

yes ! it's about/blank !!!!!!!!!

5 replies to this topic

#1 trollafrogg



  • Full Member
  • Pip
  • 13 posts

Posted 26 June 2004 - 03:46 PM

gee i read everything and now i'm drawing an about/blank , please help.

after running spybot , and using my outpost firewall to give new rules to block this : website ,and i have , at least temporarily ?? , stopped the pop-up ads when using IE6, although i am starting IE6 from windowsupdate icon, not the IE6 icon, and of course the about/blank still is refreshing itself as the homepage whenever it wants to.
[edit] i also ran GRC.com's discombobulator and saw that DCOM had been enabled, i disabled DCOM again. also the GRC.com's shootthemessenger reported that messenger had been enabled and i disabled messenger also. [end edit]

also, anti-virus keeps reporting a trojan, pandasoft online temporarily neutralized it, but upon machine reboot, it appears again in a new spot, each time as a .dll ?

trendmicro online virus detection is non-operable.

notepad was disabled. however after running a search (windows) for notepad and then running the hijackthis app, notepad appeared as the text file service for the hijackthis logfile. i was using wordpad before that for copy/paste items for review.

please help me,

oh yes FireFox Browser is unaffected. although neither pandasoft, trendmicro, or symantec online viruscan will work with FireFox.

i have run BHODemon, ad-aware6, and spybot. have i left anything out of what you ask for ? please advise.

Logfile of HijackThis v1.97.7
Scan saved at 11:26:31 AM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\URBANP~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\URBANP~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\URBANP~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\URBANP~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\URBANP~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\URBANP~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BFA22763-81FB-4D91-AD5B-21153B7C8418} - C:\WINDOWS\System32\goannn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NetMeter] C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\bin\win2k\tidslmon.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Uptime-Project] C:\Documents and Settings\urban peasant\My Documents\My Received Files\New Folder\client.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmtracer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmtracer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmtracer.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.....0_SILENT_2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37999.903587963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C243490-8BE8-49E7-866D-DCAE0C67F018}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C243490-8BE8-49E7-866D-DCAE0C67F018}: NameServer =

Edited by trollafrogg, 26 June 2004 - 03:58 PM.
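
Added example, not part of the original posts: a small Python parser for the HijackThis entry lines posted above, which groups them by section code and lists the ones a reviewer would read first. The three heuristics (an IE page setting with a file:// value, an unnamed BHO whose DLL sits directly in System32, an O10 "Unknown file" line) are assumptions chosen for this log, not a verdict on any file; the sample is a few lines copied from it.

```python
import re
from collections import defaultdict

# Sample input: a few entry lines copied from the log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\URBANP~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BFA22763-81FB-4D91-AD5B-21153B7C8418} - C:\WINDOWS\System32\goannn.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmtracer.dll
"""

# An entry line is "<section code> - <rest>", e.g. "R1 - ..." or "O10 - ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
SYSTEM32_DLL = re.compile(r"\\system32\\[^\\]+\.dll$")

def parse(log):
    """Group entry lines by HijackThis section code (R0, R1, O2, ...)."""
    sections = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header and "Running processes" lines do not match
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def review_first(sections):
    """Return (code, reason, entry) for entries matching the heuristics."""
    hits = []
    for code, entries in sections.items():
        for entry in entries:
            low = entry.lower()
            if code in ("R0", "R1") and " = file://" in low:
                hits.append((code, "IE page setting points at a local file", entry))
            elif code == "O2" and "(no name)" in low and SYSTEM32_DLL.search(low):
                hits.append((code, "unnamed BHO loaded from System32", entry))
            elif code == "O10" and low.startswith("unknown file"):
                hits.append((code, "unrecognised Winsock LSP file", entry))
    return hits

if __name__ == "__main__":
    for code, reason, entry in review_first(parse(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {entry}")
```
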

#2 trollafrogg




Posted 26 June 2004 - 04:30 PM

very interesting !!!!!!!!!!!

i checked the notepad.exe icon properties tag and have discovered that it is pointing to a new setup :

target type : application

target : C:\WINDOWS\system32\actmovie.exe


shortcut key : None

run : Normal window

also !!!!!!!!!!! under the General Tab it reports itself to be a DirectShow Setup Tool

have we a culprit ????????

#3 shaunw



  • Full Member
  • Pip
  • 15 posts

Posted 26 June 2004 - 04:56 PM

Problems with notepad and anti-virus software are a sure sign of a virus or
trojan. Many browser hijacks are also trojan driven. If you get rid of them
then the virus will reinstall them when you reboot. The dll is only part of the
Go to nai.com search for the stinger program and download and run it. If it finds
a virus delete it. You may have to reinstall your anti-virus software if it won't run.
Don't forget to update the virus data files to the latest version.
Scan your hard disks for further viruses. Get rid of them. Then think about getting
rid of your browser hijack using ad-aware, spybot or hijackthis.
Remember if the hijack keeps returning this is a sure sign that you still have a
virus (or are visiting the same unsafe websites). Hope this helps


#4 trollafrogg




Posted 26 June 2004 - 11:21 PM

thanks for your input.

stinger prog did not locate a virus.

avg anti virus found backdoor.agent.ba trojan but will not clean it..

am going to use the findnfix solution given on this forum page

am wondering what to do about the browser hijack located in the notepad shortcut properties.

wish me luck

#5 trollafrogg




Posted 27 June 2004 - 02:34 AM

using the FINDnFIX prog in conjunction with the instructions found on this forum thread follow "freeatlast" instructions seems to have worked, comp is running better and homepage is staying true as microsoft.com

also i did a DNS lookup on the server the pop-up ads were coming from and the office is only 30 miles from my house. the contact is named emil k. , sounds like a russian dude. should i call his home number ?

also to fix the NOTEPAD.EXE not found error

i went to START>ALL PROGRAMS>ACCESSORIES then RIGHT CLICK NOTEPAD which brings up a menu > click the "properties" tag in that menu which brings up a properties box/window> under the "SHORTCUT" tab replace "target" info with
C:\WINDOWS\NOTEPAD.EXE , then highlight and delete text in the "START IN" area { in mine it read "%HOMEDRIVE%%HOMEPATH%" } > click "APPLY" button in lower right corner of properties box/window. and NOTEPAD returns to life.

Edited by trollafrogg, 27 June 2004 - 11:12 AM.

#6 trollafrogg




Posted 29 June 2004 - 05:13 PM

still working
