« previous next »
Pages: [1]

Author Topic: CWS.hiddendll - Help!  (Read 6047 times)

Offline itsumofalling

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
CWS.hiddendll - Help!
« on: May 06, 2005, 06:17:51 AM »
Hi. I've found out I've got CWS.hiddendll (a variant of CoolWebSearch's really piss annoying hijacker). It's the one that changes the homepage to about:blank, an annoying web search and also prompts pop-ups all the time, which really piss you off.

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:03:33 PM, on 5/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\PROFILES\DANIEL\DESKTOP\DANIEL\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {B2281DC6-BDA4-11D9-B4CB-000A40EEC41E} - C:\WINDOWS\SYSTEM\NLPJ.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTOOLBAND.DLL
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR21.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRAM FILES\AQUATICA WATERWORLDS\AQ3HELPER.EXE /partner AQ3
O4 - HKLM\..\Run: [OSS] c:\windows\system\rk.exe -boot
O4 - HKLM\..\Run: [saap] c:\program files\180solutions inc\sa\81\saap.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid%20: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/m0h54e.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by17fd.bay17.Email Removed.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Filter: text/html - {B2281DC5-BDA4-11D9-B4CB-000AB03C5A69} - C:\WINDOWS\SYSTEM\NLPJ.DLL
O18 - Filter: text/plain - {B2281DC5-BDA4-11D9-B4CB-000AB03C5A69} - C:\WINDOWS\SYSTEM\NLPJ.DLL



* HERE IS THE DLLCOMPARE LOG*

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />"
________________________________________________

862 items found:  862 files, 0 directories.
Total of file sizes:  175,266,558 bytes    167.14 M

--------------------End log---------------------

* HERE IS THE START DRECK LOG*
 - note, this one is finding: run keys, browser help objects, run processes

StartDreck (build 2.1.7 public stable) - 2005-05-06 @ 21:16:26 (GMT +10:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Daniel at EDMUNDS

»Registry
 »Run Keys
  »Current User
   »Run
    *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    *MessengerPlus3="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    *msnmsgr="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
   »RunOnce
  »Default User
   »Run
    *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    *MessengerPlus3="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    *MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
   »RunOnce
  »Local Machine
   »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SoundMan=SOUNDMAN.EXE
    *ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    *LVCOMS=C:\WINDOWS\SYSTEM\LVCOMS.EXE
    *DXM6Patch_981116=C:\WINDOWS\p_981116.exe /Q:A
    *KodakCCS=C:\WINDOWS\System32\Drivers\KodakCCS.exe
    *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
    *LoadQM=loadqm.exe
    *MsnExplorer=C:\WINDOWS\shch.exe /i
    *pccguide.exe="C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    *PCCIOMON.exe="C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    *PCClient.exe="C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    *TM Outbreak Agent="C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    *SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    *BigPond Toolbar="C:\Program Files\Telstra\Toolbar\bpumTray.exe"
    *WildTangent CDA=RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
    *AQ3HelperStartUp=C:\PROGRAM FILES\AQUATICA WATERWORLDS\AQ3HELPER.EXE /partner AQ3
    *sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
   »RunOnce
   »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *PCCIOMON.exe="C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    *PccPfw=C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    *tmproxy=C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    *MessengerPlus3="C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    *Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
   »RunServicesOnce
    **c=rundll32 C:\WINDOWS\WIN3H6.SWP,DllGetClassObject
   »RunOnceEx
   »RunServicesOnceEx
 »Browser Helper Objects (LM)
  *{78FC9FC7-BE60-11D9-B4CB-000AC4DBFB1E}
   `InprocServer32=C:\WINDOWS\SYSTEM\NLPJ.DLL
»Files
»System/Drivers
 »Running Processes
  +FFCE6845=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  +FFFFB3ED=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  +FFFFAD7D=C:\WINDOWS\SYSTEM\MPREXE.EXE
  +FFFF2101=C:\WINDOWS\SYSTEM\MSTASK.EXE
  +FFFF71B5=C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
  +FFFF600D=C:\WINDOWS\RUNDLL32.EXE
  +FFFF7179=C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
  +FFFCBA79=C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
  +FFFF6369=C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
  +FFFF2ECD=C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
  +FFFC260D=C:\WINDOWS\SYSTEM\mmtask.tsk
  +FFFDE811=C:\WINDOWS\EXPLORER.EXE
  +FFF2FECD=C:\WINDOWS\TASKMON.EXE
  +FFF2E88D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  +FFF226D9=C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
  +FFF24EF9=C:\WINDOWS\SYSTEM\LVCOMS.EXE
  +FFF3ACDD=C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
  +FFF38641=C:\WINDOWS\SYSTEM\STIMON.EXE
  +FFF3BC09=C:\WINDOWS\LOADQM.EXE
  +FFF27EFD=C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
  +FFF3B9A5=C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
  +FFF30B09=C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
  +FFF37329=C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
  +FFF36CB5=C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTRAY.EXE
  +FFF33931=C:\WINDOWS\RUNDLL32.EXE
  +FFF0F46D=C:\WINDOWS\RUNDLL32.EXE
  +FFF00B61=C:\WINDOWS\RunDLL.exe
  +FFF1EB8D=C:\WINDOWS\SYSTEM\DDHELP.EXE
  +FFF69019=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
  +FFF634E9=C:\WINDOWS\SYSTEM\WMIEXE.EXE
  +FFF77FC1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
  +FFF74311=C:\WINDOWS\SYSTEM\PSTORES.EXE
  +FFF47F3D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
  +FFF53D29=C:\WINDOWS\PROFILES\DANIEL\DESKTOP\START DRECK\STARTDRECK.EXE
»Application specific



