Jump to content


Photo

about blank has me!


  • This topic is locked This topic is locked
10 replies to this topic

#1 gravity_junky

gravity_junky

    Member

  • New Member
  • Pip
  • 4 posts

Posted 21 May 2004 - 09:23 AM

I am sure this is the place to find help on this. I have the about blank hijack resetting my homepage. I have run Spybot SD, CWShredder, and Hijackthis all from safe mode, but it came back. So i am guessing that i am not deleting something i should be. I have also after thinking i fixed the problem locked my homepage with a reg edit. But this morning i turn on my pc and about blank has returned.

Any assistance will be GREATLY appreciated!!! Here is my hijackthis log from this morning.

Logfile of HijackThis v1.97.7
Scan saved at 10:14:24 AM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\gearsec.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\Logitech\iTouch\iTouch.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
E:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
E:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {B2788927-51C7-4927-BFDE-4EEFE7A0C7D3} - C:\WINDOWS\System32\hkmfbk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] E:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [WebRebates] javaw -cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates"
O4 - HKLM\..\Run: [GhostStartTrayApp] E:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 21 May 2004 - 09:54 AM

Hi there and welcome to Spywareinfo.

I'm looking over your log to see what needs to be done. I'll be back once I've figured out what to do next.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#3 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 21 May 2004 - 12:35 PM

See this article for instructions on how to deal with the about:blank problem. Don't forget to post back here with the items mentioned in step 10.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#4 gravity_junky

gravity_junky

    Member

  • New Member
  • Pip
  • 4 posts

Posted 21 May 2004 - 03:22 PM

VashonDude, I will follow the steps and post back here with step 10 items. Thank you for you help!!!! :D

#5 gravity_junky

gravity_junky

    Member

  • New Member
  • Pip
  • 4 posts

Posted 21 May 2004 - 03:59 PM

ok here goes....

logs.txt from dllfix:

CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Fri 05/21/2004
04:31 PM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully

Deleting temp value

The operation completed successfully

Running from C:\Documents and Settings\jpeg\Desktop\dllfix
Processing File Manually
C:\WINDOWS\system32\COMD.DLL
Md5 Check of C:\WINDOWS\system32\COMD.DLL

Md5 tested As
File was found but md5 didnt match
MD5 was:
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\system32\COMD.DLL>

SetACL finished successfully.
File was zipped for submission to Shadowwar
File is located at C:\Documents and Settings\jpeg\Desktop\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

--------------------------------
output.txt from dllfix:

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Fri 05/21/2004
04:25 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "CLI" (5C6B:538C) - FS:NTFS clusters:4k
Total: 15 134 482 432 [14G] - Free: 7 781 298 176 [7.2G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:


*PC uptime:
4:25pm up 0 days, 5:50
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\COMD.DLL +++ File read error
\\?\C:\WINDOWS\System32\COMD.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
200c4 1768 norm TF_FloatingLangBar_WndTitle
100f8 1768 norm CiceroUIWndFrame
8007a 3720 norm Start Menu
4003e 3720 norm _Shell_TrayWnd
5005c 3720 norm SysFader
40144 2168 norm LgCruiseWindow
5031c 332 norm SysFader
20192 352 norm Norton AntiVirus
10026 484 high NetDDE Agent
101e0 2440 norm CiceroUIWndFrame
101de 2440 norm CiceroUIWndFrame
102b8 2844 norm CiceroUIWndFrame
20248 2844 norm CiceroUIWndFrame
10242 2440 norm View the Details of your Update Requests
1903f0 332 norm CiceroUIWndFrame
e037c 332 norm CiceroUIWndFrame
1003c8 3612 norm C:\WINDOWS\System32\cmd.exe
802dc 332 norm Subratam.org -> Kill Spyware Forums -> The about:blank Fix tutorial - Microsoft
40092 3720 norm dllfix
60306 3720 norm DDE Server Window
60312 3720 norm MCI command handling window
803d4 3720 norm Connections Tray
50304 3720 norm Power Meter
b02da 3720 norm MS_WebcheckMonitor
1003be 332 norm IMMIF UI
30332 332 norm DDE Server Window
10240 2440 norm PlaxoEvent
101d4 2440 norm Inbox - Microsoft Outlook
402f4 332 norm MCI command handling window
20310 332 norm DDE Server Window
c03fe 2440 norm diplomas - Message (HTML)
30272 820 norm Trillian
100154 820 norm Trillian
160124 820 norm MCI command handling window
e0118 820 norm ICQ - 256317695 - Console
c033a 820 norm AIM - TobuZen - Console
120142 2440 norm MCI command handling window
130148 2440 norm OutlookFbThreadWnd
102be 2440 norm IMMIF UI
5028c 2844 norm DDE Server Window
40250 2844 norm Microsoft Word
20258 2440 norm Outlook Send/Receive Progress
10252 2440 norm DDE Server Window
1021e 2624 norm HP Task Scheduler Monitor
101fa 2440 norm WMS ST Notif Window 00000988 0000098C
101f6 2440 norm WMS Idle
101ca 2440 norm W
101c0 2528 norm ActiveMovie Window
101be 2528 norm ActiveMovie Window
101bc 2528 norm MSP PNP Notification Window
101ba 2528 norm CRTCClient
101b4 2528 norm CRTCIMService
101b0 2528 norm DDE Server Window
101ac 2440 norm Microsoft Outlook
20194 2168 norm Logitech GetMessage Hook
101a0 2168 norm LogiTrayMgrWnd
1019e 2168 norm Logitech E/M Executive
1019c 336 norm DIEmWin
1016c 2200 norm AcrobatTrayIcon
10112 616 norm iTouchWin
100fc 308 norm Mixer
100ee 1704 norm GhostStartTrayApp
100de 552 norm iTunes Helper
100d0 452 norm HP Photosmart Printer Series
100ce 772 norm QTPlayer Tray Icon
100c8 336 norm ATI Tray Icon Application
100c6 436 norm HPWU
100b4 352 norm ccApp
100b0 344 norm CanoScan D660U Energy Star
30054 1932 norm ATI video bios poller client
1002a 708 norm ATI video bios poller
40232 2440 norm GDI+ Window
70066 3720 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}]
"KeyVersion"="2.0.1"
"BHOVersion"="2.0.1"
"BHONew"="0"
"KeyNew"="0"
"KeyNew_Url"=""
"BHONew_Url"=""
"KeyNew_Version"=""
"BHONew_Version"=""
"BHO_Path"="4G>`[MRHS[W`6c4c5Fvs{wivLiptiv62hpp0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2788927-51C7-4927-BFDE-4EEFE7A0C7D3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{7033AEA2-76BC-4C75-8E79-23285ACF1A47}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{7033AEA2-76BC-4C75-8E79-23285ACF1A47}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

