Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs
#16
OK, I tell you again the whole way I asked you to go
Start – Run – type "regedit" – OK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
There in Windows you have on the right side of the window a file called AppInit_DLLs
Right-click on it and choose the second from the top, "change binary datas"
Now it opens a window in which you might see the numbers
#17
Nope
Okay here is a screen shot of my start menu sorry for the poor quality...
#18
sorry this link doesn't open
#19
sorry, here it's 1:30 am and I need a sleep
previously you posted
res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%64%63%6e%6f%2e%64%6c%6c/
that's a hexagonal code and means
C:\WINNT\System32\dcno.dll
try to open that file in notepad and look what it is
it might be the html-code of an unwanted page
tomorrow I want to try to get in contact with u again
try to find a way to look into your registry
#20
Hi JustMe602 - since I last posted in this thread, we have discovered that Hijack This does not delete the file associated with the BHO as it has in the past and this is why this parasite keeps re-appearing. Also, each time you reboot, the file morphs so it can be difficult to find. I can see that you do not feel comfortable working in your registry so we can try with Hijack This again if you wish. Post a new log but this time, try not to reboot until after I have replied.
#21
CWShredder has just been updated to remove new variants of this parasite. Go here and download and run CWShredder (close IE first and click on Fix). Reboot afterwards and post back a new Hijack This log. Also let us know if you still have a problem.
#22
No hope...
Okay I have posted a new log. I did as instructed. I have downloaded the newest version of Shredder and I ran fix and then ran Hijack this and this is the latest log. I presume that you will ask me to remove sp.html (obfuscated) related lines and then ipfpaaa.dll. I will wait to hear. Also I have hopefully posted a link that will work with a screen shot of my startup menu..
http://f2.pg.photos.yahoo.com/ph/bio...&.dnm=9180.jpg
Well again I thanks for all the input on this matter.... JustMe.
Logfile of HijackThis v1.97.7
Scan saved at 9:34:42 AM, on 4/25/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
#23
Hi JustMe602 - Close IE and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {6B0695D2-3EBB-4171-91A3-EDB59041D785} - C:\WINNT\System32\ipfpaaa.dll
O4 - HKLM\..\Run: [Kernel.] C:\WINNT\goff.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts), make sure that you can view hidden files and folders and run a search for and delete the below folders/files in bold.

C:\WINNT\System32\ipfpaaa.dll
C:\WINNT\goff.exe

Reboot.

If you have restarted your PC since posting your log, the filename will have changed. You will notice in the R1 and O2 entries, the filename is the same (ipfpaaa.dll). You will have to fix the R1 entries and O2 entry again and then delete the new dll in Safe Mode. If you are not sure what to do, post back and we will help you. Post back a new Hijack This log anyway.

Re no Run box, I don't know about Win2K but showing this is an option in WinXP. Right-click on your Start button and choose Properties > Start Menu > Customize or Adjust > Advanced. Is there a check box for Run? If so, check it and reboot. If not, what happens when you depress the Win key + R?
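The cross-check the post above describes (the R0/R1 search entries and the O2 BHO naming the same DLL), together with the percent-decoding from the earlier post, as an added example that is not part of the original thread. The function names are hypothetical and the sample log is constructed from entries quoted in this thread; because the DLL name changes after a reboot, the script derives it from the current log instead of hard-coding it.

```python
import re
from urllib.parse import unquote

# Constructed sample: entries copied from the HijackThis lines quoted in this
# thread. The last R1 line is constructed around the percent-encoded res:// URL
# quoted earlier in the thread, to exercise the decoding path.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B0695D2-3EBB-4171-91A3-EDB59041D785} - C:\WINNT\System32\ipfpaaa.dll
O4 - HKLM\..\Run: [Kernel.] C:\WINNT\goff.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%64%63%6e%6f%2e%64%6c%6c/
"""

R_LINE = re.compile(r"^(R[0-3]) - (.+?) = (.*)$")
BHO_LINE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RES_URL = re.compile(r"^res://(.+?\.(?:dll|exe|ocx))(?:/(.*))?$", re.IGNORECASE)


def analyze(log_text):
    """Return one finding per R0-R3 entry whose value is a res:// URL into a local binary."""
    hijacks, bhos = [], {}
    for line in map(str.strip, log_text.splitlines()):
        m = R_LINE.match(line)
        if m:
            raw = m.group(3).replace("(obfuscated)", "").strip()
            decoded = unquote(raw)  # undo the %xx encoding that hides the path
            res = RES_URL.match(decoded)
            if res:
                hijacks.append({
                    "section": m.group(1),
                    "registry_value": m.group(2),
                    "dll": res.group(1),
                    "resource": res.group(2) or "",
                    "percent_encoded": decoded != raw,
                })
            continue
        m = BHO_LINE.match(line)
        if m:
            bhos[m.group(2).strip().lower()] = m.group(1)
    # Cross-check: is the DLL behind the search page also registered as a BHO?
    for h in hijacks:
        h["bho_clsid"] = bhos.get(h["dll"].lower())
    return hijacks


def dlls_to_review(findings):
    """Unique DLL paths named by the findings, in first-seen order."""
    seen = []
    for f in findings:
        if f["dll"].lower() not in (s.lower() for s in seen):
            seen.append(f["dll"])
    return seen


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["section"], f["registry_value"])
        print("   dll:", f["dll"], "| encoded:", f["percent_encoded"],
              "| BHO:", f["bho_clsid"] or "none in this log")
```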
#24
Okay did as instructed...
The system admin doesn't give us peons the access rights to the run command I found out that's why I don't have access rights or that's why it is not in the windows start button.... Well here is the log from my most recent attempt to rectify this situation.
Logfile of HijackThis v1.97.7
Scan saved at 7:57:10 AM, on 4/28/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
#25
what are these?
O1 - Hosts: 199.231.129.165 www.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 reports.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 fclaw.com # Necessary to access FTP site since AD Domain is fclaw.com
do u know???
#26
Please read the thread Meangean. That question was asked quite some posts ago.
That's a clean log JustMe602. What method did you use to resolve the issue and have you had any further problems?
#27
Well that worked for about... oh an hour or so...
I didn't get too excited about it, and for good reason about an hour or so I was able to log in and out of IE without having to worry about it however to no avail it still keeps coming back..... :confused:
#28
Darn, I was hoping that the updated version of CWShredder would get rid of the problem.
Go here and download pv.zip. Extract the folder to the desktop and open it up. Make sure that you have at least one Internet Explorer window open. Double click on the runme.bat and Type 1 for explorer dll's. Hit return. Notepad will open with a log in it. Please copy and paste the log into this post.
#29
Okay....
Module information for 'Explorer.EXE'
#30
Hi justme602,
Sorry, but need a new HJT log too, in case of file name change from running CWShredder. Need to see a line similar to this when About:blank is present in HJT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
4 things, please.
1. New HJT log (with about:blank present).
2. Download TheKillbox from: http://download.broadbandmedic.com/VbStuff/KillBox.zip
3. Download "Xfind.zip" from: http://www10.brinkster.com/expl0iter...ast/PVtool.htm
4. New log from PV (same steps as you did before): Make sure that you have at least one Internet Explorer window open. Double click on the runme.bat and Type 1 for explorer dll's. Hit return. Notepad will open with a log in it. Please copy and paste the log into this post.
Post back the new PV log, along with a new HJT log.
Save Killbox and Xfind in a new folder, please. Don't do anything with them just yet.
What Firewall do you have?
Cheers