THANKS HEAPS! hopefully all the logs i posted will help in some way.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
CWS.hiddendll - Help!
« Reply #1 on: May 07, 2005, 01:01:13 AM »
==Download and save to Desktop
SpSeHjfix109.zip
From that link
Unzip the contents, so you now have SpSeHjfix109.exe on your desktop

Restart your computer into Safe Mode
You can do this by tapping the F8 key as the system is restarting, right after the single post beep
Select safe mode

==Run SpSeHjfix109.exe by clicking the Start Disinfection
It should reboot your computer
If not Reboot anyways back to Normal mode
Back in Windows>>The tool would of created a log, could you copy and paste that log to a location such as MyDocuments, just so we don't overwrite it when we run the tool again

Run
SpSeHjfix109.exe again

Post back a Fresh Hijackthis log and the logs from SpSeHjfix

We'll still have some cleaning to do
Could you do the following please
Open Hijackthis>>Open Misc Tools Section>>Open Uninstall Manager
Click the SAVE LIST button
Save the list and then copy and paste the contents back here

One more request
Go here and download and UNZIP to desktop LSPFix.zip
http://www.cexx.org/lspfix.htm
We may not need this, but we have it just in case
Open LSPFIX.exe and let me know what you see on the KEEP side
Also let me know if you see anything on the REMOVE side
Close it out by using the X button afterwards
« Last Edit: May 07, 2005, 01:02:04 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline itsumofalling

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
CWS.hiddendll - Help!
« Reply #2 on: May 07, 2005, 04:29:41 PM »
*** SPSeHjFix #1 Log File ***

(5/8/05 7:13:25 AM) SPSeHjFix started v1.09
(5/8/05 7:13:25 AM) OS: Win98SE A (4.10.67766446)
(5/8/05 7:13:25 AM) Language: english
(5/8/05 7:13:26 AM) Disinfect started
(5/8/05 7:13:26 AM) Bad-Dll(IEP): se.dll
(5/8/05 7:13:26 AM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\GHDH.DLL  
(5/8/05 7:13:26 AM) Searchassistant Uninstaller - Keys Deleted
(5/8/05 7:13:26 AM) UBF: 6
(5/8/05 7:13:26 AM) UBB: 0
(5/8/05 7:13:26 AM) FilterKey: HKCR\text/html (deleted)
(5/8/05 7:13:26 AM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5/8/05 7:13:26 AM) FilterKey: HKCR\CLSID\{6198BAA0-BE84-11D9-B4CB-000A6D060F6A} (deleted)
(5/8/05 7:13:26 AM) FilterKey: HKCR\text/plain (deleted)
(5/8/05 7:13:26 AM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5/8/05 7:13:26 AM) FilterKey: HKCR\CLSID\{6198BAA0-BE84-11D9-B4CB-000A6D060F6A} (error while deleting)
(5/8/05 7:13:26 AM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6198BAA1-BE84-11D9-B4CB-000A024AAAF1} (deleted)
(5/8/05 7:13:26 AM) BHO-Key: HKCR\CLSID\{6198BAA1-BE84-11D9-B4CB-000A024AAAF1} (deleted)
(5/8/05 7:13:26 AM) UBR: 35
(5/8/05 7:13:26 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(5/8/05 7:13:26 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5/8/05 7:13:26 AM) Stealth-String found: C:\WINDOWS\WIN3H6.SWP
(5/8/05 7:13:26 AM) File added to delete: c:\windows\system\ghdh.dll  
(5/8/05 7:13:26 AM) File added to delete: c:\windows\system\ghdh.dll
(5/8/05 7:13:26 AM) File added to delete: c:\windows\temp\se.dll
(5/8/05 7:13:26 AM) File added to delete: c:\windows\win3h6.swp
(5/8/05 7:13:26 AM) Reboot
(5/8/05 7:15:01 AM) SPSeHjFix 2nd Step
(5/8/05 7:15:01 AM) RunServicesOnce-Key: (edited)
(5/8/05 7:15:12 AM) Cleaned

