MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: about:blank and wink.dll help please
July 18, 2019, 04:56:12 PM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
July 18, 2019, 04:56:12 PM

Login with username, password and session length
 
News
Welcome to MyTechSupport.ca! - Registration is FREE, so why not join our friendly community today?
  0 Members and 1 Guest are viewing this topic.
Pages: [1] 2  All Go Down Print
Author Topic: about:blank and wink.dll help please  (Read 3459 times)
jaydub0417
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 12


Bookmark and Share

View Profile
« on: July 20, 2004, 03:11:36 AM »


Operating System Version: XP
Problem Application Name & Version:wink.dll and about:blank hijack
Problem Hardware Make & Model:
Error Messages:

hey.. this is my first time posting on a tech forum... i have a dll file. wink.dll that keeps trying to install and install... my norton wont detect it... ive tried every updated spyware, shredder, about:remover, etc... and it keeps locking up on the wink.dll..

also.. i remove the about:blank stuff and its randomly reinstalling dll about 5 times a day... just wondering if anyone had any suggestions/help for me.. Smiley thanks
Logged

 
jaydub0417
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 12


Bookmark and Share

View Profile
« Reply #1 on: July 20, 2004, 03:41:21 AM »

another couple of things.. every time i try to run another process.. my norton autodetect pops up a window saying it is denying access to the wink.dll file... it pops up two to three times for every program i start..
and.. heres my hijack this log

Logfile of HijackThis v1.97.7
Scan saved at 8:39:29 PM, on 7/19/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\tgtsoft\StyleXP\stylexp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\Program Files\Sonique\sqstart.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\bandstuff\Spyware_Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Panicware Surf &Pal - {0ADCDFE7-8490-406D-91BF-88F71FD7F8AE} - C:\Program Files\Panicware\Surf Pal\pwicc.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINNT\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\tgtsoft\StyleXP\stylexp.exe -Hide
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
Logged

 
jaydub0417
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 12


Bookmark and Share

View Profile
« Reply #2 on: July 20, 2004, 03:54:31 AM »

also, here is a list of programs for spyware that i have downloaded:
cw shredder, hijack this, startuplist, killbox, aboutBuster, adaware 6.0, spyware blaster (not sure if i fully understand this one yet), spybot S&D...

and my virus scanner is norton 02.. i know its old.. but my definitions are up to date

another thing ive noticed... about buster cannot delete the wink.dll... and it keeps trying to.. which crashes the program.. and the norton autoblocking pop up keeps coming up and everytime i tell it to block the file.. it pops up again.. thanks Smiley
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #3 on: July 20, 2004, 03:56:56 AM »

Please delete your copy of hijackthis, there is a newer version
download from
HERE or HERE

Rescan and post a new log

Could you also do the following
Download and install Registrar Lite.
http://www.resplendence.com/reglite
Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

And also
Copy the contents of the quote box to Notepad (START, run, enter NOTEPAD in the BOX and hit OK).
Now in Notepad select file, save as and enter in the filename box "Appinit.bat" (Use the quotes too) and save it on the desktop.

quote:
Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
chkntfs c: > windows.txt
type windows1.hiv >> windows.txt


Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Upload windows.txt in your next reply----Insert file attachmet

What OS are you using? XP Pro or Home
If your not sure go to Start----Run---type in "WINVER" without quotes
« Last Edit: July 20, 2004, 04:00:30 AM by benditup » Logged

 
jaydub0417
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 12


Bookmark and Share

View Profile
« Reply #4 on: July 20, 2004, 03:58:04 AM »

no problem.. ill wait all night to finally get rid of that about:blank trash.. and this new found wink.dll stuff...
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #5 on: July 20, 2004, 04:03:28 AM »

Sorry Jay, I just edited my last post Smiley
Logged

 
jaydub0417
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 12


Bookmark and Share

View Profile
« Reply #6 on: July 20, 2004, 04:13:32 AM »

heres the new hijack log:
Logfile of HijackThis v1.98.0
Scan saved at 9:11:51 PM, on 7/19/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\tgtsoft\StyleXP\stylexp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\Program Files\Sonique\sqstart.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Registrar Lite\rl.exe
C:\WINNT\System32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Panicware Surf &Pal - {0ADCDFE7-8490-406D-91BF-88F71FD7F8AE} - C:\Program Files\Panicware\Surf Pal\pwicc.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINNT\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility]


and heres what was in the value field on that reg program
value: C:\WINNT\System32\wink.dll

im not sure if i understand what you mean by this, im sorta newbish to this stuff:
And also
Copy the contents of the quote box to Notepad (START, run, enter NOTEPAD in the BOX and hit OK).
Now in Notepad select file, save as and enter in the filename box "Appinit.bat" (Use the quotes too) and save it on the desktop.