-------------------------------
hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:55:01 PM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\gearsec.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hkmfbk.dll/sp.html (obfuscated)
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] E:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [GhostStartTrayApp] E:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

-------------------------
for the record, on the reboot after running hijackthis, my home page changed from the about this search page to msn.com!! yea!

Please let me know if this is fixed or if there is more to do. Again, I am VERY gratefull for your help!!

#6 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 21 May 2004 - 04:10 PM

There is more to be done. I'm checking with the experts to see what the next step is.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#7 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 21 May 2004 - 04:48 PM

Apparently the fix I had you do didn't work. I'll see what needs to be tried next.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#8 gravity_junky

gravity_junky

    Member

  • New Member
  • Pip
  • 4 posts

Posted 21 May 2004 - 04:50 PM

oh ok, it did return my homepage to msn.com. but, i am with ya, i DO want to get everything taken care of.

#9 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 21 May 2004 - 05:10 PM

Try running the fix again and see what happens.

The fix was supposed to remove the following file: hkmfbk.dll

Somehow it didn't happen.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#10 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 21 May 2004 - 11:47 PM

Try the following below and see if that works. Some of the programs listed below (besides reglite) you've probably downloaded already.

If you're not comfortable with any of the steps or have questions, let me know.

-- LB

------------------------------------------------------------------------------------------------------------

Download reglite

install "Reglite" and run it, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ into the address bar.
Double click on AppInit_DLLs to open a "Data Editor" properties window, if the bottom textfield named "Value" contains a .dll file; then this is the hidden file you need to get rid off.
You should not be able to delete this file if you try to clear the value field, IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.
Rename the Folder "Windows" (This is a purple "highlighted" folder in the left hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".
Click AppInit_DLLs again and clear the value containing the .dll and ok it. This should have removed the .dll
Rename the windows folder back to its original name "Windows".

Run SpyBot, Ad-Aware and CWShredder
Check the following three links for instructions on downloading and running the applications listed:

How to use Spybot to remove Spyware
How to use Ad-Aware to remove Spyware
How to Remove CoolWebSearch with CoolWeb Shredder

Next step will be to remove this dll file so make sure you have it noted down.
Procedure 1
Download KillBox
Unzip and start the application
Paste in the dir <path and name of dll as found in the appinit value box> e.g. C:\Windows\System32\nameofdll.dll
Menu Select Action => Delete on Reboot
Select File => Add file <It should add the path automatically>
<Same Window> Select Action => Process and Reboot

Procedure 2 (If Procedure 1 did not work)
Click "Start" => "Run" and type in "cmd" (Without the quotations) and click on "Okay".
This will open a command window I will assume you have a basic knowledge of DOS if you have any problems at this point just write back I will outline the commands.
Type in dir <path and name of dll as found in the appinit value box> and press "Enter". You should see the name of the file listed.
Go to the system32 folder (This is where the .dll file will typically reside) and type attrib -R "nameofdll".dll
Carry out Procedure 1 again

Restart your computer in safemode (How do I boot into "Safe" mode?)
Open cmd window again as before
Type dir <path and name of dll as found in the appinit value box> and locate the dll name the dll should now have been removed and will not be listed.
While in safe mode, run the 3 ad-removal programs again, just to make sure all traces are gone.
Boot up pc as normal and the infection should be gone...


Now post a fresh log to see if you have any other infections...


Good Luck...
Want to help in the fight against malware? Join the SWI boot camp.

#11 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 11 October 2004 - 03:42 PM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button