*** SPSeHjFix #2 Log File ***

(5/8/05 7:17:49 AM) SPSeHjFix started v1.09
(5/8/05 7:17:49 AM) OS: Win98SE A (4.10.67766446)
(5/8/05 7:17:49 AM) Language: english
(5/8/05 7:17:54 AM) Disinfect started
(5/8/05 7:17:54 AM) Bad-Dll(IEP): (not found)
(5/8/05 7:17:54 AM) Bad-Dll(IEP) in BHO: (not found)
(5/8/05 7:17:54 AM) UBF: 4
(5/8/05 7:17:54 AM) UBB: 0
(5/8/05 7:17:54 AM) UBR: 35
(5/8/05 7:17:54 AM) Bad IE-pages:
(5/8/05 7:17:54 AM) Stealth-String not found:
(5/8/05 7:17:54 AM) Not infected->END


(5/8/05 7:18:09 AM) SPSeHjFix started v1.09
(5/8/05 7:18:09 AM) OS: Win98SE A (4.10.67766446)
(5/8/05 7:18:09 AM) Language: english
(5/8/05 7:18:10 AM) Disinfect started
(5/8/05 7:18:10 AM) Bad-Dll(IEP): (not found)
(5/8/05 7:18:10 AM) Bad-Dll(IEP) in BHO: (not found)
(5/8/05 7:18:10 AM) UBF: 4
(5/8/05 7:18:10 AM) UBB: 0
(5/8/05 7:18:10 AM) UBR: 35
(5/8/05 7:18:10 AM) Bad IE-pages:
(5/8/05 7:18:10 AM) Stealth-String not found:
(5/8/05 7:18:10 AM) Not infected->END


(5/8/05 7:18:59 AM) SPSeHjFix started v1.09
(5/8/05 7:18:59 AM) OS: Win98SE A (4.10.67766446)
(5/8/05 7:18:59 AM) Language: english
(5/8/05 7:19:00 AM) Disinfect started
(5/8/05 7:19:00 AM) Bad-Dll(IEP): (not found)
(5/8/05 7:19:00 AM) Bad-Dll(IEP) in BHO: (not found)
(5/8/05 7:19:00 AM) UBF: 4
(5/8/05 7:19:00 AM) UBB: 0
(5/8/05 7:19:00 AM) UBR: 35
(5/8/05 7:19:00 AM) Bad IE-pages:
(5/8/05 7:19:00 AM) Stealth-String not found:
(5/8/05 7:19:00 AM) Not infected->END


(5/8/05 7:19:03 AM) SPSeHjFix started v1.09
(5/8/05 7:19:03 AM) OS: Win98SE A (4.10.67766446)
(5/8/05 7:19:03 AM) Language: english
(5/8/05 7:19:04 AM) Disinfect started
(5/8/05 7:19:04 AM) Bad-Dll(IEP): (not found)
(5/8/05 7:19:04 AM) Bad-Dll(IEP) in BHO: (not found)
(5/8/05 7:19:04 AM) UBF: 4
(5/8/05 7:19:04 AM) UBB: 0
(5/8/05 7:19:04 AM) UBR: 35
(5/8/05 7:19:04 AM) Bad IE-pages:
(5/8/05 7:19:04 AM) Stealth-String not found:
(5/8/05 7:19:04 AM) Not infected->END