quote:
--------------------------------------------------------------------------------
Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
chkntfs c: > windows.txt
type windows1.hiv >> windows.txt
--------------------------------------------------------------------------------
Logged

 
jaydub0417
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 12


Bookmark and Share

View Profile
« Reply #7 on: July 20, 2004, 04:14:32 AM »

oh ya.. and im using .. xp home
Logged

 
jaydub0417
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 12


Bookmark and Share

View Profile
« Reply #8 on: July 20, 2004, 04:17:57 AM »

heres the appinit.bat thing.. figured it out:)

Download Attachment: windows.txt 8.72 KB
Right click and select Save Target As... then rename the file as shown here and save.
Logged

 
jaydub0417
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 12


Bookmark and Share

View Profile
« Reply #9 on: July 20, 2004, 04:22:35 AM »

i apologize for my mistakes so far Undecided
heres another post of the hijack log, *frown* my bad:

Logfile of HijackThis v1.98.0
Scan saved at 9:11:51 PM, on 7/19/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\tgtsoft\StyleXP\stylexp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\Program Files\Sonique\sqstart.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Registrar Lite\rl.exe
C:\WINNT\System32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Panicware Surf &Pal - {0ADCDFE7-8490-406D-91BF-88F71FD7F8AE} - C:\Program Files\Panicware\Surf Pal\pwicc.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINNT\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\tgtsoft\StyleXP\stylexp.exe -Hide
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: C:\WINNT\System32\wink.dll
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #10 on: July 20, 2004, 04:41:48 AM »

Good Work Jay, unfortunately I have to go and won't be able to see how
you made out until tomorrow, but I'm sure you'll do fine Cool
Assuming you are signed in as Administrator on your PC
Set windows to show Hidden files and folders
* Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

Read these instructions carefully
Ensure that Ad-Aware and Spybot are right up to date (Check for updates)
Make sure CWShredder is up to date, I believe the latest version
is 1.59.1

Download this zip file and then immediately sign off the internet and stay off until all steps are finished.
hiving.zip

Extract(Unzip) the batch file (hiving.bat) within it and run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box. Double click on the batch to run it. After Reboot the hidden .dll should now be visible and not loaded anymore

IMPORTANT
RESTART your Computer in SAFE MODE

Find this file:
C : \ W I N N T \ S y s t e m 3 2 \ w i n k . d l l

Right click and use the security tab on wink.dll and take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control'
Then try to delete it, if that fails try to rename it first to different name+ext.

Example:
wink.dll>bleh.txt
bleh.txt > badfile.111

Once you have successfully deleted the file:

Open CWShredder and let it FIX all problems

RESTART your computer in Normal mode

Do another Scan with Spybot----Fix everything in RED
Do another scan with ad-aware
Set these additional options for a custom scan
click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

RESTART your computer one more time

DELETE the Windows.txt on the desktop you created earlier
Then double click on Appinit.bat to create a new Windows.txt
Attach that new txt file again in your next post
Also let me see the value from Registrar lite again
And Post back with a Fresh hijackthis log, thanx....

How to take ownership of a file, in case you have troubles
http://support.microsoft.com/?kbid=308421
Logged

 
jaydub0417
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 12


Bookmark and Share

View Profile
« Reply #11 on: July 20, 2004, 09:11:02 AM »

okay... the regestrar app value was no longer there on the reg scan i did .. i dunno if thats good...

but heres my hijack list again:
Logfile of HijackThis v1.98.0
Scan saved at 2:06:43 AM, on 7/20/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\tgtsoft\StyleXP\stylexp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Sonique\sqstart.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\bandstuff\Spyware_Stuff\HijackThis.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Panicware Surf &Pal - {0ADCDFE7-8490-406D-91BF-88F71FD7F8AE} - C:\Program Files\Panicware\Surf Pal\pwicc.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINNT\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\tgtsoft\StyleXP\stylexp.exe -Hide
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

which looks much better than the last one...
and last but not least.. heres the new windows text

Download Attachment: windows.txt 8.71 KB
Right click and select Save Target As... then rename the file as shown here and save.

i dont know where you dig this stuff up.. or how you do it.. but .. WOW ... thanks a bunch;D
Logged

 
kvarga
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 9


Bookmark and Share

View Profile
« Reply #12 on: July 20, 2004, 02:02:29 PM »

Dont mean to hijack the thread but i have a very similar problem...im at work now but  just want to know if the fixes here would be relevent to my issue...the only real difference is my file in system 32 folder is winf.dll which i cant delete...oh and for some reason i dont appear to be able to log on as admin...password rejected...99% sure im using right password. Using Win XP pro aswell.
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #13 on: July 21, 2004, 02:40:10 AM »

Hi jay, if you put this into registrar lites' address bar and hit GO

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Let me know if you can find the AppInit_DLLs key, if not we may need to restore your Windows Hive... Please let me know
Logged

 
jaydub0417
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 12


Bookmark and Share

View Profile
« Reply #14 on: July 21, 2004, 02:42:27 AM »

nope.. in reg lite.. the appinit_dlls isnt there
Logged

 
Pages: [1] 2  All Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page July 27, 2017, 08:07:35 PM