• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
even_better

At wits end with About:Blank

15 posts in this topic

For about the last week I've had a problem with an About:Blank hijacker. It flares up when I use Hotmail so at first I thought it was an intrusive popup, but your forum has told me differently.

 

I've used all the advice I can from this forum, but I still can't eliminate it. I feel I need personalized advice so I've decided to post my reports.

 

I've been running adaware almost constantly, and I've noticed that activating IE will reinstall this one bit of spyware:

 

Vendor Type Category Object Comment

CoolWebSearch RegValue Malware HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Internet Explorer\Main\ "HOMEOldSP"

 

I've found I can't use FindnFix because my notepad program has disappeared.

 

Here is my Hijack This log:

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ps2.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Yahoo!\Messenger\ypager.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\downloads\hjt\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.93.1.53:8080

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {AFE441F6-1D15-446B-A003-FEE9FD53B84E} - C:\WINDOWS\System32\dbk.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Yahoo! Login (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - http://survey.prod.there.com/qualsurvey/Th...stallHelper.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7789.5475347222

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Share this post


Link to post
Share on other sites

Thank you for your reply. Here's my FindnFix log:

 

»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

Sat 06/26/2004

2:20pm up 0 days, 3:56

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\WDM.DLL +++ File read error

\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»Special 'locked' files scan in 'System32'........

**File C:\FINDnFIX\LIST.TXT

WDM.DLL Can't Open!

 

****Filtering files in System32... (-h -s -r...) ***

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\WINDOWS\SYSTEM32\

wdm.dll Mon Jun 21 2004 8:16:10a A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\WDM.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group YOUR-N3TY7ATHD5\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-N3TY7ATHD5\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: YOUR-N3TY7ATHD5\Owner

 

Primary Group: YOUR-N3TY7ATHD5\None

 

 

 

»»»»»»Backups created...»»»»»»

2:24pm up 0 days, 3:59

Sat 06/26/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-26-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-26-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æGÀÿÿÿC

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Windows

AppInit

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

5swapdisk

TransmissionRetryTimeout

USERProcessHandleQuotaH

 

**File C:\FINDnFIX\WIN.TXT

regf

Share this post


Link to post
Share on other sites

This will take couple or more steps to fix. Be sure to Follow the next set of steps carefully, in the exact order specified:

  1. Open the "FINDnFIX\Keys1" Subfolder!
  2. Locate the "MOVEit.bat" file, Right-Click on it and select => "edit". The file will open as empty text file.
  3. Copy and paste the entire highlighted line in the following quote box
    (all one line) into that blank 'MOVEit' file:
    move C:\WINDOWS\System32\WDM.DLL C:\junkxxx\WDM.DLL

  4. Save the file and close.
  5. Get ready to restart your computer.
  6. In the same folder, DoubleClick on the "FIX.bat" file.
  7. You will be prompted by popup Alert to restart in 15 seconds.
  8. Allow it to restart the computer!
  9. On restart, Navigate to: C:\FINDnFIX\ main folder:
  10. DoubleClick on the "RESTORE.bat" file.
  11. It'll run and produce new log. (log1.txt) post it here!

Share this post


Link to post
Share on other sites

Well, hell

I select the program and hit edit and I get an error message saying:

 

Windows can not find 'C:\FindnFix\keys1\Moveit.bat'

Share this post


Link to post
Share on other sites

Do this ... Open Notepad and paste in the following:

move C:\WINDOWS\System32\WDM.DLL C:\junkxxx\WDM.DLL

 

(Copy and paste from here).

 

Save the files as c:\MOVEit.bat.

 

Click on "Start" = "Run" and type in cmd and press okay - This will open a command prompt. Type in:

copy c:\MOVEit.bat C:\FindnFix\keys1\Moveit.bat

and press enter - You should be prompted to overwrite the file - Say yes and proceed with the instructions.

Share this post


Link to post
Share on other sites

I hope this helps. It finished saying something or other was not a valid application

 

»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

 

Sat 06/26/2004

4:10pm up 0 days, 0:02

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

*Locked files...

* result\\?\C:\junkxxx\WDM.DLL

 

»»»Filtering files in System32.......( 'R;H;S') »»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

No matches found.

 

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\JUNKXXX\

wdm.dll Mon Jun 21 2004 8:16:10a A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\JUNKXXX\WDM.DLL

 

 

Search text: ÝSTREAMINGDEVICESETUP2Þ ®CASE Insensitive Match

Searching ==>C:\JUNKXXX\WDM.DLL

Run Time(sec) 0

**File C:\JUNKXXX\WDM.DLL

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

move C:\WINDOWS\System32\WDM.DLL C:\junkxxx\WDM.DLL

 

 

-ra-- W32i - - - - 57,344 06-21-2004 wdm.dll

A R C:\junkxxx\WDM.DLL

 

»»Permissions:

C:\junkxxx\WDM.DLL Everyone:(special access:)

 

SYNCHRONIZE

FILE_EXECUTE

 

BUILTIN\Administrators:F

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-N3TY7ATHD5\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: YOUR-N3TY7ATHD5\Owner