*** HiJackThis Log File***

Logfile of HijackThis v1.99.1
Scan saved at 7:25:03 AM, on 5/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\180SOLUTIONS INC\SA\81\SAAP.EXE
C:\WINDOWS\HBCL.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\PROFILES\DANIEL\DESKTOP\DANIEL\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTOOLBAND.DLL
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR21.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRAM FILES\AQUATICA WATERWORLDS\AQ3HELPER.EXE /partner AQ3
O4 - HKLM\..\Run: [saap] c:\program files\180solutions inc\sa\81\saap.exe
O4 - HKLM\..\Run: [mbypgx] C:\WINDOWS\mbypgx.exe
O4 - HKLM\..\Run: [hbcl] C:\WINDOWS\HBCL.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid%20: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/m0h54e.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by17fd.bay17.Email Removed.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au

*** lspfix Files ***

The files in the 'keep' field are...

rnr20.dll - DNS Name Space Provider
mswsosp.dll - (Protocol Handler)
msafd.dll - (Protocol Handler)
rsvpsp.dll - (Protocol Handler)

Thanks heaps Olo for all your help!
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
CWS.hiddendll - Help!
« Reply #3 on: May 07, 2005, 04:37:34 PM »
Hold onto LSP fix for now

Could I have you still do the following

Open Hijackthis>>Open Misc Tools Section>>Open Uninstall Manager
Click the SAVE LIST button
Save the list and then copy and paste the contents back here
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline itsumofalling

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
CWS.hiddendll - Help!
« Reply #4 on: May 07, 2005, 05:15:55 PM »
Sorry - forgot to paste that part into my last post

*** HiJackThis Save List ***

602Pro PC SUITE 2001
ACDSee 4.0.1 Standard
Ad-aware 6 Personal
Adobe Acrobat 5.0
Arabic Language Support
Astonia 3
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATP
BankshotBilliards
BankshotBilliards
Battle Realms
BigPond ADSL SIK 5.5 Files
BigPond Toolbar
BitTorrent 3.4.2
Blasterball 2 Remix from WildTangent (remove only)
Canon i350
Carnivores
Chinese (Simplified) Language Support
Chinese (Traditional) Language Support
Cricket 2004
DashBar Toolbar
DataTraveler 2.0
DivX 5.0.2 Bundle
GoldWave v5.10
GTK+ 2.6.2 runtime environment
Gutterball
Hebrew Language Support
HijackThis 1.99.1
HyperLoad - Golf Course
InfoMagic
Japanese Language Support
Kodak EasyShare software
Korean Language Support
Living 3D Dolphins Screen Saver
Logitech QuickCam
Macromedia Shockwave Player
Madeline Rainy Day Activities
Magical Jellybean Dictionary
Messenger Plus! 3
Microsoft Global IME for Chinese (Simplified)
Microsoft Global IME for Chinese (Traditional)
Microsoft Global IME for Chinese (Traditional) ChangJie
Microsoft Global IME for Japanese
Microsoft Global IME for Korean
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Outlook Express 6
mIRC
Morpheus 4.7 (remove only)
Morrowind
MSN Gaming Zone
MSN Messenger 4.6
Nero - Burning ROM
Netscape Browser (remove only)
Pacific Poker
Pan-European Language Support
Populous: The Beginning (Demo)
QuickTime
QuickTime for Windows (32-bit)
RealPlayer 7 Basic
Realtek AC'97 Audio
RelevantKnowledge
RocketBowl
Serif PhotoPlus 6.0
SimCity 3000
SimPark
SimSafari
SimTown Demo
SolidPeer
SpeedTouch USB Software
Spybot - Search & Destroy 1.2
Super Pool
TES Construction Set
Thai Language Support
The GIMP 2.2.4
The Sims 2
Thief 2
Trend Micro Internet Security
Tribes 2
Uninstall 180search Assistant
USB MassStorage CardReader
U-Storage 1.24
Vietnamese Language Support
WebReaper v9.4
Where in Time is Carmen Sandiego? v3.0.1
WildTangent Web Driver
Windows Media Player system update (9 Series)
WinRAR archiver
WinZip
Yahoo! Companion
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Pin High Country Club Golf
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
CWS.hiddendll - Help!
« Reply #5 on: May 07, 2005, 05:36:05 PM »
We have too update your spyware removal programs

But first, Access your Add/Remove programs via Control panel
Remove
Dashbar Toolbar
Uninstall 180search Assistant <allow this Internet connection, read the prompts carefully and ensure your uninstalling and not reinstalling

Restart your computer afterwards

Go back to Add/Remove programs

Your versions of Spybot and Ad-Aware a out of date
Could you Remove
Ad-aware 6 Personal
Spybot - Search & Destroy 1.2

After you have them both uninstalled

Download and Install the free version of Ad-Aware SE Personal 1.05
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Back in Windows

