Malware Removal - Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app, please include any supporting documentation or logs.
#31
Logfile of HijackThis v1.97.7
Scan saved at 8:01:54 PM, on 5/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Command Software\Command AntiVirus\dvpinit.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINNT\system32\SLClient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\Altiris\CARBON~1\shellker.exe
C:\DOCUME~1\sdewey\LOCALS~1\Temp\slagent.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\sdewey\My Documents\shredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 199.231.129.165 www.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 reports.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 fclaw.com # Necessary to access FTP site since AD Domain is fclaw.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {27898C84-3C4B-4E48-A2BF-22F71CC44146} - C:\WINNT\system32\klpjoj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [DesktopAuthority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Authority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - Startup: BHO Cop.lnk = C:\Program Files\BHOCop\BHOCop.exe
O4 - Startup: Calculator.lnk = C:\WINNT\system32\calc.exe
O4 - Startup: Procomm Plus.lnk = C:\Program Files\Procomm Plus\programs\PW4.EXE
O4 - Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O4 - Global Startup: MCategory.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...040.5323842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D6A6A09C-C43C-4BCC-90B0-349B71239328} (AXfco Control) - http://workflow.fclaw.com/AXfco.cab
O16 - DPF: {D6FB2DA3-A767-4D27-9926-B5F0528B0A08} (UAttach Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {DA018E54-7561-4AB5-A893-A3388C0F511C} (UltSignature Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {E09150AF-9388-450B-8098-0B4F6BBE1419} (Ultimus) - http://workflow.fclaw.com/UltAxClientMin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fclaw.com

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 400000 253952 C:\WINNT\Explorer.EXE 5.00.3502.5321 Windows Explorer
ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
ADVAPI32.DLL 7c2d0000 401408 C:\WINNT\system32\ADVAPI32.DLL 5.00.2195.6876 Advanced Windows 32 Base API
KERNEL32.DLL 7c570000 753664 C:\WINNT\system32\KERNEL32.DLL 5.00.2195.6897 Windows NT BASE API Client DLL
RPCRT4.DLL 77d30000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
GDI32.DLL 77f40000 253952 C:\WINNT\system32\GDI32.DLL 5.00.2195.6898 GDI Client DLL
USER32.DLL 77e10000 413696 C:\WINNT\system32\USER32.DLL 5.00.2195.6897 Windows 2000 USER API Client DLL
SHLWAPI.DLL 70bd0000 413696 C:\WINNT\system32\SHLWAPI.DLL 6.00.2800.1106 Shell Light-weight Utility Library
msvcrt.dll 78000000 286720 C:\WINNT\system32\msvcrt.dll 6.10.9359.0 Microsoft (R) C Runtime Library
COMCTL32.DLL 71710000 540672 C:\WINNT\system32\COMCTL32.DLL 5.81 Common Controls Library
shim.dll 732e0000 151552 C:\WINNT\system32\shim.dll 5.00.2195.5308 Shim Engine DLL
AcLayers.DLL 23000000 352256 C:\WINNT\AppPatch\AcLayers.DLL 5.00.2195.5308 Windows 2000 Shim Accessory DLL
hlpiigf.dll 61c00000 61440 c:\winnt\system32\hlpiigf.dll
SHELL32.dll 782f0000 2375680 C:\WINNT\system32\SHELL32.dll 5.00.3502.6144 Windows Shell Common Dll
OLE32.DLL 77a50000 978944 C:\WINNT\system32\OLE32.DLL 5.00.2195.6906 Microsoft OLE for Windows
CLBCATQ.DLL 775a0000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0
OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4518
cscui.dll 77840000 249856 C:\WINNT\system32\cscui.dll 5.00.2195.4104 Client Side Caching UI
CSCDLL.DLL 770c0000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.5434 Offline Network Agent
SHDOCVW.DLL 71000000 1347584 C:\WINNT\system32\SHDOCVW.DLL 6.00.2800.1106 Shell Doc Object and Control Library
browseui.dll 71160000 1036288 C:\WINNT\System32\browseui.dll 6.00.2800.1106 Shell Browser UI Library
USERENV.DLL 7c0f0000 397312 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
ATL.DLL 773e0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
NETAPI32.DLL 75170000 323584 C:\WINNT\system32\NETAPI32.DLL 5.00.2195.6897 Net Win32 API DLL
SECUR32.DLL 77be0000 61440 C:\WINNT\system32\SECUR32.DLL 5.00.2195.4587 Security Support Provider Interface
NETRAP.DLL 751c0000 24576 C:\WINNT\system32\NETRAP.DLL 5.00.2134.1 Net Remote Admin Protocol DLL
SAMLIB.DLL 75150000 61440 C:\WINNT\system32\SAMLIB.DLL 5.00.2195.6897 SAM Library DLL
WS2_32.DLL 75030000 77824 C:\WINNT\system32\WS2_32.DLL 5.00.2195.4874 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
WLDAP32.DLL 77950000 172032 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.5400 Win32 LDAP API DLL
DNSAPI.DLL 77980000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
WSOCK32.DLL 75050000 32768 C:\WINNT\system32\WSOCK32.DLL 5.00.2195.4874 Windows Socket 32-Bit DLL
WININET.dll 70200000 610304 C:\WINNT\system32\WININET.dll 6.00.2800.1106 Internet Extensions for Win32
CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
mydocs.dll 76df0000 69632 C:\WINNT\system32\mydocs.dll 5.00.3315.4065 My Documents Folder UI
SLAgent.dll 10000000 53248 C:\DOCUME~1\sdewey\LOCALS~1\Temp\SLAgent.dll 5, 5, 0, 0 SLAgentDll Dynamic Link Library
CRTDLL.DLL 74fa0000 159744 C:\WINNT\System32\CRTDLL.DLL 4.00 Microsoft C Runtime Library
MPR.DLL 76620000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 Multiple Provider Router DLL
ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2195.5428 Microsoft® Lan Manager
NETUI0.DLL 75210000 86016 C:\WINNT\System32\NETUI0.DLL 5.00.2195.4874 NT LM UI Common Code - GUI Classes
NETUI1.DLL 751d0000 229376 C:\WINNT\System32\NETUI1.DLL 5.00.2134.1 NT LM UI Common Code - Networking classes
NETSHELL.dll 76f20000 479232 C:\WINNT\system32\NETSHELL.dll 5.00.2195.5431 Network Connections Shell
stobject.dll 766d0000 98304 C:\WINNT\system32\stobject.dll 5.00.2195.4455 Systray shell service object
BATMETER.DLL 76740000 32768 C:\WINNT\system32\BATMETER.DLL 5.00.3502.5305 Battery Meter Helper DLL
SETUPAPI.DLL 77880000 577536 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.5400 Windows Setup API
POWRPROF.DLL 766f0000 28672 C:\WINNT\system32\POWRPROF.DLL 5.00.3502.5305 Power Profile Helper DLL
WINMM.DLL 77570000 196608 C:\WINNT\system32\WINMM.DLL 5.00.2161.1 MCI API DLL
webcheck.dll 70340000 266240 C:\WINNT\System32\webcheck.dll 6.00.2800.1106 Web Site Monitor
MSI.DLL 770f0000 2084864 C:\WINNT\system32\MSI.DLL 2.0.2600.1 Windows Installer
wdmaud.drv 77560000 36864 C:\WINNT\system32\wdmaud.drv 5.00.2195.3649 WDM Audio driver mapper
msacm32.drv 77400000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
MSACM32.dll 77410000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
LINKINFO.DLL 76710000 36864 C:\WINNT\system32\LINKINFO.DLL 5.00.2134.1 Windows Volume Tracking
shdoclc.dll 718c0000 540672 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
CfgMgr32.dll 770b0000 28672 C:\WINNT\system32\CfgMgr32.dll 5.00.2134.1 Configuration Manager Forwarder DLL
docprop2.dll 71f00000 315392 C:\WINNT\System32\docprop2.dll 5.00.2178.1 DocProp2
MSVFW32.DLL 6a8f0000 131072 C:\WINNT\System32\MSVFW32.DLL 5.00.2134.1 Microsoft Video for Windows DLL
AVIFIL32.DLL 74870000 90112 C:\WINNT\System32\AVIFIL32.DLL 5.00.2134.1 Microsoft AVI File support library
faxshell.dll 70020000 20480 C:\WINNT\system32\faxshell.dll 5.00.2134.1 Fax Tiff Data Column Provider
actxprxy.dll 703d0000 110592 C:\WINNT\System32\actxprxy.dll 6.00.2800.1106 ActiveX Interface Marshaling Library
events.dll 2030000 147456 C:\Program Files\Trillian\events.dll
comdlg32.dll 76b30000 249856 C:\WINNT\system32\comdlg32.dll 5.00.3315.3727 Common Dialogs DLL
browselc.dll 71960000 73728 C:\WINNT\System32\browselc.dll 6.00.2800.1106 Shell Browser UI Library
version.dll 77820000 28672 C:\WINNT\system32\version.dll 5.00.2134.1 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2134.1 LZ Expand/Compress API DLL
clreg.dll 2a90000 126976 C:\Program Files\West Group\Common\clreg.dll 2.2.0.1 WestCiteLink Registry
urlmon.dll 702b0000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1106 OLE32 Extensions for Win32
wgfile.dll 3a10000 114688 C:\Program Files\West Group\Common\wgfile.dll 2.2.0.1 West Group File Objects
WZSHLSTB.DLL 16200000 24576 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL 4.1 (32-bit) WinZip Shell Extension DLL
avshext.dll 3ea0000 32768 C:\Program Files\Command Software\Command AntiVirus\avshext.dll 4,80,2,30311
ATL70.DLL 3eb0000 98304 C:\WINNT\system32\ATL70.DLL 7.00.9466.0 ATL Module for Windows (Unicode)
MSVCR70.dll 7c000000 344064 C:\WINNT\system32\MSVCR70.dll 7.00.9466.0 Microsoft® C Runtime Library
avshelng.dll 3ee0000 20480 C:\Program Files\Command Software\Command AntiVirus\avshelng.dll 4,80,2,30311
clie.dll 3ef0000 237568 C:\Program Files\West Group\CiteLink\clie\clie.dll 2.2.0.1 WestCiteLink for Microsoft Internet Explorer
MFC42.DLL 103a0000 991232 C:\WINNT\system32\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
MSVCP60.dll 780c0000 397312 C:\WINNT\system32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
ycomp5_3_16_0.dll 68000000 315392 C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll 2004, 2, 9, 1 Yahoo! Companion 5.3 for Internet Explorer
klpjoj.dll 3fb0000 45056 C:\WINNT\system32\klpjoj.dll
SDHelper.dll 3fc0000 733184 C:\PROGRA~1\SPYBOT~1\SDHelper.dll
olepro32.dll 695e0000 167936 C:\WINNT\system32\olepro32.dll 5.0.4518
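The pattern a helper looks for in a log like the one above is mechanical enough to script: IE's start/search values pointing at a res:// resource inside a DLL, a BHO with no name loading that same DLL, and a module in the Windows directory with no version resource or description (every genuine system DLL in the log carries one). The triage script below is an added example, not part of the post and not HijackThis code. The sample excerpt is constructed from lines in the post's log; the rule names, the Finding class and the "no version info in a system directory" heuristic are this example's own assumptions, and the last rule produces leads to review, not verdicts.

```python
"""Triage a HijackThis (v1.97-era) log for the hidden-DLL search hijack pattern."""
import re
from dataclasses import dataclass

# Constructed excerpt, taken from the log in the post above (not a full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {27898C84-3C4B-4E48-A2BF-22F71CC44146} - C:\WINNT\system32\klpjoj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
hlpiigf.dll 61c00000 61440 c:\winnt\system32\hlpiigf.dll
clie.dll 3ef0000 237568 C:\Program Files\West Group\CiteLink\clie\clie.dll 2.2.0.1 WestCiteLink for Microsoft Internet Explorer
klpjoj.dll 3fb0000 45056 C:\WINNT\system32\klpjoj.dll
SDHelper.dll 3fc0000 733184 C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
MODULE_LINE = re.compile(r"^(?P<name>\S+) (?P<base>[0-9a-fA-F]+) (?P<size>\d+) (?P<rest>.+)$")
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)   # res:// served out of a DLL
SYSTEM_DIR = re.compile(r"^[a-z]:\\win(nt|dows)\\", re.IGNORECASE)  # assumed Windows directory layout


@dataclass(frozen=True)
class Finding:
    kind: str    # rule that fired (names are this example's own)
    item: str    # registry value, CLSID or module the finding is about
    detail: str  # the path or value that triggered it


def split_module_rest(name: str, rest: str):
    """Split 'path version description' at the end of the path.

    Paths contain spaces (C:\\Program Files\\...), so cut after the module's own
    file name rather than at the first space. Heuristic: assumes the file name
    does not also occur earlier in the path.
    """
    idx = rest.lower().find(name.lower())
    if idx < 0:
        return rest, ""
    end = idx + len(name)
    return rest[:end], rest[end:].strip()


def parse_log(text: str) -> dict:
    """Extract IE start/search settings, BHO entries and Explorer's module list."""
    ie_settings, bhos, modules = [], [], []
    in_modules = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Module information for"):
            in_modules = True
            continue
        if in_modules:
            m = MODULE_LINE.match(line)
            if m and not line.startswith("MODULE BASE SIZE PATH"):
                path, info = split_module_rest(m["name"], m["rest"])
                modules.append({"name": m["name"], "base": int(m["base"], 16),
                                "size": int(m["size"]), "path": path, "info": info})
            continue
        m = R_LINE.match(line)
        if m:
            ie_settings.append({"key": m["key"], "value": m["value"]})
            continue
        m = O2_LINE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"], "path": m["path"]})
    return {"ie_settings": ie_settings, "bhos": bhos, "modules": modules}


def triage(text: str) -> list:
    """Apply the three rules and return the list of Findings."""
    parsed = parse_log(text)
    findings, hijack_dlls = [], set()

    # Rule 1: IE search/start values should be http(s) URLs or about:blank, never
    # a res:// page served from a DLL on disk.
    for s in parsed["ie_settings"]:
        m = RES_DLL.match(s["value"])
        if m:
            hijack_dlls.add(m["dll"].lower())
            findings.append(Finding("res_dll_search_hijack", s["key"], s["value"]))

    # Rule 2: a BHO whose DLL is the one serving the res:// page, or an unnamed
    # BHO loaded from the Windows directory with no version information.
    by_path = {mod["path"].lower(): mod for mod in parsed["modules"]}
    for b in parsed["bhos"]:
        p = b["path"].lower()
        mod = by_path.get(p)
        if p in hijack_dlls:
            findings.append(Finding("bho_is_hijack_dll", b["clsid"], b["path"]))
        elif b["name"] == "(no name)" and SYSTEM_DIR.match(b["path"]) and mod and not mod["info"]:
            findings.append(Finding("unnamed_bho_no_version", b["clsid"], b["path"]))

    # Rule 3: a module in the Windows directory with no version/description is a
    # lead to review, not proof; legitimate system DLLs in this log all carry one.
    for mod in parsed["modules"]:
        if not mod["info"] and SYSTEM_DIR.match(mod["path"]):
            findings.append(Finding("system_module_without_version", mod["name"], mod["path"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.item:60} {f.detail}")
```

Rule 3 is deliberately loose: on the full log it would also surface events.dll-style entries if they sat under the Windows directory, which is why it reports leads rather than verdicts and why the helper's instruction to post a fresh log after cleanup is the real check.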
#32
Hi JustMe602 - sorry about the delay in replying to your post. I haven't been able to be here much this week. OK, we can see the hidden file, it's klpjoj.dll.

Download dllfix.exe from here. Double-click on it and install in a folder of your choice, preferably on your root drive (C:). Double-click on start.bat and choose option 2 (type 2 after the blinking cursor and hit Enter). Next choose option 1 (type 1 after the blinking cursor and hit Enter). Type klpjoj.dll after the cursor and hit Enter again. The program will do the rest. NB: you will be asked if you wish to reboot; you must click YES.

When you have rebooted, make sure that you have the latest version of CWShredder and run it again. Reboot afterwards.

Next, download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version, and always go online and update it before you run it). After installing AAW, and before running the program, you must FIRST update the reference file following these instructions (and you must always do this before you run the program at any later date).

Now do the following:
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine: check "Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine: check "Let Windows remove files in use after reboot."
Press "Scan Now" - check option "Use Custom scanning options" - check option "Activate In-Depth Scan" - press "Select drives\folders to scan" - select the active partition, which is usually C:.
Now press "Next" to let Ad-aware scan your drives. It will find a number of spyware files and registry keys. Right-click in that pane and choose "Select all". Now press "Next" again. It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware and reboot. Run Hijack This again and post back a new log.