 

Primary Group: YOUR-N3TY7ATHD5\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: NT AUTHORITY\SYSTEM

 

File "C:\junkxxx\WDM.DLL"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

 

Owner: YOUR-N3TY7ATHD5\Owner

 

Primary Group: YOUR-N3TY7ATHD5\None

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æGÀÿÿÿC

 

---------- NEWWIN.TXT

AppInit_DLLsecte

**File C:\FINDnFIX\NEWWIN.TXT

regf ý ­rgf hbin x ¨ÿÿÿnk, €ïúÁ[Ä ÿÿÿÿ ÿÿÿÿÿÿÿÿ ¸ x ÿÿÿÿ 0 8 M , Windows ÿÿÿsk x x Ô „¸ È ¤ ! € ! ? ? Ðÿÿÿvk ˜ ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 ( h Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ë=tÀàÿÿÿvk °ºSpooler2ðÿÿÿy e s

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' a USERProcessHandleQuotaH àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk € y AppInit_DLLsecte

ÿÿÿÿ ÿÿÿÿ ÿÿÿÿ ÿÿÿÿ ÿÿÿÿ & Y x

**File C:\FINDnFIX\NEWWIN.TXT

000012F0: 01 00 00 00 01 00 79 00 . 5F 44 4C 4C 73 65 63 74 ......y. _DLLsect

**File C:\FINDnFIX\NEWWIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' a USERProcessHandleQuotaH àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk € y AppInit_DLLsecte

Share this post


Link to post
Share on other sites

i also believe i am in a similar problem and i have found that the notepad shortcuts on my machine have been canged to point to a file in windows\system32 called

actmovie.exe

 

go to start/all programs/accessories/notepad and right click on notepad and check click the properties menu selection you will see that the file path for the shortcut is C:\\windows\system32\actmovie.exe

 

and that it shows %HOMEDRIVE%%HOMEPATH% as the start in

 

just posting this as a heads up, i have no more info as to what to do from here.

oh yes on google i found actmovie.exe called a virus but little other info about it

Share this post


Link to post
Share on other sites

While I appreciate the assist, my most pressing concern is removing the Hijacker from my computer.

 

Can anyone assist me with that?

Share this post


Link to post
Share on other sites

even_Better - Your persistence is pushing the thread even though I told you I would help and I am helping makes me very reluctant to continue. I am monitoring the thread, when I sign on I will respond and finish cleaning it up - PLEASE do not respond every hour or two asking "ANYONE??" <= That is just rude and inconsiderate as I am not on 24 hours a day.

 

That off my chest - To continue with your fix ...

Open the FINDnFIX\Files2< Subfolder and run the => "ZIPZAP.bat" file. It will quickly clean the rest.

When done, Restart your computer and Delete and entire 'FINDnFIX' file+folder(s) From C:\.

Post a follow up HijackThis log when done!

 

You will be prompted to email the file - Please do so.

Share this post


Link to post
Share on other sites

I should apologize. I was unaware my problem was being monitored, but rather I thought one needed to shout to be heard in the forum. If I come here with a problem in the future, I shall act with considerably more patience.

 

My about:blank camper seemed to have disappeared before I even restarted my computer, so I thank you for that.

 

As requested here is my supplemental Hijack This log:

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ps2.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Yahoo!\Messenger\ypager.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\downloads\hjt\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.93.1.53:8080

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {9AD8A749-FECE-4DD0-8A1B-3EB4350B9386} - C:\WINDOWS\System32\dbk.dll (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Yahoo! Login (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - http://survey.prod.there.com/qualsurvey/Th...stallHelper.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7789.5475347222

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Share this post


Link to post
Share on other sites

Not a problem - When I work on a case - The next time I sign on, those cases are all in a list and if there have been any responses - They are my first priority.

 

Your log still shows the infection? It may be a phantom entry but to be sure can you do this first step again ...

Please download "FINDnFIX.exe". Run the "!LOG!.bat" file and post the results into this message for further review.

 

If nothing shows up, we can get rid of the entries.

Share this post


Link to post
Share on other sites

Here's my FindnFix log. Any problems?

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

Tue 06/29/2004

6:01pm up 1 day, 9:47

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

 

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»Special 'locked' files scan in 'System32'........

**File C:\FINDnFIX\LIST.TXT

 

****Filtering files in System32... (-h -s -r...) ***

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

No matches found.

 

No matches found.

 

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group YOUR-N3TY7ATHD5\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-N3TY7ATHD5\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: YOUR-N3TY7ATHD5\Owner

 

Primary Group: YOUR-N3TY7ATHD5\None

 

 

 

»»»»»»Backups created...»»»»»»

6:03pm up 1 day, 9:49

Tue 06/29/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-29-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-29-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLsecte

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

Windows

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

5swapdisk

TransmissionRetryTimeout

USERProcessHandleQuotaH

AppInit

DLLsecte

 

**File C:\FINDnFIX\WIN.TXT

Share this post


Link to post
Share on other sites

Nothing in that log - Which is good :) Please post a fresh HijackThis log to confirm...

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0