Download and Install Spybot S&D 1.3
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Click the Search & Destroy button on the left
Check for Problems---When the Scan is complete
FIX all selected promblems in RED

RESTART the computer to finish the cleaning process

Back in Windows
Run another scan with Hijackthis and post a fresh log
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline itsumofalling

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
CWS.hiddendll - Help!
« Reply #6 on: May 13, 2005, 07:38:29 PM »
Sorry for the late reply. A few things have changed - now everytime the computer starts up, 'EXPLORER caused an invalid page fault in module MSEP.DLL' illegal opporation occurs. Also - the home page has changed from one about:blank site to another. And, popups of porn keep coming up, and I have masses of viruses trying to make their way into my computer. I have run Spyware S&D and Ad-aware. Here's the new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:55 AM, on 5/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\NETKC.EXE
C:\WINDOWS\SYSTEM\CRJI.EXE
C:\WINDOWS\PROFILES\DANIEL\DESKTOP\DANIEL\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lairc.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lairc.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://msn.dll/msn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = res://msn.dll/index
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2CFEC154-1E18-8A30-5463-8A3A27DAB092} - C:\WINDOWS\MSEP.DLL
O2 - BHO: (no name) - {84F41201-C461-11D9-B4CB-000A2D21B0FA} - C:\WINDOWS\SYSTEM\JKPK.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRAM FILES\AQUATICA WATERWORLDS\AQ3HELPER.EXE /partner AQ3
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [CRJI.EXE] C:\WINDOWS\SYSTEM\CRJI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [NETKC.EXE] C:\WINDOWS\SYSTEM\NETKC.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid%20: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/m0h54e.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by17fd.bay17.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thun32.dll (file missing)
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
CWS.hiddendll - Help!
« Reply #7 on: May 13, 2005, 10:08:34 PM »
Wow, you came back worse infected
That's why it's important to get you clean before you continue surfing the web
Since it looks like things have changed, before we do any fixes

Can I have you do the following again

Open Hijackthis>>Open Misc Tools Section>>Open Uninstall Manager
Click the SAVE LIST button
Save the list and then copy and paste the contents back here

And rescan with Hijackthis and post a fresh Hijackthis log
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline itsumofalling

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
CWS.hiddendll - Help!
« Reply #8 on: May 14, 2005, 01:04:42 AM »
Ok. Thanks heaps for this again :-). Here's what you requested.

**Hijackthis Uninstall List**

602Pro PC SUITE 2001
ACDSee 4.0.1 Standard
Ad-Aware SE Personal
Adobe Acrobat 5.0
Arabic Language Support
Astonia 3
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATP
BankshotBilliards
BankshotBilliards
Battle Realms
BigPond ADSL SIK 5.5 Files
BigPond Toolbar
BitTorrent 3.4.2
Blasterball 2 Remix from WildTangent (remove only)
Canon i350
Carnivores
Chinese (Simplified) Language Support
Chinese (Traditional) Language Support
Cricket 2004
DataTraveler 2.0
DivX 5.0.2 Bundle
GoldWave v5.10
GTK+ 2.6.2 runtime environment
Gutterball
Hebrew Language Support
HijackThis 1.99.1
Home Search  Assistent
HyperLoad - Golf Course
InfoMagic
Japanese Language Support
Kodak EasyShare software
Korean Language Support
Living 3D Dolphins Screen Saver
Logitech QuickCam
Macromedia Shockwave Player
Madeline Rainy Day Activities
Magical Jellybean Dictionary
Messenger Plus! 3
Microsoft Global IME for Chinese (Simplified)
Microsoft Global IME for Chinese (Traditional)
Microsoft Global IME for Chinese (Traditional) ChangJie
Microsoft Global IME for Japanese
Microsoft Global IME for Korean
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Outlook Express 6
mIRC
Morpheus 4.7 (remove only)
Morrowind
MSN Gaming Zone
MSN Messenger 4.6
Nero - Burning ROM
Netscape Browser (remove only)
Pacific Poker
Pan-European Language Support
Populous: The Beginning (Demo)
QuickTime
QuickTime for Windows (32-bit)
RealPlayer 7 Basic
Realtek AC'97 Audio
RelevantKnowledge
RocketBowl
Search Assistant Uninstall
Search Extender
Serif PhotoPlus 6.0
Shopping Wizard  
SimCity 3000
SimPark
SimSafari
SimTown Demo
SolidPeer
SpeedTouch USB Software
Spybot - Search & Destroy 1.3
Super Pool
TES Construction Set
Thai Language Support
The GIMP 2.2.4
The Sims 2
Thief 2
Trend Micro Internet Security
Tribes 2
USB MassStorage CardReader
U-Storage 1.24
Vietnamese Language Support
WebReaper v9.4
Where in Time is Carmen Sandiego? v3.0.1
WildTangent Web Driver
Windows Media Player system update (9 Series)
WinRAR archiver
WinZip
Yahoo! Companion
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Pin High Country Club Golf

