode

Open Killbox.exe
click on Tools --> Select Delete Temp Files. Click OK.

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold

C:\WINDOWS\system32\ddlcoia.dll

Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Do the same for this file
C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll

But this time if prompted to Reboot select YES
If not prompted reboot anyways, Normal or safe mode

Immediately back in Windows
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {8EBC1800-447F-48DA-B7E9-8DEEF4137FC9} - C:\WINDOWS\system32\ddlcoia.dll

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Wain\LOCALS~1\Temp\se.dll,DllInstall

O18 - Filter: text/html - {722F1EB0-A691-4C2B-A52B-D7E0C52A86E9} - C:\WINDOWS\system32\ddlcoia.dll
O18 - Filter: text/plain - {722F1EB0-A691-4C2B-A52B-D7E0C52A86E9} - C:\WINDOWS\system32\ddlcoia.dll

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

After you have exited hijackthis open just CWShredder and click the FIX button, let if fix whatever if finds and then
Restart your computer

Back in Windows post a fresh Hijackthis log
Also post another log from DLLCompare

Guest · « **Reply #13 on:** March 09, 2005, 03:28:54 PM »

Hey Guestolo, I have done all you have mentioned however when u asked me to Imports the Reg file and hiv file and then asked me to delete the value for the dll file, there was no value in the box when i opened it.

Here is the log files :

Logfile of HijackThis v1.99.1
Scan saved at 20:26:02, on 09/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\Documents and Settings\Wain\Desktop\Spyware programs\DllCompare.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Wallpaper Changer] C:\Program Files\BGCWPV7\BGCWPV7.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: SDPAUMS server service (SDPASVC) - Matsu[censored]a Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />"
________________________________________________

1,408 items found: 1,408 files, 0 directories.
Total of file sizes: 297,481,183 bytes 283.70 M

Administrator Account = True

--------------------End log---------------------

Thanks.

guestolo · « **Reply #14 on:** March 10, 2005, 12:17:56 AM »

That looks better, can I ask you
when you followed the instructions

You did first backup the Windows key and name it as
Winkey.reg
and
Winkey.hiv

Then you renamed Windows Key to NotWindows
Just Checking

Other than that you look clean, I'm unsure about this entry
O4 - HKLM\..\Run: [Wallpaper Changer] C:\Program Files\BGCWPV7\BGCWPV7.exe

Do you know what it's related too?

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Wain · « **Reply #15 on:** March 10, 2005, 01:33:23 PM »

Hiya, things are looking much better, thanks for all your time and support!
dont think i could have found any place that would help me with this problem and have enough patience, not to mention the easy step by step instructions you gave.

once again thanks!

Wain

guestolo · « **Reply #16 on:** March 13, 2005, 01:14:26 PM »

Thanks for posting back

I'll lock this thread as your problems appear resolved
If you need it reopened please PM a Mod or the site Admin and supply a link to this thread

Take Care

TheTechGuide Forum

News:

Author Topic: Hiddendll =( please help (Read 2698 times)

Wain

Hiddendll =( please help

Wain

Hiddendll =( please help

guestolo

Hiddendll =( please help

Wain

Hiddendll =( please help

guestolo

Hiddendll =( please help

Wain

Hiddendll =( please help

Wain

Hiddendll =( please help

guestolo

Hiddendll =( please help

Wain

Hiddendll =( please help

Wain

Hiddendll =( please help

guestolo

Hiddendll =( please help

Wain

Hiddendll =( please help

guestolo

Hiddendll =( please help

Guest

Hiddendll =( please help

guestolo

Hiddendll =( please help

Wain

Hiddendll =( please help

guestolo

Hiddendll =( please help