gravity_junky

about blank has me!

11 posts in this topic

I am sure this is the place to find help on this. I have the about:blank hijack resetting my homepage. I have run Spybot S&D, CWShredder, and HijackThis, all from safe mode, but it came back. So I am guessing that I am not deleting something I should be. After thinking I had fixed the problem, I also locked my homepage with a registry edit. But this morning I turned on my PC and about:blank has returned.

 

Any assistance will be GREATLY appreciated!!! Here is my hijackthis log from this morning.

 

Logfile of HijackThis v1.97.7

Scan saved at 10:14:24 AM, on 5/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\gearsec.exe

E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

E:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Mixer.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\System32\svchost.exe

E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\WINDOWS\System32\hphmon05.exe

E:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

E:\Program Files\Logitech\iTouch\iTouch.exe

E:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe

E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

E:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

E:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

E:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

E:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

O2 - BHO: (no name) - {B2788927-51C7-4927-BFDE-4EEFE7A0C7D3} - C:\WINDOWS\System32\hkmfbk.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HPHUPD05] E:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKLM\..\Run: [WebRebates] javaw -cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates"

O4 - HKLM\..\Run: [GhostStartTrayApp] E:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...ector/swdir.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

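As an added example (not code from the thread, from HijackThis, or from any of the tools mentioned), here is a small Python triage script that applies the same reading a helper does by hand to a HijackThis 1.97-style log: it flags R0/R1 page settings that point into a DLL via res://, unnamed BHOs loaded from the Windows directory, rundll32 Run entries, and O6 policy restrictions, and then cross-references which DLL appears both in a hijacked R entry and as a BHO. The sample lines are constructed to match the format of the log posted above; the severity labels are an assumed heuristic, not HijackThis output.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in HijackThis 1.97 format, modelled on the log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B2788927-51C7-4927-BFDE-4EEFE7A0C7D3} - C:\WINDOWS\System32\hkmfbk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")          # "R1 - ..." / "O2 - ..."
RES_DLL_RE = re.compile(r"res://([^\s/]+\.dll)", re.IGNORECASE)  # res://<path>.dll/...
DLL_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s,]+\.dll', re.IGNORECASE)
WINDIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.IGNORECASE)  # %WINDIR% or System32

Finding = Tuple[str, str, str]  # (severity, reason, original log line)


def _dll_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match the about:blank / CWS hijack patterns."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, header, blank lines
        section, body = m.groups()
        dll = DLL_PATH_RE.search(body)
        if section.startswith("R"):
            if RES_DLL_RE.search(body):
                findings.append(("high", "IE page setting points into a DLL via res://", line))
            elif body.endswith("= about:blank"):
                findings.append(("medium", "IE page setting reset to about:blank", line))
        elif section == "O2":
            # A BHO with no registered name, living in the Windows directory,
            # is the pattern of the hijacker DLL; vendor BHOs sit under Program Files.
            if "(no name)" in body and dll and WINDIR_RE.match(dll.group(0)):
                findings.append(("high", "unnamed BHO loaded from the Windows directory", line))
        elif section == "O4":
            if "rundll32" in body.lower() and dll and WINDIR_RE.match(dll.group(0)):
                findings.append(("medium", "rundll32 Run entry loading a DLL from the Windows directory", line))
        elif section == "O6" and "restrictions present" in body.lower():
            findings.append(("medium", "IE policy restrictions present (can pin the hijacked home page)", line))
    return findings


def correlate_dlls(log_text: str) -> Dict[str, Set[str]]:
    """Map every DLL filename in the log to the HJT sections that reference it."""
    seen: Dict[str, Set[str]] = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        for path in DLL_PATH_RE.findall(body):
            seen.setdefault(_dll_name(path), set()).add(section)
    return seen


def linked_dlls(log_text: str) -> List[str]:
    """DLLs named both by a hijacked R entry and by an O2 BHO: the file to note down."""
    seen = correlate_dlls(log_text)
    return sorted(d for d, secs in seen.items()
                  if "O2" in secs and any(s.startswith("R") for s in secs))


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
    print("DLL tied to both the page hijack and a BHO:", linked_dlls(SAMPLE_LOG))
```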

Hi there and welcome to Spywareinfo.

 

I'm looking over your log to see what needs to be done. I'll be back once I've figured out what to do next.

 

-- LB


See this article for instructions on how to deal with the about:blank problem. Don't forget to post back here with the items mentioned in step 10.

 

-- LB


ok here goes....

 

logs.txt from dllfix:

 

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Fri 05/21/2004

04:31 PM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

Deleting temp value

 

The operation completed successfully

 

Running from C:\Documents and Settings\jpeg\Desktop\dllfix

Processing File Manually

C:\WINDOWS\system32\COMD.DLL

Md5 Check of C:\WINDOWS\system32\COMD.DLL

 

Md5 tested As

File was found but md5 didnt match

MD5 was:

Resetting file attributes

Processing ACL of: <\\?\C:\WINDOWS\system32\COMD.DLL>

 

SetACL finished successfully.

File was zipped for submission to Shadowwar

File is located at C:\Documents and Settings\jpeg\Desktop\dllfix\submit.zip

please Email a copy to spywaresubmit at aol.com

Please include a link to your post.

File is still in original location now unlocked.

It is now ok to proceed with Rest of Cleanup.

 

--------------------------------

output.txt from dllfix:

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Fri 05/21/2004

04:25 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "CLI" (5C6B:538C) - FS:NTFS clusters:4k

Total: 15 134 482 432 [14G] - Free: 7 781 298 176 [7.2G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

*Wmplayer version:

8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

 

 

*PC uptime:

4:25pm up 0 days, 5:50

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\COMD.DLL +++ File read error

\\?\C:\WINDOWS\System32\COMD.DLL +++ File read error

 

 

*List of top level windows:

HWND PID PRIO TITLE

200c4 1768 norm TF_FloatingLangBar_WndTitle

100f8 1768 norm CiceroUIWndFrame

8007a 3720 norm Start Menu

4003e 3720 norm _Shell_TrayWnd

5005c 3720 norm SysFader

40144 2168 norm LgCruiseWindow

5031c 332 norm SysFader

20192 352 norm Norton AntiVirus

10026 484 high NetDDE Agent

101e0 2440 norm CiceroUIWndFrame

101de 2440 norm CiceroUIWndFrame

102b8 2844 norm CiceroUIWndFrame

20248 2844 norm CiceroUIWndFrame

10242 2440 norm View the Details of your Update Requests

1903f0 332 norm CiceroUIWndFrame

e037c 332 norm CiceroUIWndFrame

1003c8 3612 norm C:\WINDOWS\System32\cmd.exe

802dc 332 norm Subratam.org -> Kill Spyware Forums -> The about:blank Fix tutorial - Microsoft

40092 3720 norm dllfix

60306 3720 norm DDE Server Window

60312 3720 norm MCI command handling window

803d4 3720 norm Connections Tray

50304 3720 norm Power Meter

b02da 3720 norm MS_WebcheckMonitor

1003be 332 norm IMMIF UI

30332 332 norm DDE Server Window

10240 2440 norm PlaxoEvent

101d4 2440 norm Inbox - Microsoft Outlook

402f4 332 norm MCI command handling window

20310 332 norm DDE Server Window

c03fe 2440 norm diplomas - Message (HTML)

30272 820 norm Trillian

100154 820 norm Trillian

160124 820 norm MCI command handling window

e0118 820 norm ICQ - 256317695 - Console

c033a 820 norm AIM - TobuZen - Console

120142 2440 norm MCI command handling window

130148 2440 norm OutlookFbThreadWnd

102be 2440 norm IMMIF UI

5028c 2844 norm DDE Server Window

40250 2844 norm Microsoft Word

20258 2440 norm Outlook Send/Receive Progress

10252 2440 norm DDE Server Window

1021e 2624 norm HP Task Scheduler Monitor

101fa 2440 norm WMS ST Notif Window 00000988 0000098C

101f6 2440 norm WMS Idle

101ca 2440 norm W

101c0 2528 norm ActiveMovie Window

101be 2528 norm ActiveMovie Window

101bc 2528 norm MSP PNP Notification Window

101ba 2528 norm CRTCClient

101b4 2528 norm CRTCIMService

101b0 2528 norm DDE Server Window

101ac 2440 norm Microsoft Outlook

20194 2168 norm Logitech GetMessage Hook

101a0 2168 norm LogiTrayMgrWnd

1019e 2168 norm Logitech E/M Executive

1019c 336 norm DIEmWin

1016c 2200 norm AcrobatTrayIcon

10112 616 norm iTouchWin

100fc 308 norm Mixer

100ee 1704 norm GhostStartTrayApp

100de 552 norm iTunes Helper

100d0 452 norm HP Photosmart Printer Series

100ce 772 norm QTPlayer Tray Icon

100c8 336 norm ATI Tray Icon Application

100c6 436 norm HPWU

100b4 352 norm ccApp

100b0 344 norm CanoScan D660U Energy Star

30054 1932 norm ATI video bios poller client

1002a 708 norm ATI video bios poller

40232 2440 norm GDI+ Window

70066 3720 norm Program Manager

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}]

"KeyVersion"="2.0.1"

"BHOVersion"="2.0.1"

"BHONew"="0"

"KeyNew"="0"

"KeyNew_Url"=""

"BHONew_Url"=""

"KeyNew_Version"=""

"BHONew_Version"=""

"BHO_Path"="4G>`[MRHS[W`6c4c5Fvs{wivLiptiv62hpp0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2788927-51C7-4927-BFDE-4EEFE7A0C7D3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{7033AEA2-76BC-4C75-8E79-23285ACF1A47}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{7033AEA2-76BC-4C75-8E79-23285ACF1A47}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]

"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

-------------------------------

hijackthis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:55:01 PM, on 5/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\gearsec.exe

E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

E:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Mixer.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\WINDOWS\System32\hphmon05.exe

E:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

E:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe

C:\Program Files\iPod\bin\iPodService.exe

E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

E:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\Messenger\msmsgs.exe

E:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HPHUPD05] E:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKLM\..\Run: [GhostStartTrayApp] E:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...ector/swdir.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

-------------------------

For the record, on the reboot after running HijackThis, my home page changed from the about this search page to msn.com!! Yea!

 

Please let me know if this is fixed or if there is more to do. Again, I am VERY grateful for your help!!


There is more to be done. I'm checking with the experts to see what the next step is.

 

-- LB


Apparently the fix I had you do didn't work. I'll see what needs to be tried next.

 

-- LB


Try running the fix again and see what happens.

 

The fix was supposed to remove the following file: hkmfbk.dll

 

Somehow it didn't happen.

 

-- LB


Try the following below and see if that works. Some of the programs listed below (besides reglite) you've probably downloaded already.

 

If you're not comfortable with any of the steps or have questions, let me know.

 

-- LB

 

------------------------------------------------------------------------------------------------------------

 

Download reglite

 

Install "Reglite" and run it, then enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ into the address bar.

Double click on AppInit_DLLs to open a "Data Editor" properties window. If the bottom text field named "Value" contains a .dll file, then this is the hidden file you need to get rid of.

You should not be able to delete this file if you try to clear the value field. IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.

Rename the folder "Windows" (this is a purple "highlighted" folder in the left-hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".

Click AppInit_DLLs again, clear the value containing the .dll and OK it. This should have removed the .dll.

Rename the Windows folder back to its original name, "Windows".

 

Run SpyBot, Ad-Aware and CWShredder

Check the following three links for instructions on downloading and running the applications listed:

 

How to use Spybot to remove Spyware

How to use Ad-Aware to remove Spyware

How to Remove CoolWebSearch with CoolWeb Shredder

 

Next step will be to remove this dll file so make sure you have it noted down.

Procedure 1

Download KillBox

Unzip and start the application

Paste in the dir <path and name of dll as found in the appinit value box> e.g. C:\Windows\System32\nameofdll.dll

Menu Select Action => Delete on Reboot

Select File => Add file <It should add the path automatically>

<Same Window> Select Action => Process and Reboot

 

Procedure 2 (If Procedure 1 did not work)

Click "Start" => "Run", type in "cmd" (without the quotations) and click on "OK".

This will open a command window. I will assume you have a basic knowledge of DOS; if you have any problems at this point, just write back and I will outline the commands.

Type in dir <path and name of dll as found in the appinit value box> and press "Enter". You should see the name of the file listed.

Go to the system32 folder (this is where the .dll file will typically reside) and type attrib -R "nameofdll".dll

Carry out Procedure 1 again

 

Restart your computer in safe mode (How do I boot into "Safe" mode?)

Open a cmd window again as before.

Type dir <path and name of dll as found in the appinit value box> and look for the dll name; the dll should now have been removed and will not be listed.

While in safe mode, run the 3 ad-removal programs again, just to make sure all traces are gone.

Boot up the PC as normal and the infection should be gone...

 

 

Now post a fresh log to see if you have any other infections...

 

 

Good Luck...


If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