**HijackThis Log**

Logfile of HijackThis v1.99.1
Scan saved at 3:57:20 PM, on 5/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\NETKC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\CRJI.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\PROFILES\DANIEL\DESKTOP\DANIEL\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lairc.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lairc.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://msn.dll/msn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = res://msn.dll/index
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2CFEC154-1E18-8A30-5463-8A3A27DAB092} - C:\WINDOWS\MSEP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRAM FILES\AQUATICA WATERWORLDS\AQ3HELPER.EXE /partner AQ3
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [CRJI.EXE] C:\WINDOWS\SYSTEM\CRJI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [NETKC.EXE] C:\WINDOWS\SYSTEM\NETKC.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid%20: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/m0h54e.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by17fd.bay17.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thun32.dll (file missing)
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
CWS.hiddendll - Help!
« Reply #9 on: May 14, 2005, 01:33:07 AM »
Download and save to desktop CWShredder.exe from my signature below

==Download to desktop About:Buster.zip
by RubbeR Ducky
Unzip the contents to desktop, a folder will be placed on your desktop
Open it and run About:buster.exe
Click the Update Button and check for updates, if any, download them
Then close it for now, we'll need this later

==Download and UNZIP to desktop IEFix.zip, so you now have IEFix.reg on the desktop
We'll need this later
[attachment=222:attachment]

Make sure you still have
SPSeHjFix

Print the rest of this out

Restart into safe mode
Find and delete these files or folders if found
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE <-file, notice the spelling
C:\WINDOWS\SYSTEM\NETKC.EXE
C:\WINDOWS\SYSTEM\CRJI.EXE
C:\WINDOWS\System32\NTOSV.DLL
C:\WINDOWS\SYSTEM\thun32.dll
C:\WINDOWS\SYSTEM\Thun.dll
C:\WINDOWS\lairc.dll
C:\WINDOWS\shch.exe
C:\WINDOWS\MSEP.DLL

Stay in safe mode

==Start About:Buster and hit ok.   Now for the scanning part. Hit Start and then Ok. The program should start scanning.Scan a Second time. Save the log... Then hit exit
You may have to scan more than twice, try 3 or 4 times until no files or Data Streams are found

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lairc.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lairc.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lairc.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://msn.dll/msn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = res://msn.dll/index
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2CFEC154-1E18-8A30-5463-8A3A27DAB092} - C:\WINDOWS\MSEP.DLL

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\shch.exe /i

O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [NETKC.EXE] C:\WINDOWS\SYSTEM\NETKC.EXE /s

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/m0h54e.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab

O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thun32.dll (file missing)

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

After that>>>Run SpSeHjfix109.exe by clicking the Start Disinfection
It should reboot your computer
If not Reboot anyways back to Normal mode
Back in Windows

Don't open a Browser yet
 Instead>>Double click on IEFix.reg and allow to merge to the registry
 Run CWShredder.exe and click The FIX button
Let it fix what it finds
Restart your computer again

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Come back here and run another scan with Hijackthis and post a fresh log
Also post the new log from SpSeHjfix109
Could you also run DLLCompare again and post the log
« Last Edit: May 14, 2005, 02:08:55 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
CWS.hiddendll - Help!
« Reply #10 on: May 14, 2005, 09:20:44 AM »
*** HijackThis Log ***

Logfile of HijackThis v1.99.1
Scan saved at 12:17:46 AM, on 5/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\PROFILES\DANIEL\DESKTOP\DANIEL\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRAM FILES\AQUATICA WATERWORLDS\AQ3HELPER.EXE /partner AQ3
O4 - HKLM\..\Run: [CRJI.EXE] C:\WINDOWS\SYSTEM\CRJI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid%20: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by17fd.bay17.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au

