# [Solved] Web browser Highjack HJT post...



## CrockerPE (Mar 28, 2004)

My web browser has been highjacked. I have already tried fixing it with HJT, but it still keeps taken over web browser. What should i do?

Logfile of HijackThis v1.97.7
Scan saved at 7:38:24 PM, on 5/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\lexpps.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kechkio.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kechkio.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kechkio.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kechkio.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kechkio.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kechkio.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2779E620-11A5-4863-A807-2261B91F01F8} - C:\WINDOWS\System32\kechkio.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SpyBlocs\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe" 
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sr32] C:\Documents and Settings\Paul\Application Data\Microsoft\sr32\sr32.exe
O4 - HKCU\..\Run: [Iotn] C:\Documents and Settings\Paul\Application Data\urod.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: Yahoo! MLB StatTracker - http://aud2.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...ts/y/potc_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...0367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...s/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8049.4126388889
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab


----------



## Flrman1 (Jul 26, 2002)

You have been hijacked by the most complex browser hijacker ever. The removal procedures are quite complex. Before I attempt to give you instructions let me ask you 3 questions,

1: How good are you with computers?

2: Do you have your XP installation Disk?

3: Is it XP Home or Pro?


----------



## CrockerPE (Mar 28, 2004)

probably at a basic to intermediate level with my knowledge of computers. I'm running XP home edition. I have an XP home reinstallation disc.


----------



## CrockerPE (Mar 28, 2004)

Flrman. Can you help me with this.


----------



## Flrman1 (Jul 26, 2002)

Sorry, I didn't receive notification that you replied the first time.

First please do this:

Click on this link to download Find-All.zip.

http://www10.brinkster.com/expl0iter/freeatlast/Find-All.zip

Unzip the files. Open the folder and doubleclick on the FindAll.Bat file in the Find All folder. Wait for it to complete and it will generate two logs ie... an output.txt file and a windows.txt file. Copy and paste the contents of those files here.

**Note:* If your Antivirus is running a scriptblocker, when you run Findall.bat, you will recieve an alert warning you that the script is running. "Allow" the script to run.

After you do that and post it here do this:

Install Recovery Console:

If you have the XP installation disk, put the CD in the drive while on the internet.

Go to Start>Run and execute this command: (Copy and paste the command in and then press enter)

D:\i386\winnt32.exe /cmdcons

Where D is the CD drive Letter. If D is not the drive letter of your CD drive change it accordingly.

After you have installed the Recovery Console and posted the log from the output.txt file, wait for further instructions.


----------



## CrockerPE (Mar 28, 2004)

It only popped up an output text. Here it is:

--==***@@@ FIND-ALL' VERSION 5 5/16 @@@***==--

Mon May 17 14:07:30 2004 -- Results: 
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (9890:9157) - FS:NTFS clusters:4k
Total: 59 954 065 408 [56G] - Free: 48 776 019 968 [45G]

*IE version and Service packs: 
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion	REG_SZ	;SP1;Q832894;Q330994;Q837009;Q831167;

*Google Toolbar version and Attributes: 
Defaults: "A" ;"R" 
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*Wmplayer version: 
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*PC uptime: 
2:07pm up 0 days, 1:09

*Locked or 'Suspect' file(s) found... 
The system cannot execute the specified program.
The system cannot execute the specified program.

*List of top level windows: 
HWND PID PRIO TITLE
100ea 1520 norm TF_FloatingLangBar_WndTitle
100ec 1520 norm CiceroUIWndFrame
3035e 1112 norm SysFader
a0246 1112 norm SysFader
4002e 1112 norm _Shell_TrayWnd
20084 1112 norm Start Menu
20264 3896 norm SysFader
201b8 1196 norm Norton AntiVirus
10026 740 high NetDDE Agent
6033c 3928 norm C:\WINDOWS\System32\cmd.exe
270212 1112 norm Find-All
3c0234 1112 norm Find-All
2d02f4 1292 norm ActiveMovie Window
6202f2 1292 norm ActiveMovie Window
2302d8 1292 norm MSP PNP Notification Window
460232 1292 norm CRTCClient
1f0244 1292 norm CRTCIMService
22025e 1292 norm DDE Server Window
901fa 3896 norm Tech Support Guy Forums - Web browser Highjack HJT post... - Microsoft Internet
2e0300 1112 norm MCI command handling window
1019e 2596 norm SpywareGuard Brower Hijacking Protection
10198 2596 norm SG Browser Hijacking Protection
20112 2464 norm _Static
10124 2464 norm SpywareGuard
1011c 2464 norm SpywareGuard
2602ac 1196 norm MCI command handling window
30230 3896 norm MCI command handling window
20214 3896 norm IMMIF UI
120046 3896 norm DDE Server Window
101e0 2176 norm WindowsFormsParkingWindow
200c4 2176 norm Hidden NotifyIconTarget Window
200a4 2176 norm .NET-BroadcastEventWindow.1.0.3300.0.11
200f6 1196 norm DefAlert_Window_29DABAC8-AB93-43f3-926D-1DDE0C909FDF
101b2 1196 norm ISLALERT_WINDOWNAME_{DA5EA0DE-0190-4755-9ABE-C6DBF5A1008B}
10192 2500 norm Webshots Tray
1011a 1984 norm DirectCD
10114 1196 norm ccApp
10100 2148 norm Digital Line Detect
100f8 1940 norm lxbabmon
100d8 1324 norm Creative Volume Control
100dc 1460 norm CTDVDDET
100d6 1324 norm Creative Volume Control
100d2 1892 norm CtSpkHlp
100ca 636 norm LXBABMGR
100c2 460 norm Support
100c6 1112 norm Connections Tray
100bc 1892 norm CtHelper - Apollo
100b2 1112 norm Power Meter
100b0 1112 norm MS_WebcheckMonitor
100ae 1240 norm ATI video bios poller
100ac 416 norm lxba POR Monitor
20064 416 norm LEXLMPM
10074 448 norm 
10072 448 norm LexPPS BCE Comm Window
101e4 2176 norm GDI+ Window
201de 2176 norm NotifyAlert
2902d4 1112 norm SysFader
10082 1112 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
@="Web assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{851F85B2-F18F-4F93-BC2C-39D6A2B48C7C}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{851F85B2-F18F-4F93-BC2C-39D6A2B48C7C}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls	REG_SZ

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




----------



## Flrman1 (Jul 26, 2002)

Did you unzip the Findall.zip file before you ran Findall.bat?


----------



## CrockerPE (Mar 28, 2004)

When i click on that link you sent me, should i click open or save? I guess my question is how do you unzip?


----------



## CrockerPE (Mar 28, 2004)

I've already installed the recovery disc.


----------



## Flrman1 (Jul 26, 2002)

You should save the file to your Desktop. Then go to the Findall.zip file on your desktop and right click it and choose "Extract All" This will extract the files to a new Findall folder on your desktop. Open that new Findall folder and inside you will find the Findall.bat file. Run it again as you did before and post the output.txt log. It must be unzipped (Extracted) first or it will not find the hidden file that I am looking for.


----------



## CrockerPE (Mar 28, 2004)

--==***@@@ FIND-ALL' VERSION 5 5/16 @@@***==--

Mon May 17 14:41:19 2004 -- Results: 
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (9890:9157) - FS:NTFS clusters:4k
Total: 59 954 065 408 [56G] - Free: 48 766 681 088 [45G]

*IE version and Service packs: 
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion	REG_SZ	;SP1;Q832894;Q330994;Q837009;Q831167;

*Google Toolbar version and Attributes: 
Defaults: "A" ;"R" 
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*Wmplayer version: 
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*PC uptime: 
2:41pm up 0 days, 0:10

*Locked or 'Suspect' file(s) found... 
\\?\C:\WINDOWS\System32\WINHK.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINHK.DLL +++ File read error

*List of top level windows: 
HWND PID PRIO TITLE
100f4 2664 norm TF_FloatingLangBar_WndTitle
100f6 2664 norm CiceroUIWndFrame
4031a 2168 norm SysFader
101ee 3412 norm SysFader
201c2 2548 norm Norton AntiVirus
10094 2168 norm Start Menu
3003c 2168 norm _Shell_TrayWnd
10026 696 high NetDDE Agent
4021c 3064 norm ActiveMovie Window
4021e 3064 norm ActiveMovie Window
401de 3064 norm MSP PNP Notification Window
40216 3064 norm CRTCClient
401dc 3064 norm CRTCIMService
501be 3064 norm DDE Server Window
702e0 432 norm C:\WINDOWS\System32\cmd.exe
302c4 2168 norm Find-All
60300 2168 norm MCI command handling window
101e0 3412 norm Tech Support Guy Forums - Web browser Highjack HJT post... - Microsoft Internet
202fc 3412 norm Download complete
40054 3412 norm MCI command handling window
1019c 3084 norm SpywareGuard Brower Hijacking Protection
10196 3084 norm SG Browser Hijacking Protection
10232 3412 norm IMMIF UI
10218 3412 norm DDE Server Window
101d0 2548 norm DefAlert_Window_29DABAC8-AB93-43f3-926D-1DDE0C909FDF
101b2 2684 norm WindowsFormsParkingWindow
101ae 2684 norm Hidden NotifyIconTarget Window
201aa 2684 norm .NET-BroadcastEventWindow.1.0.3300.0.11
101a8 2548 norm ccApp
10192 3040 norm Webshots Tray
10126 2420 norm DirectCD
10120 3000 norm _Static
20112 3000 norm SpywareGuard
200b4 3000 norm SpywareGuard
200fe 2824 norm Digital Line Detect
100d6 2596 norm Creative Volume Control
100ec 2168 norm Connections Tray
100e2 2168 norm Power Meter
100e0 2168 norm MS_WebcheckMonitor
100d8 2652 norm lxbabmon
100da 2616 norm CTDVDDET
100d2 2596 norm Creative Volume Control
100ce 2384 norm CtSpkHlp
100c4 2440 norm Support
100c2 2480 norm LXBABMGR
100bc 2384 norm CtHelper - Apollo
1007a 660 norm ATI video bios poller
10078 404 norm lxba POR Monitor
10076 404 norm LEXLMPM
10074 436 norm 
10072 436 norm LexPPS BCE Comm Window
101b4 2684 norm GDI+ Window
101b0 2684 norm NotifyAlert
101bc 2548 norm ISLALERT_WINDOWNAME_{DA5EA0DE-0190-4755-9ABE-C6DBF5A1008B}
10092 2168 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
@="Web assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{851F85B2-F18F-4F93-BC2C-39D6A2B48C7C}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{851F85B2-F18F-4F93-BC2C-39D6A2B48C7C}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls	REG_SZ

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




----------



## Flrman1 (Jul 26, 2002)

OK I am attaching the next steps in a Directions for CrockerPE.zip file. Download the file and save it to your Desktop and unzip the file (Right click it and choose "Extract All" just like you did the Findall.zip file) . Inside you will find the directions in a Readme.txt file follow those directions first and then please only *after* following those directions run Adaware and CWShredder according to these directions:

It would be a good idea to go ahead and download these programs if you do not already have them and have them ready and then go offline and remane offline until you have completed everything and are ready to come back and post the new logs. Again I repeat *DO NOT* run CWShredder and Adawre until after you have completed the steps in the Readme.txt file.

Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click *"Fix" (Not "Scan only")* and let it do it's thing.

When it is finished *restart your computer*.

o here and download Adaware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right corner and click on *Check for updates now* and download the latest referencefiles.

Make sure the following settings are made and on -------*ON=GREEN*

From main window :Click *Start* then *Activate in-depth scan (recommended)*

Click *Use custom scanning options* then click *Customize* and have these options selected: Under *Drives and Folders* put a check by *Scan within archives* and below that under *Memory and Registry* put a check by *all* the options there.

Now click on the *Tweak* button in that same window. Under *Scanning engine* select *Unload recognized processes during scanning* and under *Cleaning Engine* select *Let windows remove files in use at next reboot*

Click *proceed* to save your settings.

Now to scan just click the *Next* button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose *select all* from the drop down menu and click *Next*)

*Restart your computer*.

Then go here and download Spybot Search & Destroy.

Install the program and launch it.

Before scanning press *Online* and *Search for Updates* .

Put a check mark at and install *all updates*.

Click *Check for Problems* and when the scan is finished let Spybot fix/remove *all* it finds marked in RED.

*Restart your computer*.

After completing all that come back here and post a new HJT log and a new output.txt log and windows.txt log from Findall.bat.


----------



## CrockerPE (Mar 28, 2004)

I followed all of your directions here is my new HJT post:

Logfile of HijackThis v1.97.7
Scan saved at 5:18:02 PM, on 5/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kechkio.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kechkio.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kechkio.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SpyBlocs\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe" 
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sr32] C:\Documents and Settings\Paul\Application Data\Microsoft\sr32\sr32.exe
O4 - HKCU\..\Run: [Iotn] C:\Documents and Settings\Paul\Application Data\urod.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: Yahoo! MLB StatTracker - http://aud2.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38049.4126388889
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Flrman1 (Jul 26, 2002)

I also need you to run Findall.bat and post another output.txt file.


----------



## CrockerPE (Mar 28, 2004)

I ran Findall.bat and here is the post:

--==***@@@ FIND-ALL' VERSION 5 5/16 @@@***==--

Mon May 17 22:11:37 2004 -- Results: 
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (9890:9157) - FS:NTFS clusters:4k
Total: 59 954 065 408 [56G] - Free: 48 681 275 392 [45G]

*IE version and Service packs: 
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion	REG_SZ	;SP1;Q832894;Q330994;Q837009;Q831167;

*Google Toolbar version and Attributes: 
Defaults: "A" ;"R" 
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*Wmplayer version: 
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*PC uptime: 
10:11pm up 0 days, 5:48

*Locked or 'Suspect' file(s) found... 
\\?\C:\WINDOWS\System32\WINHK.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINHK.DLL +++ File read error

*List of top level windows: 
HWND PID PRIO TITLE
200e4 3044 norm TF_FloatingLangBar_WndTitle
200e2 3044 norm CiceroUIWndFrame
1101fa 1524 norm SysFader
4026a 2120 norm SysFader
300c4 1524 norm Start Menu
60090 1524 norm _Shell_TrayWnd
201ae 3736 norm Norton AntiVirus
80038 744 high NetDDE Agent
1401fc 2232 norm C:\WINDOWS\System32\cmd.exe
19016a 1524 norm Find-All
e024a 2120 norm Tech Support Guy Forums - Web browser Highjack HJT post... - Microsoft Internet
11015e 1524 norm MCI command handling window
120244 2120 norm MCI command handling window
701dc 2120 norm IMMIF UI
80202 2120 norm DDE Server Window
2017c 1716 norm WindowsFormsParkingWindow
20180 1716 norm Hidden NotifyIconTarget Window
20184 1716 norm .NET-BroadcastEventWindow.1.0.3300.0.11
3009a 4056 norm CtHelper - Apollo
2011c 4056 norm CtSpkHlp
201a0 3736 norm DefAlert_Window_29DABAC8-AB93-43f3-926D-1DDE0C909FDF
201b8 3736 norm ISLALERT_WINDOWNAME_{DA5EA0DE-0190-4755-9ABE-C6DBF5A1008B}
201c6 2296 norm SpywareGuard Brower Hijacking Protection
201c4 2296 norm SG Browser Hijacking Protection
2013e 3420 norm _Static
2010e 3420 norm SpywareGuard
4012e 3420 norm SpywareGuard
40124 3244 norm Webshots Tray
30126 3224 norm Creative Volume Control
3012c 3224 norm Creative Volume Control
30142 2996 norm DirectCD
70040 1672 norm Digital Line Detect
7003c 2600 norm 
3014e 2600 norm LexPPS BCE Comm Window
600d0 3736 norm ccApp
400bc 2624 norm CTDVDDET
800fc 3104 norm lxbabmon
400b2 3952 norm Support
20100 1524 norm Connections Tray
2009c 1524 norm Power Meter
20094 1524 norm MS_WebcheckMonitor
600ce 164 norm LXBABMGR
1007a 704 norm ATI video bios poller
10078 424 norm lxba POR Monitor
10076 424 norm LEXLMPM
20176 1716 norm GDI+ Window
2017a 1716 norm NotifyAlert
90282 1524 norm SysFader
80030 1524 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
@="Web assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls	REG_SZ

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




----------



## Flrman1 (Jul 26, 2002)

Well that failed. I want to try another method using a new removal tool that is still in the testing stages. I can't make the link to the tool public yet so I am going to pm the link and the diredtions to you.

Check your PM box.


----------



## Flrman1 (Jul 26, 2002)

I see you don't have your private messaging enabled on the board so I am sending the directions via email.


----------



## CrockerPE (Mar 28, 2004)

Are you still there flrman. I'm still having problems with this.


----------



## CrockerPE (Mar 28, 2004)

I got the email you sent me and followed all the instructions. Here is my output.txt:

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Tue 05/18/2004 
09:12 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (9890:9157) - FS:NTFS clusters:4k
Total: 59 954 065 408 [56G] - Free: 48 710 131 712 [45G]

*IE version and Service packs: 
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion	REG_SZ	;SP1;Q832894;Q330994;Q837009;Q831167;

*Google Toolbar version and Attributes: 
Defaults: "A" ;"R" 
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent: 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

*Wmplayer version: 
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version: 
5.0.3810.0 C:\WINDOWS\System32\msjava.dll

*PC uptime: 
9:12pm up 0 days, 0:06
Locked or 'Suspect' file(s) found...

*List of top level windows: 
HWND PID PRIO TITLE
100fc 2796 norm TF_FloatingLangBar_WndTitle
10100 2796 norm CiceroUIWndFrame
102f0 1252 norm SysFader
1008c 1252 norm Start Menu
30066 1252 norm _Shell_TrayWnd
102b0 3532 norm SysFader
10230 3532 norm SysFader
101e2 2704 norm Norton AntiVirus
10026 704 high NetDDE Agent
f0274 3532 norm AOL.COM | Message View - Microsoft Internet Explorer
20316 3960 norm C:\WINDOWS\System32\cmd.exe
2020a 872 norm ActiveMovie Window
20206 872 norm ActiveMovie Window
20202 872 norm MSP PNP Notification Window
2021a 872 norm CRTCClient
20200 872 norm CRTCIMService
201fc 872 norm DDE Server Window
102e2 3532 norm IMMIF UI
20272 3532 norm MCI command handling window
10262 3532 norm IMMIF UI
10258 3532 norm DDE Server Window
101f4 2704 norm DefAlert_Window_29DABAC8-AB93-43f3-926D-1DDE0C909FDF
101e0 2764 norm WindowsFormsParkingWindow
101dc 2764 norm Hidden NotifyIconTarget Window
201cc 2764 norm .NET-BroadcastEventWindow.1.0.3300.0.11
101d6 2704 norm ISLALERT_WINDOWNAME_{DA5EA0DE-0190-4755-9ABE-C6DBF5A1008B}
101ce 2704 norm ccApp
101be 2924 norm SpywareGuard Brower Hijacking Protection
101b8 2924 norm SG Browser Hijacking Protection
10150 2856 norm _Static
2011e 2856 norm SpywareGuard
1013c 2856 norm SpywareGuard
30122 2876 norm Webshots Tray
100c4 2480 norm CtHelper - Apollo
10114 2752 norm Creative Volume Control
10112 2752 norm Creative Volume Control
100d6 2480 norm CtSpkHlp
10106 2836 norm Digital Line Detect
100f2 2760 norm CTDVDDET
100e8 2564 norm DirectCD
200e4 2680 norm Support
100e2 2724 norm lxbabmon
200d4 2688 norm LXBABMGR
100da 1252 norm Connections Tray
100ca 1252 norm Power Meter
1007a 328 norm ATI video bios poller
10078 2028 norm lxba POR Monitor
10076 2028 norm LEXLMPM
10074 2040 norm 
10072 2040 norm LexPPS BCE Comm Window
200be 1252 norm MS_WebcheckMonitor
101f2 2764 norm GDI+ Window
10086 2276 norm logs.txt - Notepad
202e6 1252 norm dllfix
20220 3532 norm AOL.COM | AOL Mail - Microsoft Internet Explorer
101de 2764 norm NotifyAlert
10090 1252 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
@="Web assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




----------



## CrockerPE (Mar 28, 2004)

I never got this prompt at the end though:

You will arrive at a prompt like this:

*Enter full name and hit Enter C:\Windows\System32\*

Enter this file name and hit enter:

*WINHK.DLL*


----------



## CrockerPE (Mar 28, 2004)

Here is my new HJT post:

Logfile of HijackThis v1.97.7
Scan saved at 9:16:42 PM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SpyBlocs\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe" 
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sr32] C:\Documents and Settings\Paul\Application Data\Microsoft\sr32\sr32.exe
O4 - HKCU\..\Run: [Iotn] C:\Documents and Settings\Paul\Application Data\urod.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: Yahoo! MLB StatTracker - http://aud2.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38049.4126388889
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Flrman1 (Jul 26, 2002)

Actually I sent you the wrong directions. What I sent you were the directions to let dllfix look for and delete the hidden file itself. I meant for you to do it differently and enter the filename yourself, but it looks like it worked. Now please do this:

Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click *"Fix" (Not "Scan only")* and let it do it's thing.

When it is finished *restart your computer*.

Go here and download Adaware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right corner and click on *Check for updates now* and download the latest referencefiles.

Make sure the following settings are made and on -------*ON=GREEN*

From main window :Click *Start* then *Activate in-depth scan (recommended)*

Click *Use custom scanning options* then click *Customize* and have these options selected: Under *Drives and Folders* put a check by *Scan within archives* and below that under *Memory and Registry* put a check by *all* the options there.

Now click on the *Tweak* button in that same window. Under *Scanning engine* select *Unload recognized processes during scanning* and under *Cleaning Engine* select *Let windows remove files in use at next reboot*

Click *proceed* to save your settings.

Now to scan just click the *Next* button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose *select all* from the drop down menu and click *Next*)

*Restart your computer*.

After completing all that come back here and post a new HJT log and a new output.txt log and windows.txt log from Findall.bat.


----------



## CrockerPE (Mar 28, 2004)

All your instructions again. Here is my new HJT post:

Logfile of HijackThis v1.97.7
Scan saved at 11:41:07 PM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SpyBlocs\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe" 
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sr32] C:\Documents and Settings\Paul\Application Data\Microsoft\sr32\sr32.exe
O4 - HKCU\..\Run: [Iotn] C:\Documents and Settings\Paul\Application Data\urod.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: Yahoo! MLB StatTracker - http://aud2.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38049.4126388889
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## CrockerPE (Mar 28, 2004)

Here is a new output.txt:

--==***@@@ FIND-ALL' VERSION 5 5/16 @@@***==--

Tue May 18 23:44:32 2004 -- Results: 
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (9890:9157) - FS:NTFS clusters:4k
Total: 59 954 065 408 [56G] - Free: 48 725 647 360 [45G]

*IE version and Service packs: 
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion	REG_SZ	;SP1;Q832894;Q330994;Q837009;Q831167;

*Google Toolbar version and Attributes: 
Defaults: "A" ;"R" 
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*Wmplayer version: 
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*PC uptime: 
11:44pm up 0 days, 0:05

*Locked or 'Suspect' file(s) found...

*List of top level windows: 
HWND PID PRIO TITLE
100e6 2192 norm TF_FloatingLangBar_WndTitle
100e8 2192 norm CiceroUIWndFrame
1041c 3276 norm SysFader
201f4 988 norm SysFader
101c0 2100 norm Norton AntiVirus
10094 988 norm Start Menu
4002e 988 norm _Shell_TrayWnd
10026 692 high NetDDE Agent
30286 3988 norm C:\WINDOWS\System32\cmd.exe
101fa 988 norm Find-All
20402 3276 norm Tech Support Guy Forums - Web browser Highjack HJT post... - Microsoft Internet
90344 988 norm MCI command handling window
201de 3712 norm ActiveMovie Window
201e0 3712 norm ActiveMovie Window
201dc 3712 norm MSP PNP Notification Window
201d8 3712 norm CRTCClient
201ee 3712 norm CRTCIMService
201ce 3712 norm DDE Server Window
10450 3276 norm IMMIF UI
20404 3276 norm MCI command handling window
203f8 3276 norm DDE Server Window
2029c 3096 norm HijackThis - v1.97.7
40274 3096 norm HijackThis
20088 2100 norm DefAlert_Window_29DABAC8-AB93-43f3-926D-1DDE0C909FDF
101ba 2152 norm WindowsFormsParkingWindow
101b6 2152 norm Hidden NotifyIconTarget Window
101b2 2152 norm .NET-BroadcastEventWindow.1.0.3300.0.11
201b0 2100 norm ISLALERT_WINDOWNAME_{DA5EA0DE-0190-4755-9ABE-C6DBF5A1008B}
101a2 2504 norm SpywareGuard Brower Hijacking Protection
1019c 2504 norm SG Browser Hijacking Protection
10198 988 norm Connections Tray
20182 988 norm Power Meter
20180 2460 norm Webshots Tray
30104 988 norm MS_WebcheckMonitor
1010e 1840 norm DirectCD
200b4 2436 norm _Static
1011c 2436 norm SpywareGuard
10110 2436 norm SpywareGuard
100f6 2296 norm Digital Line Detect
200d2 2100 norm ccApp
100d6 2168 norm Creative Volume Control
100da 2184 norm CTDVDDET
100d4 2168 norm Creative Volume Control
100ce 2108 norm lxbabmon
100c8 1892 norm Support
100c6 2064 norm LXBABMGR
100c2 1760 norm CtSpkHlp
200b8 1760 norm CtHelper - Apollo
1007a 308 norm ATI video bios poller
10078 2020 norm lxba POR Monitor
10076 2020 norm LEXLMPM
10074 2028 norm 
10072 2028 norm LexPPS BCE Comm Window
101bc 2152 norm GDI+ Window
101b8 2152 norm NotifyAlert
10092 988 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
@="Web assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls	REG_SZ

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




----------



## CrockerPE (Mar 28, 2004)

Do you think we are getting anywhere with this?


----------



## Flrman1 (Jul 26, 2002)

Well that last output.txt file shows that the infection is gone, but your HJT log stll shows the Hijacker.

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lcmhp.dll/sp.html (obfuscated)

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [Iotn] C:\Documents and Settings\Paul\Application Data\urod.exe*

Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:

The C:\Documents and Settings\Paul\Application Data\*urod.exe* file

After that run Findall.bat again. Post another output.txt log and also look in the Findall folder for a Windows.txt file and copy and paste it's contents here. Post another HJT log as well.


----------



## CrockerPE (Mar 28, 2004)

I follow your instructions again. Here is my output.txt:

--==***@@@ FIND-ALL' VERSION 5 5/16 @@@***==--

Wed May 19 21:46:19 2004 -- Results: 
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (9890:9157) - FS:NTFS clusters:4k
Total: 59 954 065 408 [56G] - Free: 49 206 865 920 [46G]

*IE version and Service packs: 
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion	REG_SZ	;SP1;Q832894;Q330994;Q837009;Q831167;

*Google Toolbar version and Attributes: 
Defaults: "A" ;"R" 
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*Wmplayer version: 
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*PC uptime: 
9:46pm up 0 days, 0:20

*Locked or 'Suspect' file(s) found...

*List of top level windows: 
HWND PID PRIO TITLE
10146 1580 norm TF_FloatingLangBar_WndTitle
10148 1580 norm CiceroUIWndFrame
e0074 716 norm SysFader
10060 716 norm Start Menu
40046 716 norm _Shell_TrayWnd
10026 244 high NetDDE Agent
70110 1668 norm C:\WINDOWS\System32\cmd.exe
600a4 716 norm Find-All
400e0 716 norm MCI command handling window
1009a 716 norm SysFader
1005e 716 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
@="Web assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls	REG_SZ

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




----------



## CrockerPE (Mar 28, 2004)

Disregard that last output.txt. Here is the most recent one:

--==***@@@ FIND-ALL' VERSION 5 5/16 @@@***==--

Wed May 19 21:57:39 2004 -- Results: 
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (9890:9157) - FS:NTFS clusters:4k
Total: 59 954 065 408 [56G] - Free: 48 670 969 856 [45G]

*IE version and Service packs: 
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion	REG_SZ	;SP1;Q832894;Q330994;Q837009;Q831167;

*Google Toolbar version and Attributes: 
Defaults: "A" ;"R" 
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*Wmplayer version: 
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*PC uptime: 
9:57pm up 0 days, 0:07

*Locked or 'Suspect' file(s) found...

*List of top level windows: 
HWND PID PRIO TITLE
100e8 2176 norm TF_FloatingLangBar_WndTitle
100ea 2176 norm CiceroUIWndFrame
103f0 3492 norm SysFader
102c2 992 norm SysFader
201c2 2096 norm Norton AntiVirus
10090 992 norm Start Menu
40030 992 norm _Shell_TrayWnd
10026 700 high NetDDE Agent
301d8 2456 norm ActiveMovie Window
301da 2456 norm ActiveMovie Window
301de 2456 norm MSP PNP Notification Window
301ee 2456 norm CRTCClient
301d6 2456 norm CRTCIMService
400a4 2456 norm DDE Server Window
1f0384 2260 norm C:\WINDOWS\System32\cmd.exe
102b8 992 norm Find-All
10392 3492 norm Tech Support Guy Forums - Web browser Highjack HJT post... - Microsoft Internet
10422 3492 norm IMMIF UI
30388 3492 norm MCI command handling window
2032e 3492 norm DDE Server Window
102da 992 norm MCI command handling window
200b8 1852 norm CtHelper - Apollo
100cc 1852 norm CtSpkHlp
201bc 2096 norm DefAlert_Window_29DABAC8-AB93-43f3-926D-1DDE0C909FDF
101b8 2128 norm WindowsFormsParkingWindow
101b4 2128 norm Hidden NotifyIconTarget Window
101b0 992 norm Connections Tray
101ac 2128 norm .NET-BroadcastEventWindow.1.0.3300.0.11
101ae 2096 norm ISLALERT_WINDOWNAME_{DA5EA0DE-0190-4755-9ABE-C6DBF5A1008B}
101a2 992 norm Power Meter
101a0 992 norm MS_WebcheckMonitor
10192 2540 norm SpywareGuard Brower Hijacking Protection
1018a 2540 norm SG Browser Hijacking Protection
10186 2476 norm Webshots Tray
10120 2444 norm _Static
200b4 2444 norm SpywareGuard
20118 2444 norm SpywareGuard
1010e 2292 norm Digital Line Detect
100f4 1912 norm DirectCD
10102 2096 norm ccApp
100e0 2136 norm Creative Volume Control
100d6 2136 norm Creative Volume Control
100da 2160 norm CTDVDDET
100ca 2108 norm lxbabmon
100c4 2080 norm LXBABMGR
100c2 2072 norm Support
1007a 2036 norm lxba POR Monitor
10078 324 norm ATI video bios poller
10076 2036 norm LEXLMPM
10074 2040 norm 
10072 2040 norm LexPPS BCE Comm Window
101ba 2128 norm GDI+ Window
101b6 2128 norm NotifyAlert
10094 992 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
@="Web assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls	REG_SZ

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




----------



## CrockerPE (Mar 28, 2004)

Here is my Windows.txt:

regf        Pugf hbin  ¨ÿÿÿnk, E=Ä ÿÿÿÿ ÿÿÿÿÿÿÿÿ ¸ x ÿÿÿÿ 0 < 0 0  Windows ÿÿÿsk x x  Ô  ¸ È   ¤       !    !  ?          ?               Ðÿÿÿvk     ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  (  h Ðÿÿÿvk  '   zGDIProcessHandleQuota"þðÿÿÿ9 0  ë=tÀàÿÿÿvk     °ºSpooler2ðÿÿÿy e s 
Ñ_åàÿÿÿvk     5swapdisk h ° ð  X Ðÿÿÿvk  à   .	TransmissionRetryTimeoutÐÿÿÿvk  '   b USERProcessHandleQuota3 àÿÿÿh ° ð  X  Ø Øÿÿÿvk     y AppInit_DLLsndle


----------



## CrockerPE (Mar 28, 2004)

regf       Pugf  hbin  ¨ÿÿÿnk, E=Ä ÿÿÿÿ ÿÿÿÿÿÿÿÿ ¸ x ÿÿÿÿ 0 < 0 0  Windows ÿÿÿsk x x  Ô  ¸ È   ¤       !    !  ?          ?               Ðÿÿÿvk     ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  (  h Ðÿÿÿvk  '   zGDIProcessHandleQuota"þðÿÿÿ9 0  ë=tÀàÿÿÿvk     °ºSpooler2ðÿÿÿy e s 
Ñ_åàÿÿÿvk     5swapdisk h ° ð  X Ðÿÿÿvk  à   .	TransmissionRetryTimeoutÐÿÿÿvk  '   b USERProcessHandleQuota3 àÿÿÿh ° ð  X  Ø Øÿÿÿvk     y AppInit_DLLsndle


----------



## CrockerPE (Mar 28, 2004)

Here is my new HJT post:

Logfile of HijackThis v1.97.7
Scan saved at 10:01:33 PM, on 5/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SpyBlocs\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe" 
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sr32] C:\Documents and Settings\Paul\Application Data\Microsoft\sr32\sr32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: Yahoo! MLB StatTracker - http://aud2.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38049.4126388889
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## CrockerPE (Mar 28, 2004)

In those last directions you gave me, I wasn't able to delete urod.exe because it was nowhere to be found.


----------



## Flrman1 (Jul 26, 2002)

Well the log looks good now. Let's give this a day or two and see how it goes. Post back here and let us know if it has returned or not.


----------



## CrockerPE (Mar 28, 2004)

Thanks alot. Thats twice you've helped me so far. Hopefully i won't have anymore problems.


----------



## Flrman1 (Jul 26, 2002)

Glad we could help! :up:

Do you think we can mark this one solved now?


----------



## CrockerPE (Mar 28, 2004)

Looks like everything is solved. Thanks alot.


----------



## Flrman1 (Jul 26, 2002)

Good deal! 

Happy Surfing! 

I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

