Acefowl

About:blank Problems

24 posts in this topic

About:blank has taken over my browser, and nothing I try seems to do anything. I've got all the current versions of Ad-Aware and Spybot, and neither seems to work. Also, not only is the net slow as heck, since About:blank hit the computer, something's been eating up virtual memory. I'm forced to reset my computer 2-3 times a night in order to get all my usual things done online. Please help!

 

Logfile of HijackThis v1.98.0

[Outdated log removed]

Edited by WinHelp2002


Please do this first:

  • Update to HijackThis 1.98.2:
     
    http://radiosplace.com
     
  • Download and run CleanUp!. Use the CleanUp! button
     
  • Reboot.
     
  • Download the latest version of Ad-Aware:
    http://www.lavasoft.de/support/download/
     
    After installing AAW, and before running the program, please be sure to update the reference file following the instructions here:
    http://www.lavahelp.net/howto/updref/
     
    Reconfigure Ad-Aware for Full Scan:
     
    Launch the program, and click on the Gear at the top of the start screen.
     
    Click the "Scanning" button.
    Under Drives, Folders and Files, select "Scan within Archives".
    Click "Click here to select Drives + folders" and select your installed hard drives.
     
    Under Memory & Registry, select all options.
    Click the "Advanced" button.
    Under "Log-file detail level", select all options.
    Click the "Tweaks" button.
     
    Under "Scanning Engine", select the following:
    "Unload recognized processes during scanning."
    Under "Cleaning Engine", select the following:
    "Let Windows remove files in use after reboot."
    Click on 'Proceed' to save these Preferences.
     
    Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

  • If you haven't done so, please scan with Spybot Search and Destroy:
     
    1. Download and install Spybot S&D, accepting the Default Settings
     
    2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
     
    3. Close ALL windows except Spybot S&D
     
    4. Click the button to ‘Search for Updates’ and download and install the Updates.
     
    5. Next click the button ‘Check for Problems’
     
    6. When Spybot is complete, it will be showing ‘RED’ entries, ‘BLACK’ entries and ‘GREEN’ entries in the window
     
    7. Make certain there is a check mark beside all of the RED entries ONLY.
     
    8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
     
    9. REBOOT to complete the scan.

  • Reboot, make a new HijackThis log and post it here.

Edited by H@ns


I did everything you asked of me, except I wasn't able to get either BitDefender or TrendMicro to work. Trendmicro booted me on the Scan Now screen every time, and I couldn't figure out how to start the scan on BitDefender, since no Scan button ever showed up. So except for that, here's the result:

 

Logfile of HijackThis v1.98.0

Scan saved at 12:37:12 AM, on 7/15/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\program files\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\fcmbdz.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE

C:\WINDOWS\System32\rnfrcior.exe

C:\Program Files\JUSearch\hcm.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

c:\PROGRA~1\mcafee.com\mps\mscifapp.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmwzkqav] C:\WINDOWS\pgjoqcfi.exe

O4 - HKLM\..\Run: [c] C:\WINDOWS\System32\fcmbdz.exe

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\}

O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"

O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKLM\..\Run: [// do not make any changes to anything past this point or tracking script will not ] c:\WINDOWS\System32\// do not make any changes to anything past this point or tracking script will not work

O4 - HKLM\..\Run: [var d] c:\WINDOWS\System32\var data;

O4 - HKLM\..\Run: [document.cookie='__support_check] c:\WINDOWS\System32\document.cookie='__support_check=1';

O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {

O4 - HKLM\..\Run: [if (document.referre] c:\WINDOWS\System32\if (document.referrer) {

O4 - HKLM\..\Run: [if (navigator.userAgen] c:\WINDOWS\System32\if (navigator.userAgent) {

O4 - HKLM\..\Run: [if (navigator.appVersio] c:\WINDOWS\System32\if (navigator.appVersion) {

O4 - HKLM\..\Run: [if (navigator.javaEnabled(] c:\WINDOWS\System32\if (navigator.javaEnabled()) {

O4 - HKLM\..\Run: [if (screen.widt] c:\WINDOWS\System32\if (screen.width) {

O4 - HKLM\..\Run: [if (screen.heigh] c:\WINDOWS\System32\if (screen.height) {

O4 - HKLM\..\Run: [if (screen.colorDept] c:\WINDOWS\System32\if (screen.colorDepth) {

O4 - HKLM\..\Run: [data = 'a=track' + domain_name + referrer_website + browser_name + full_browser_info + app_vers] c:\WINDOWS\System32\data = 'a=track' + domain_name + referrer_website + browser_name + full_browser_info + app_version;

O4 - HKLM\..\Run: [data = data + java_enabled + screen_width + screen_height + color_de] c:\WINDOWS\System32\data = data + java_enabled + screen_width + screen_height + color_depth;

O4 - HKLM\..\Run: [rnfrcior] C:\WINDOWS\System32\rnfrcior.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\}

O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKCU\..\Run: [// do not make any changes to anything past this point or tracking script will not ] c:\WINDOWS\System32\// do not make any changes to anything past this point or tracking script will not work

O4 - HKCU\..\Run: [var d] c:\WINDOWS\System32\var data;

O4 - HKCU\..\Run: [document.cookie='__support_check] c:\WINDOWS\System32\document.cookie='__support_check=1';

O4 - HKCU\..\Run: [} el] c:\WINDOWS\System32\} else {

O4 - HKCU\..\Run: [if (document.referre] c:\WINDOWS\System32\if (document.referrer) {

O4 - HKCU\..\Run: [if (navigator.userAgen] c:\WINDOWS\System32\if (navigator.userAgent) {

O4 - HKCU\..\Run: [if (navigator.appVersio] c:\WINDOWS\System32\if (navigator.appVersion) {

O4 - HKCU\..\Run: [if (navigator.javaEnabled(] c:\WINDOWS\System32\if (navigator.javaEnabled()) {

O4 - HKCU\..\Run: [if (screen.widt] c:\WINDOWS\System32\if (screen.width) {

O4 - HKCU\..\Run: [if (screen.heigh] c:\WINDOWS\System32\if (screen.height) {

O4 - HKCU\..\Run: [if (screen.colorDept] c:\WINDOWS\System32\if (screen.colorDepth) {

O4 - HKCU\..\Run: [data = 'a=track' + domain_name + referrer_website + browser_name + full_browser_info + app_vers] c:\WINDOWS\System32\data = 'a=track' + domain_name + referrer_website + browser_name + full_browser_info + app_version;

O4 - HKCU\..\Run: [data = data + java_enabled + screen_width + screen_height + color_de] c:\WINDOWS\System32\data = data + java_enabled + screen_width + screen_height + color_depth;

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)

O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab


Wow, you have strange things inside.

 

1. Reboot into safe mode by tapping F8 frequently during bootup.

 

2. Check these in HijackThis:

 

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\}

O4 - HKLM\..\Run: [// do not make any changes to anything past this point or tracking script will not ] c:\WINDOWS\System32\// do not make any changes to anything past this point or tracking script will not work

O4 - HKLM\..\Run: [var d] c:\WINDOWS\System32\var data;

O4 - HKLM\..\Run: [document.cookie='__support_check] c:\WINDOWS\System32\document.cookie='__support_check=1';

O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {

O4 - HKLM\..\Run: [if (document.referre] c:\WINDOWS\System32\if (document.referrer) {

O4 - HKLM\..\Run: [if (navigator.userAgen] c:\WINDOWS\System32\if (navigator.userAgent) {

O4 - HKLM\..\Run: [if (navigator.appVersio] c:\WINDOWS\System32\if (navigator.appVersion) {

O4 - HKLM\..\Run: [if (navigator.javaEnabled(] c:\WINDOWS\System32\if (navigator.javaEnabled()) {

O4 - HKLM\..\Run: [if (screen.widt] c:\WINDOWS\System32\if (screen.width) {

O4 - HKLM\..\Run: [if (screen.heigh] c:\WINDOWS\System32\if (screen.height) {

O4 - HKLM\..\Run: [if (screen.colorDept] c:\WINDOWS\System32\if (screen.colorDepth) {

O4 - HKLM\..\Run: [data = 'a=track' + domain_name + referrer_website + browser_name + full_browser_info + app_vers] c:\WINDOWS\System32\data = 'a=track' + domain_name + referrer_website + browser_name + full_browser_info + app_version;

O4 - HKLM\..\Run: [data = data + java_enabled + screen_width + screen_height + color_de] c:\WINDOWS\System32\data = data + java_enabled + screen_width + screen_height + color_depth;

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\}

O4 - HKCU\..\Run: [// do not make any changes to anything past this point or tracking script will not ] c:\WINDOWS\System32\// do not make any changes to anything past this point or tracking script will not work

O4 - HKCU\..\Run: [var d] c:\WINDOWS\System32\var data;

O4 - HKCU\..\Run: [document.cookie='__support_check] c:\WINDOWS\System32\document.cookie='__support_check=1';

O4 - HKCU\..\Run: [} el] c:\WINDOWS\System32\} else {

O4 - HKCU\..\Run: [if (document.referre] c:\WINDOWS\System32\if (document.referrer) {

O4 - HKCU\..\Run: [if (navigator.userAgen] c:\WINDOWS\System32\if (navigator.userAgent) {

O4 - HKCU\..\Run: [if (navigator.appVersio] c:\WINDOWS\System32\if (navigator.appVersion) {

O4 - HKCU\..\Run: [if (navigator.javaEnabled(] c:\WINDOWS\System32\if (navigator.javaEnabled()) {

O4 - HKCU\..\Run: [if (screen.widt] c:\WINDOWS\System32\if (screen.width) {

O4 - HKCU\..\Run: [if (screen.heigh] c:\WINDOWS\System32\if (screen.height) {

O4 - HKCU\..\Run: [if (screen.colorDept] c:\WINDOWS\System32\if (screen.colorDepth) {

O4 - HKCU\..\Run: [data = 'a=track' + domain_name + referrer_website + browser_name + full_browser_info + app_vers] c:\WINDOWS\System32\data = 'a=track' + domain_name + referrer_website + browser_name + full_browser_info + app_version;

O4 - HKCU\..\Run: [data = data + java_enabled + screen_width + screen_height + color_de] c:\WINDOWS\System32\data = data + java_enabled + screen_width + screen_height + color_depth;

 

3. Close all other windows and browsers, and hit Fix Checked.

 

4. Reboot into normal mode, make a new log, and post it here :)

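The check below is an added example, not part of the original thread: it parses O4 autostart lines in the HijackThis format shown above and flags the malformed ones listed in the preceding reply, i.e. Run values with an empty name or a command that does not resolve to an executable file. The function names and the two heuristics are assumptions made for illustration; the sample lines are an excerpt of the log posted above.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# HijackThis section O4 lists autostart entries, e.g.
#   O4 - HKLM\..\Run: [value name] command line
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")

# Unquoted commands may contain spaces ("C:\Program Files\..."), so the target
# is taken as the shortest prefix ending in an executable extension that is
# followed by whitespace or end of line. The extension list is an assumption.
EXE_TARGET = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)

# Excerpt of O4 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [var d] c:\WINDOWS\System32\var data;
O4 - HKLM\..\Run: [document.cookie='__support_check] c:\WINDOWS\System32\document.cookie='__support_check=1';
O4 - HKLM\..\Run: [if (screen.widt] c:\WINDOWS\System32\if (screen.width) {
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - Global Startup: Digital Line Detect.lnk = ?
"""


class RunEntry(NamedTuple):
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, ...
    name: str      # registry value name (may be empty)
    command: str   # registry value data as printed by HijackThis


def parse_o4(log_text: str) -> List[RunEntry]:
    """Return the registry Run-style O4 entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        match = O4_RUN.match(line.strip())
        if match:
            entries.append(RunEntry(*match.groups()))
    return entries


def target_path(command: str) -> Optional[str]:
    """Extract the executable path from a Run command line, or None."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        command = command[1:end] if end != -1 else command[1:]
    match = EXE_TARGET.match(command)
    return match.group(1) if match else None


def triage(entry: RunEntry) -> List[str]:
    """Return the reasons an entry looks malformed (empty list if none)."""
    reasons = []
    if not entry.name.strip():
        reasons.append("empty value name")
    if target_path(entry.command) is None:
        reasons.append("command does not point at an executable file")
    return reasons


def malformed_entries(log_text: str) -> List[Tuple[RunEntry, List[str]]]:
    """Pair every malformed O4 Run entry with the reasons it was flagged."""
    flagged = []
    for entry in parse_o4(log_text):
        reasons = triage(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in malformed_entries(SAMPLE_LOG):
        print(f"{entry.hive}\\{entry.key} [{entry.name}] -> {'; '.join(reasons)}")
```

Well-formed entries such as `[zzb] c:\WINDOWS\System32\zzb.exe` pass this check, so it only separates corrupt Run values from plausible-looking ones; the latter still need a reviewer's judgement.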

Yeah, I was wondering about those. I thought they were weird, but didn't wanna risk it. Here's the new log:

 

Logfile of HijackThis v1.98.2

Scan saved at 11:03:27 PM, on 9/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\program files\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\McAfee.com\MPS\mscifapp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\fcmbdz.exe

C:\WINDOWS\System32\rnfrcior.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Adam's Documents\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll

O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\toolbar.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmwzkqav] C:\WINDOWS\pgjoqcfi.exe

O4 - HKLM\..\Run: [c] C:\WINDOWS\System32\fcmbdz.exe

O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKLM\..\Run: [rnfrcior] C:\WINDOWS\System32\rnfrcior.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab


Great. Now let's fix the real bad stuff :)

 

1. Check and fix these in HijackThis with all other browsers/windows closed:

 

O4 - HKLM\..\Run: [mmwzkqav] C:\WINDOWS\pgjoqcfi.exe

O4 - HKLM\..\Run: [c] C:\WINDOWS\System32\fcmbdz.exe

O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKLM\..\Run: [rnfrcior] C:\WINDOWS\System32\rnfrcior.exe

O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

 

2. Reboot into safe mode by tapping F8 frequently during bootup.

Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".

 

3. Delete, in safe mode

C:\WINDOWS\pgjoqcfi.exe

C:\WINDOWS\System32\fcmbdz.exe

C:\WINDOWS\System32\zzb.exe

C:\WINDOWS\System32\rnfrcior.exe

 

4. Reboot into normal mode, make a new HijackThis log, and post it here :)


Ok, mostly done. I did run into one problem, though. After I cleaned the 5 items in HijackThis, I went in to delete the four .exe files. Thing is, I could only find the last three. "Pgjoqcfi.exe" didn't show up among the files in my Windows folder. I did have it set to find hidden files and folders, too, so I'm not sure where it went. In any case, here's the new log.

 

Thanks for all the help, by the way. I really appreciate this. This "About:Blank" thing has been a thorn in my side for months, so I'm glad you answered my call.

 

Logfile of HijackThis v1.98.2

Scan saved at 3:13:33 AM, on 9/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\program files\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\McAfee.com\MPS\mscifapp.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\JUSearch\hcm.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Adam's Documents\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll

O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\toolbar.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab


You're talking about About:blank like the problem isn't solved. Is this right or is the About:blank gone?

 

Your log is clean...


Oh, crap...

 

Uh, yeah, it appears to be gone, at least according to HijackThis's current scan after a couple sessions. Problem is, the Net still seems slow, and the virtual memory still fills up after about 15-20 minutes of activity, forcing me to log off and re-log in to continue my surfing. I had help from Dell a while back in trying to fix the virtual memory problem, but to no avail. I think at first it had to do with About:Blank (which is exactly when it started), but now I'm beginning to think it was something I did later.

 

You see, I've had this problem, at least according to my first post, for two months. Since I never got a response to my original post for so long, I attempted to take matters into my own hands. I did research, I downloaded all the spyware removal I could find, I changed the config according to what I'd seen on this site, and nothing I did could keep it off permanently. I'm thinking, however, that in my attempt to rid the problem, I might have gotten rid of something important on the hard drive that affected how the computer dealt with virtual memory, and that might be why I still have a problem with it. I knew something was wrong when I noticed Notepad was gone. So, I just might have delayed the solution to my problems due to my own ignorance. Oops...

 

On the good side, I know where the re-installation CDs are for the computer if I need to do that, but I'd rather not do that, as I'm not sure if that means reformatting the hard drive or not. I don't know if this falls within your area of expertise, but I don't suppose you have a solution to my ignorance that doesn't require anything too drastic? ::sheepish grin::


Please download this tool called 'About:Buster':

 

http://www.downloads.subratam.org/AboutBuster.zip

 

Run AboutBuster

- Click Update, to see if there are any updates available.

- Now click Start.

- Close ALL other browsers and windows.

- Click "OK" to start the scan.

- When the scan is done, click "Save Log". Add this log to your next reply here.

- When it asks you to run it for the 2nd time, choose Yes.

- When the scan is completed, click "Exit" twice.


Well, here's the About:Buster log:

 

 

Scanned at: 6:56:01 PM on: 9/27/2004

 

-- Scan 1 ---------------------------

About:Buster Version 3.0

Reference List : 15

 

No ADS found on system

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

-- Scan 2 ---------------------------

About:Buster Version 3.0

Reference List : 15

 

No ADS found on system

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

 

Problem is, on a hunch I scanned on HijackThis immediately after About:Buster and found this:

 

 

Logfile of HijackThis v1.98.2

Scan saved at 6:59:14 PM, on 9/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\program files\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\McAfee.com\MPS\mscifapp.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\JUSearch\hcm.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Adam's Documents\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Acefowl\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Acefowl\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Acefowl\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Acefowl\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Acefowl\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Acefowl\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll

O2 - BHO: (no name) - {151B5F71-4D92-41BB-BA35-B03FD06A9724} - C:\WINDOWS\System32\ecioc.dll

O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\toolbar.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O18 - Filter: text/html - {0E6B839D-FE4F-49F5-A56F-B91E6456CCC9} - C:\WINDOWS\System32\ecioc.dll

O18 - Filter: text/plain - {0E6B839D-FE4F-49F5-A56F-B91E6456CCC9} - C:\WINDOWS\System32\ecioc.dll

 

It took over my McAfee security page again when I logged back in, too. I guess it didn't leave after all. And now I'm confused, as I haven't visited any site I don't usually visit every day since yesterday, which mostly consist of web-based game sites and LiveJournal pages. I don't know how the Sam Hill it came back. Sigh...


Yes, I understand why you're infected by about:blank now :D

 

This infection needs a special treatment which I'm not familiar with. I'll ask the more experienced Helpers here to jump into my thread. :)


Hi. Please download and install the program Registrar Lite from here:

 

http://www.resplendence.com/reglite

 

Once it is installed, please double-click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

 

Once it is opened, copy and paste the line below into the address field of Registrar Lite.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section, the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.


Hello, mmxx66. Thank you for your time on this, it is very appreciated. And thanks for your previous help too, H@ns, for getting me to a part of the solution I couldn't get to myself.

 

After downloading the program and following your instructions, I got this in the Value field:

 

C:\WINDOWS\System32\kbdf.dll

 

I can only assume that this is the problem file, but I will refrain from beating it within an inch of its life until your next post. Funny thing is, I recognize this file. I followed some instructions I got on this site about searching through my DLLs for problem files of a specific size, but when I saw this one I thought it was cool because it had a convincing description when I held the mouse cursor over it. Just in case I'm wrong, though, I'll await your answer before I act on anything.


Please follow these steps:

 

Step 1:

Go to Folder Options> View

 

Scroll to the bottom of the list to find the box labeled:

Use Simple File Sharing(Recommended)

Remove the check from that box and press ok.

 

If you are using XP Home you won't see this option in the list; in this case skip this step.

 

Step 2:

 

Download CWShredder.exe

 

Save that file somewhere as we will use it later.

 

Step 3:

 

Download this file and then immediately sign off the internet and stay off until all steps are finished.

 

 

The file to download is here:

 

http://computercops.biz/modules.php?name=F...ownload&id=1183

 

Extract the batch file (hiving.bat) and run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box.

 

After a reboot the super hidden nasty file will no longer be loaded and will be visible. This will end the constant reinstall of about:Blank.

 

Step 4:

 

Restart the Computer.

 

Find this file:

c:\windows\system32\kbdf.dll

 

Use the security tab on kbdf.dll and take ownership.

Change the 'everyone special' to

'you> with Admin rights-> FULL control

Then try to delete it; if that fails, try to rename it first to a different name+ext.

 

Example:

kbdf.dll>bleh.txt

bleh.txt > badfile.111

 

If you are using XP Home you won't see the security tab; just right-click the file, go to Properties and unmark Read-only.

 

 

 

Step 5:

 

Extract and Run CWShredder immediately.

Press the fix button to clean.

 

Restart and run hijackThis again.

Post your new log here in your next reply.


Well, I downloaded Hiving.bat and CWShredder, ran Hiving.bat, and tried to delete kbdf.dll. Nothing doing. It wouldn't even let me remove the check from "Read-Only". And while I'm not the primary account on the computer, I do have Administration rights, so I don't know why I couldn't fix it. After running Ad-Aware, however, it did find a new .dll file, so I think that the Hiving.Bat file did its job, but kbdf.dll is still on the hard drive. Not sure how to get rid of it now, since CWShredder couldn't do it.

 

And yes, I do have Windows XP Home, so no security tab.

Edited by Acefowl


Post a new log please. We'll get rid of it later.


Understood. Here's the new log:

 

Logfile of HijackThis v1.98.2

Scan saved at 9:20:53 PM, on 9/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\program files\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\McAfee.com\MPS\mscifapp.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Juno\exec.exe

C:\Program Files\Juno\exec.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Adam's Documents\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll

O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\toolbar.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D9FC9D99-8588-4ADC-9FC9-FDCE9CB47D81}: NameServer = 64.136.28.120 64.136.20.120

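Comparing the 9/27 and 9/29 HijackThis logs above shows which entries the cleanup removed. The Python below is an added example, not part of the thread or of HijackThis: it parses the `R`/`O` entry lines, applies three review heuristics (assumptions chosen for this thread's logs), and diffs the two logs; the function names are hypothetical and the sample lines are copied from the posts above.

```python
import re

# Sample input: a few entry lines copied from the 9/27 and 9/29 logs in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Acefowl\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: (no name) - {151B5F71-4D92-41BB-BA35-B03FD06A9724} - C:\WINDOWS\System32\ecioc.dll
O18 - Filter: text/html - {0E6B839D-FE4F-49F5-A56F-B91E6456CCC9} - C:\WINDOWS\System32\ecioc.dll
O18 - Filter: text/plain - {0E6B839D-FE4F-49F5-A56F-B91E6456CCC9} - C:\WINDOWS\System32\ecioc.dll
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9FC9D99-8588-4ADC-9FC9-FDCE9CB47D81}: NameServer = 64.136.28.120 64.136.20.120
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return (section, detail) tuples for every R*/O* entry line, in log order."""
    found = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def review_reasons(section, detail):
    """Heuristics assumed for this example; they mark entries for review, not as proof."""
    reasons = []
    if section in ("R0", "R1") and re.search(r"= file://.*\\temp\\", detail, re.I):
        reasons.append("IE page setting loads a local file from a Temp folder")
    if section == "O2" and "(no name)" in detail:
        reasons.append("BHO registered without a name")
    if section == "O18" and re.match(r"Filter: text/(html|plain) ", detail):
        reasons.append("filter registered for a core text MIME type")
    return reasons

def module_of(detail):
    """Return the lower-cased DLL path that ends an entry, or None."""
    tail = detail.rsplit(" - ", 1)[-1].strip().lower()
    return tail if tail.endswith(".dll") else None

def shared_modules(entries):
    """Map each DLL named by flagged entries in more than one section to those sections."""
    seen = {}
    for section, detail in entries:
        dll = module_of(detail)
        if dll and review_reasons(section, detail):
            seen.setdefault(dll, set()).add(section)
    return {dll: secs for dll, secs in seen.items() if len(secs) > 1}

def diff_logs(before, after):
    """Return (removed, added) entries between two parsed logs."""
    return ([e for e in before if e not in after],
            [e for e in after if e not in before])

if __name__ == "__main__":
    before, after = parse_entries(LOG_BEFORE), parse_entries(LOG_AFTER)
    removed, added = diff_logs(before, after)
    for section, detail in removed:
        print("gone", section, detail, review_reasons(section, detail))
    print("new sections:", [section for section, _ in added])
    print("shared:", shared_modules(before))
```

An entry that is flagged in the first log and absent from the second only shows the registry reference is gone; as the posts above note, the file on disk can still be present.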

Did you set http://my.juno.com/s/search?r=minisearch as your home page?

 

And did you install the juno toolbar?

Edited by mmxx66


Yes and no, and Yes.

 

Juno is the homepage that shows up when it opens Internet Explorer after I log on, but when I open IE myself, I've set it to Yahoo. I don't know how to change Juno's preset homepage, if there is a way.

 

And Yes, our internet provider is Juno, so we do have the toolbar.


You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. This is the item to fix in HJT:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

This item is considered to be a resource hog that is not needed and it may be worthwhile to fix it with HJT. You will still be able to start it manually if you need it.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

 

That should do it.

 

How is it running?


I can't figure out how to change anything at startup, let alone even find out how to get to the dag-blasted folder, but I did fix the two items through HijackThis, so that's something.

 

As for the performance of the computer and the Internet, it feels like it's gone back to what it used to be. No virtual memory clogging up, not having to log off and on again to use it, and it's even back to its original speed. Other than that one freakin' file that I can't delete, it's like the computer was never infected. And thanks to you and H@ns's help, it's better protected against any future hijackings. I thank you two profusely for your help on this.


Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

 

And also see TonyKlein's good advice

So how did I get infected in the first place?

 

Good luck :D


Glad to see you were able to resolve your problem.

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.

This topic is now closed to further replies.