*** SpSeHjfix109 Log ***

(5/15/05 12:07:48 AM) SPSeHjFix started v1.09
(5/15/05 12:07:48 AM) OS: Win98SE A (4.10.67766446)
(5/15/05 12:07:48 AM) Language: english
(5/15/05 12:07:53 AM) Disinfect started
(5/15/05 12:07:53 AM) Bad-Dll(IEP): (not found)
(5/15/05 12:07:53 AM) Bad-Dll(IEP) in BHO: (not found)
(5/15/05 12:07:53 AM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\JKPK.DLL  
(5/15/05 12:07:53 AM) Searchassistant Uninstaller - Keys Deleted
(5/15/05 12:07:53 AM) UBF: 4
(5/15/05 12:07:53 AM) UBB: 0
(5/15/05 12:07:53 AM) UBR: 30
(5/15/05 12:07:53 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(5/15/05 12:07:53 AM) Bad IE-pages:
(5/15/05 12:07:53 AM) Stealth-String not found:
(5/15/05 12:07:53 AM) File added to delete: c:\windows\system\jkpk.dll  
(5/15/05 12:07:53 AM) File added to delete: c:\windows\temp\se.dll
(5/15/05 12:07:53 AM) Reboot
(5/15/05 12:09:24 AM) SPSeHjFix 2nd Step
(5/15/05 12:09:24 AM) RunServicesOnce-Key: (edited)
(5/15/05 12:09:32 AM) Cleaned

*** DLLCompare Log ***

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\svchost.dll    Fri May 13 2005   9:14:16p  ..SHR         16,384    16.00 K
________________________________________________

863 items found:  863 files (1 H/S), 0 directories.
Total of file sizes:  175,243,006 bytes    167.12 M

--------------------End log---------------------

***********

Okay - there's your log files :-)
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
CWS.hiddendll - Help!
« Reply #11 on: May 14, 2005, 03:28:12 PM »
Still a bit more cleaning

Can you do the following please

Save these instructions too a Notepad file on the desktop and then Disconnect from the Internet

Run About:Buster again>>Save the log afterwards

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [CRJI.EXE] C:\WINDOWS\SYSTEM\CRJI.EXE

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Next:Open Hijackthis>>Open Misc tools section>>Click the "Delete a File on Reboot" button
In the File Name field, copy and paste (Don't type this in) the full path to the file in bold directly below

C:\WINDOWS\SYSTEM\svchost.dll

Then click the OPEN button
Hijackthis should prompt you that the file will be deleted and to Reboot your computer
Allow to do so or restart anyways

Back in Windows
Run another scan with Hijackthis and post a fresh log

Could you also
Download Startdreck.zip

Unzip it to it's own folder

run StartDreck.exe:
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post this log too, thanks!
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
CWS.hiddendll - Help!
« Reply #12 on: May 14, 2005, 07:20:20 PM »
*** HijackThis Log ***

Logfile of HijackThis v1.99.1
Scan saved at 10:00:16 AM, on 5/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\PROFILES\DANIEL\DESKTOP\DANIEL\DOWNLOADS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid%20: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by17fd.bay17.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au

*** StartDreck Log ***

StartDreck (build 2.1.7 public stable) - 2005-05-15 @ 10:02:09 (GMT +10:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Daniel at EDMUNDS

»Registry
 »Run Keys
  »Current User
   »Run
    *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    *MessengerPlus3="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    *msnmsgr="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
   »RunOnce
  »Default User
   »Run
    *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    *MessengerPlus3="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    *MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
   »RunOnce
  »Local Machine
   »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SoundMan=SOUNDMAN.EXE
    *ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    *LVCOMS=C:\WINDOWS\SYSTEM\LVCOMS.EXE
    *DXM6Patch_981116=C:\WINDOWS\p_981116.exe /Q:A
    *KodakCCS=C:\WINDOWS\System32\Drivers\KodakCCS.exe
    *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
    *pccguide.exe="C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    *PCCIOMON.exe="C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    *PCClient.exe="C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    *TM Outbreak Agent="C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    *SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    *BigPond Toolbar="C:\Program Files\Telstra\Toolbar\bpumTray.exe"
   »RunOnce
   »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *PCCIOMON.exe="C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    *PccPfw=C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    *tmproxy=C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    *MessengerPlus3="C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »Browser Helper Objects (LM)
»Files
»System/Drivers
 »Running Processes
  +FFCF4393=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  +FFFEB83B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  +FFFE86AB=C:\WINDOWS\SYSTEM\MPREXE.EXE
  +FFFE381B=C:\WINDOWS\SYSTEM\MSTASK.EXE
  +FFFE0577=C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
  +FFFE60AF=C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
  +FFFDA0DB=C:\WINDOWS\SYSTEM\mmtask.tsk
  +FFFDB39B=C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
  +FFFE7C3B=C:\WINDOWS\EXPLORER.EXE
  +FFFCD757=C:\WINDOWS\TASKMON.EXE
  +FFFC3F5B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  +FFFC7907=C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
  +FFFC48F7=C:\WINDOWS\SYSTEM\LVCOMS.EXE
  +FFF39B37=C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
  +FFFC493F=C:\WINDOWS\SYSTEM\STIMON.EXE
  +FFFCC783=C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
  +FFF33FBF=C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
  +FFF305BB=C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
  +FFF2A647=C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
  +FFF28617=C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTRAY.EXE
  +FFF28F9B=C:\WINDOWS\RunDLL.exe
  +FFF24373=C:\WINDOWS\SYSTEM\DDHELP.EXE
  +FFF1E52B=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
  +FFF107DB=C:\WINDOWS\SYSTEM\WMIEXE.EXE
  +FFF0DD0F=C:\WINDOWS\PROFILES\DANIEL\DESKTOP\START DRECK\STARTDRECK.EXE
»Application specific

