Member Avatar for GaryTheK

Hi Crunchie,
I tried to find the problen dll myself but I can't seem to find it. I think it's masked or cloaked as a legitimate dll such as for a google toolbar, but I just may not know what I'm looking for. Ad-aware finds the bug, but as usual it reappears. I fix the R1's with HyjackThis but again they reappear. Can you give me some guidance? I have APM all ready to go. Here is the HJT log:
(Venturi is a ISP for Verizon Wireless and it's clean - I have used it for about a year.)

Logfile of HijackThis v1.97.7
Scan saved at 9:13:58 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWX\System32\smss.exe
C:\WINDOWX\system32\winlogon.exe
C:\WINDOWX\system32\services.exe
C:\WINDOWX\system32\lsass.exe
C:\WINDOWX\system32\svchost.exe
C:\WINDOWX\System32\svchost.exe
C:\WINDOWX\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWX\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\mail.com\mcalert.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Venturi182\venturi.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Venturi182\jre\bin\jrew.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWX\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWX\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWX\system32\ZoneLabs\vsmon.exe
C:\Security\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWX\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [window.exe] C:\WINDOWX\System32\window.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Venturi.lnk = C:\Program Files\Venturi182\venturi.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll

  • 3 Contributors
  • 5 Replies
  • 155 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by GaryTheK
Member Avatar for crunchie

Also fix this with hijackthis:

O4 - HKCU\..\Run: [window.exe] C:\WINDOWX\System32\window.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWX\System32\window.exe

Reboot normally.

Post another log after following the instructions given at the link that catweazle gave.

Member Avatar for GaryTheK

Hi Crunchie,
I had a problem following Phage's procedure. However, since it looked like a quick fix, I followed your suggestion to place a couple of brackets around about:blank and it worked. I now have complete control over the IE home page. Thanks a lot for that quick "fix" or work around. That process seems to make about:blank into a hypertext format which then responds to being over written. I wonder though if the offending files might still be on my hard drive?

I also followed your procedure to fix 04, but I didn't find any window.exe file in System32 while in Safe Mode..
Here is my latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 10:17:09 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWX\System32\smss.exe
C:\WINDOWX\system32\winlogon.exe
C:\WINDOWX\system32\services.exe
C:\WINDOWX\system32\lsass.exe
C:\WINDOWX\system32\svchost.exe
C:\WINDOWX\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWX\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWX\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\mail.com\mcalert.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Venturi182\venturi.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Venturi182\jre\bin\jrew.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWX\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWX\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWX\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Security\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWX\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Venturi.lnk = C:\Program Files\Venturi182\venturi.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll

Before I performed your suggestions, I ran Ad-aware again and it found a malware dll in a folder directly on the hard drive labeled RECYCLER. This was right under my RECYLCLED folder. In RECYCLER I found two files, they both were long numbered files and Ad-aware was able to delete the dll, but I can't remove the other one at all. It looks the same (S-1-5-21-1606980848-113...etc) but with no extension. Is there a program out there that I can run that will allow me to kill a read only file such as this?
Thanks again for your help!

Member Avatar for crunchie

Right click on the file & go to properties & uncheck the read only box. Press apply then try deleting it. Or
Download moveonboot from here & the file(s) you choose will be deleted on reboot.

MoveOnBoot allows you to copy, move or delete files on the next system boot. This comes in very handy, if you need to replace or delete files which are locked by other applications, loaded into memory or cannot be changed until next system boot. You could manually enter a line to the wininit files, but using MoveOnBoot is much simpler, since the program can be integrated into shell - it creates the "Copy/Move/Delete on boot" context menu item.

Member Avatar for GaryTheK

Thanks Crunchie,
I tried unchecking the read only box before but it wouldn't stay, but moveonboot did the trick. I guess based upon my last HJT log you may mark my thread as solved. Thanks again for all your help! :D

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.