*** About:Buster Log ***

Scanned at: 12:02:01 AM   on: 5/15/05


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 9:52:10 AM   on: 5/15/05


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
CWS.hiddendll - Help!
« Reply #13 on: May 14, 2005, 07:46:24 PM »
That looks fine now

Can you look in this folder and let me know if the file SDHelper.dll exists
Sometimes this hijacker deletes this file from Spybot
Look for it in this folder
C:\Program Files\Spybot - Search & Destroy
If it doesn't exist, we can replace it
If it does exist you should Open Spybot
and click on Immunizations>>OK>>Immunize at the top
Do this after every Spybot update

Then put a tick in "Enable permanent blocking of bad addresses in IE"

Can you do the below now to keep safe
You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Could you also run System File Checker one more time and let me know any files corrupt or need replaced

Could you also run DllCompare one more time and post a fresh log, thanks
« Last Edit: May 14, 2005, 07:47:09 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
CWS.hiddendll - Help!
« Reply #14 on: May 14, 2005, 08:37:09 PM »
*** HijackThis Log ***

Logfile of HijackThis v1.99.1
Scan saved at 11:32:13 AM, on 5/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\PROFILES\DANIEL\DESKTOP\COMPUTER OPTIMIZATION PROGRAMS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid%20: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by17fd.bay17.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au

*** DllCompare Log ***

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />"
________________________________________________

860 items found:  860 files, 0 directories.
Total of file sizes:  174,857,982 bytes    166.75 M

--------------------End log---------------------

*** ***

'System File Checker' -> By this did you mean HijackThis? If not, what program, so I can run it and get you a log.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
CWS.hiddendll - Help!
« Reply #15 on: May 15, 2005, 09:42:24 AM »
Sorry about the System File checker, that was meant for another poster  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' />

Doesn't look like your totally clean yet

Can you do the following please

Have Hijackths fix these 2 entries
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

Then double click on IEFix.reg and allow to merge to the registry

Restart the computer

Back in Windows
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post a fresh hijackthis log

Could you also open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click "Open In Notepad"
Copy and paste the contents of the Hosts text file that opens back here
« Last Edit: May 15, 2005, 09:43:04 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline itsumofalling

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
CWS.hiddendll - Help!
« Reply #16 on: May 17, 2005, 12:57:27 AM »
*** HijackThis Log ***

Logfile of HijackThis v1.99.1
Scan saved at 3:52:41 PM, on 5/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TELSTRA\TOOLBAR\BPUMTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SOFTWARE602\602PRO PC SUITE\602TEXT\EXEC\602TEXT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\PROFILES\DANIEL\DESKTOP\COMPUTER OPTIMIZATION PROGRAMS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid%20: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by17fd.bay17.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au

Cheers
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
CWS.hiddendll - Help!
« Reply #17 on: May 17, 2005, 11:19:38 PM »
That's looking good now

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection


Can you still do the following for me please
open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click "Open In Notepad"
Copy and paste the contents of the Hosts text file that opens back here
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline itsumofalling

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
CWS.hiddendll - Help!
« Reply #18 on: May 18, 2005, 01:46:43 AM »
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
CWS.hiddendll - Help!
« Reply #19 on: May 20, 2005, 12:13:25 AM »
Hosts file looks good

Thanks for posting back

Stay safe  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »