GroundControl

About:Buster Temporarily Worked, Popups remain

12 posts in this topic

I've always depended on the kindness of strangers..

I've visited the FAQ page.

I've run updated versions of Ad-Aware (log file included) and Spy-Bot, where no immediate threats were found.

I've run HijackThis. Log file included.

I also ran About:Buster in safe mode and had my homepage back for the next time I opened IE, but About:Blank returned the second time I opened IE and continues to return. (About:Buster log file included)

Popups still come up with the titles: "Welcome to the System Performance Wizard - Microsoft Internet Explorer", "Ad-ware, Spyware, Pop-ups - They Invade your privacy and harm your PC - Microsoft Internet Explorer", "Spyware Removal - Microsoft Internet Explorer", or "Warning - Microsoft Internet Explorer."

The same pop-ups also appear after I sign into AIM.

Well anywho, About:Blank is bigger than I thought. Hopefully through feedback and development we will be able to kill it off and prevent it from happening in the future.

Thanks to anyone who takes a look at this.

Here are the logs:

 

AD-AWARE LOG

 

Lavasoft Ad-aware Plus Build 6.181

Logfile created on :Saturday, July 17, 2004 2:56:21 AM

Using reference-file :01R331 08.07.2004

______________________________________________________

 

Reffile status:

=========================

Reference file loaded:

Reference Number : 01R331 08.07.2004

Internal build : 263

File location : C:\Program Files\Ad-aware 6\reflist.ref

Total size : 1300142 Bytes

Signature data size : 1279388 Bytes

Reference data size : 20690 Bytes

Signatures total : 28395

Target categories : 10

Target families : 519

 

Memory + processor status:

==========================

Number of processors : 1

Processor architecture : Intel Pentium II

Memory available:36 %

Total physical memory:261684 kb

Available physical memory:92864 kb

Total page file size:1027040 kb

Available on page file:792388 kb

Total virtual memory:2097024 kb

Available virtual memory:2049692 kb

OS:

 

Ad-aware Settings

=========================

Set : Activate in-depth scan (Recommended)

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-aware Settings

=========================

Set : Unload recognized processes during scanning

Set : Include basic Ad-aware settings in logfile

Set : Include additional Ad-aware settings in logfile

Set : Automatically mark all objects in result list

Set : Let windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Block Popups and banned sites

Set : Automatically pop up event log if event occours

Set : Show splash screen

Set : Always back up reference file, before updating

Set : Play sound if scan produced a result

 

 

7-17-2004 2:56:21 AM - Scan started. (Custom mode)

 

Listing running processes

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ThreadCreationTime : 7-17-2004 7:10:29 AM

BasePriority : Normal

 

 

#:2 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ThreadCreationTime : 7-17-2004 7:10:31 AM

BasePriority : High

 

 

#:3 [services.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 7-17-2004 7:10:33 AM

BasePriority : Normal

FileSize : 99 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

OriginalFilename : services.exe

ProductName : Microsoft

Created on : 8/23/2001 12:00:00 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 8/23/2001 12:00:00 PM

 

#:4 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 7-17-2004 7:10:33 AM

BasePriority : Normal

FileSize : 11 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

OriginalFilename : lsass.exe

ProductName : Microsoft

Created on : 8/23/2001 12:00:00 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 8/23/2001 12:00:00 PM

 

#:5 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 7-17-2004 7:10:37 AM

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 8/23/2001 12:00:00 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 8/23/2001 12:00:00 PM

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 7-17-2004 7:10:38 AM

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 8/23/2001 12:00:00 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 8/23/2001 12:00:00 PM

 

#:7 [lexbces.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 7-17-2004 7:10:47 AM

BasePriority : Normal

FileSize : 296 KB

FileVersion : 7.4

ProductVersion : 7.4

Copyright : © 1993 - 2002 Lexmark International, Inc.

CompanyName : Lexmark International, Inc.

FileDescription : LexBce Service

InternalName : LexBce Service

OriginalFilename : LexBceS.exe

ProductName : MarkVision for Windows (32 bit)

Created on : 10/14/2002 8:03:18 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 10/14/2002 8:03:18 PM

 

#:8 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 7-17-2004 7:10:47 AM

BasePriority : Normal

FileSize : 50 KB

FileVersion : 5.1.2600.0 (XPClient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

OriginalFilename : spoolsv.exe

ProductName : Microsoft

Created on : 8/23/2001 12:00:00 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 8/23/2001 12:00:00 PM

 

#:9 [lexpps.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 7-17-2004 7:10:47 AM

BasePriority : Normal

FileSize : 170 KB

FileVersion : 7.4

ProductVersion : 7.4

Copyright : © 1993 - 2002 Lexmark International, Inc.

CompanyName : Lexmark International, Inc.

FileDescription : LEXPPS.EXE

InternalName : LEXPPS

OriginalFilename : LEXPPS.EXE

ProductName : MarkVision for Windows (32 bit)

Created on : 10/14/2002 8:00:41 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 10/14/2002 8:00:41 PM

 

#:10 [atievxx.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 7-17-2004 7:10:51 AM

BasePriority : Normal

FileSize : 36 KB

FileVersion : 5.1.2482.0 (Lab01_N(ericks).010524-2202)

ProductVersion : 5.1.2482.0

CompanyName : Microsoft Corporation

FileDescription : ATI Hotkey polling utility

InternalName : atievxx.exe

OriginalFilename : atievxx.exe

ProductName : Microsoft

Created on : 5/6/2004 2:28:41 AM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 8/17/2001 10:36:38 PM

 

#:11 [defwatch.exe]

FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\

ThreadCreationTime : 7-17-2004 7:10:52 AM

BasePriority : Normal

FileSize : 32 KB

FileVersion : 8.00.00.9374

ProductVersion : 8.00.00.9374

Copyright : Copyright

CompanyName : Symantec Corporation

FileDescription : Virus Definition Daemon

InternalName : DefWatch

OriginalFilename : DefWatch.exe

ProductName : Norton AntiVirus

Created on : 7/30/2002 4:36:00 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 7/30/2002 4:36:00 PM

 

#:12 [mdm.exe]

FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\

ThreadCreationTime : 7-17-2004 7:10:53 AM

BasePriority : Normal

FileSize : 314 KB

FileVersion : 7.00.9466

ProductVersion : 7.00.9466

CompanyName : Microsoft Corporation

FileDescription : Machine Debug Manager

InternalName : mdm.exe

OriginalFilename : mdm.exe

ProductName : Microsoft

Created on : 6/20/2003 4:25:00 AM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 6/20/2003 4:25:00 AM

 

#:13 [rtvscan.exe]

FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\

ThreadCreationTime : 7-17-2004 7:10:54 AM

BasePriority : Normal

FileSize : 560 KB

FileVersion : 8.00.00.9374

ProductVersion : 8.00.00.9374

Copyright : Copyright © Symantec Corporation 1991-2002

CompanyName : Symantec Corporation

FileDescription : Symantec AntiVirus

ProductName : Symantec AntiVirus

Created on : 7/30/2002 4:40:44 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 7/30/2002 4:40:44 PM

 

#:14 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 7-17-2004 7:10:59 AM

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 8/23/2001 12:00:00 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 8/23/2001 12:00:00 PM

 

#:15 [explorer.exe]

FilePath : C:\WINDOWS\

ThreadCreationTime : 7-17-2004 7:11:04 AM

BasePriority : Normal

FileSize : 977 KB

FileVersion : 6.00.2600.0000 (xpclient.010817-1148)

ProductVersion : 6.00.2600.0000

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

OriginalFilename : EXPLORER.EXE

ProductName : Microsoft

Created on : 8/23/2001 12:00:00 PM

Last accessed : 7/17/2004 7:11:09 AM

Last modified : 8/23/2001 12:00:00 PM

 

#:16 [vptray.exe]

FilePath : C:\PROGRA~1\SYMANT~1\SYMANT~1\

ThreadCreationTime : 7-17-2004 7:11:14 AM

BasePriority : Normal

FileSize : 76 KB

FileVersion : 8.00.00.9374

ProductVersion : 8.00.00.9374

Copyright : Copyright © Symantec Corporation 1991-2002

CompanyName : Symantec Corporation

FileDescription : Symantec AntiVirus

ProductName : Symantec AntiVirus

Created on : 7/30/2002 4:35:04 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 7/30/2002 4:35:04 PM

 

#:17 [ituneshelper.exe]

FilePath : C:\Program Files\iTunes\

ThreadCreationTime : 7-17-2004 7:11:14 AM

BasePriority : Normal

FileSize : 280 KB

FileVersion : 4.5.0.31

ProductVersion : 4.5.0.31

CompanyName : Apple Computer, Inc.

FileDescription : iTunesHelper Module

InternalName : iTunesHelper

OriginalFilename : iTunesHelper.exe

ProductName : iTunes

Created on : 4/21/2004 4:28:18 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 4/21/2004 4:28:18 PM

 

#:18 [lxbbbmgr.exe]

FilePath : C:\Program Files\Lexmark X74-X75\

ThreadCreationTime : 7-17-2004 7:11:14 AM

BasePriority : Normal

FileSize : 56 KB

FileVersion : 1.0.6.0

ProductVersion : 1.0.6.0

Copyright : © 2002 Lexmark International, Inc.

CompanyName : Lexmark International, Inc.

FileDescription : Lexmark X74-X75 Button Manager

InternalName : lxbbbmgr.exe

OriginalFilename : lxbbbmgr.exe

ProductName : Button Manager Executable

Created on : 10/14/2002 8:09:12 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 10/14/2002 8:09:12 PM

 

#:19 [ctfmon.exe]

FilePath : C:\WINDOWS\System32\

ThreadCreationTime : 7-17-2004 7:11:15 AM

BasePriority : Normal

FileSize : 13 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

OriginalFilename : CTFMON.EXE

ProductName : Microsoft

Created on : 8/23/2001 12:00:00 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 8/23/2001 12:00:00 PM

 

#:20 [lxbbbmon.exe]

FilePath : C:\Program Files\Lexmark X74-X75\

ThreadCreationTime : 7-17-2004 7:11:25 AM

BasePriority : Normal

FileSize : 48 KB

FileVersion : 1.0.6.0

ProductVersion : 1.0.6.0

Copyright : © 2002 Lexmark International, Inc.

CompanyName : Lexmark International, Inc.

FileDescription : Lexmark X74-X75 Button Monitor

InternalName : lxbbbmon.exe

OriginalFilename : lxbbbmon.exe

ProductName : Button Monitor Executable

Created on : 10/14/2002 8:22:04 PM

Last accessed : 7/17/2004 7:10:27 AM

Last modified : 10/14/2002 8:22:04 PM

 

#:21 [ipodservice.exe]

FilePath : C:\Program Files\iPod\bin\

ThreadCreationTime : 7-17-2004 7:11:39 AM

BasePriority : Normal

FileSize : 392 KB

FileVersion : 4.5.0.31

ProductVersion : 4.5.0.31

CompanyName : Apple Computer, Inc.

FileDescription : iPodService Module

InternalName : iPodService

OriginalFilename : iPodService.exe

ProductName : iTunes

Created on : 4/21/2004 4:28:04 PM

Last accessed : 7/17/2004 7:07:37 AM

Last modified : 4/21/2004 4:28:04 PM

 

#:22 [iexplore.exe]

FilePath : C:\Program Files\Internet Explorer\

ThreadCreationTime : 7-17-2004 7:13:39 AM

BasePriority : Normal

FileSize : 89 KB

FileVersion : 6.00.2600.0000 (xpclient.010817-1148)

ProductVersion : 6.00.2600.0000

CompanyName : Microsoft Corporation

FileDescription : Internet Explorer

InternalName : iexplore

OriginalFilename : IEXPLORE.EXE

ProductName : Microsoft

Created on : 5/6/2004 7:40:07 AM

Last accessed : 7/17/2004 7:13:42 AM

Last modified : 8/23/2001 12:00:00 PM

 

#:23 [ad-aware.exe]

FilePath : C:\Program Files\Ad-aware 6\

ThreadCreationTime : 7-17-2004 7:52:09 AM

BasePriority : Normal

FileSize : 671 KB

FileVersion : 6.0.1.182

ProductVersion : 6.0.0.0

Copyright : Copyright

CompanyName : Lavasoft Sweden

FileDescription : Ad-aware 6 core application

InternalName : Ad-aware.exe

OriginalFilename : Ad-aware.exe

ProductName : Lavasoft Ad-aware Plus

Created on : 6/30/2004 8:31:51 PM

Last accessed : 7/17/2004 7:52:09 AM

Last modified : 7/13/2003 3:01:14 AM

 

Memory scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

 

Data : "about:blank"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Search Page

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Search Bar

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Search

Value : SearchAssistant

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Search Page

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Search Bar

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Search

Value : SearchAssistant

Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

 

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 8

Objects found so far: 8

 

 

Deep scanning and examining files (A:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Disk scan result for A:\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 8

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Disk scan result for C:\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 8

 

 

Deep scanning and examining files (D:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Disk scan result for D:\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 8

 

 

Deep scanning and examining files (E:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Disk scan result for E:\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 8

 

 

Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Hosts file scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

1 entries scanned.

New objects :0

Objects found so far: 8

 

 

 

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Conditional scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 8

 

 

3:20:12 AM Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:23:49:696

Objects scanned :95450

Objects identified :8

Objects ignored :0

New objects :8

 

 

HIJACKTHIS LOG

 

Logfile of HijackThis v1.97.7

Scan saved at 1:22:33 AM, on 7/17/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\atievxx.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\winlogon.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Aut Phanthavong\My Documents\Download Installation Files\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {38E38CFD-D89E-482E-B400-D7E4B360E4F4} - C:\WINDOWS\System32\gfbmm.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_204/w...OCX/FlashAX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB9AAC2-52F6-46D6-B968-3A24B00FABBE}: NameServer = 129.74.250.100 129.74.4.18

 

 

ABOUT:BUSTER LOG

 

-- Scan 1 --------

About:Buster Version 1.30

Attempted Clean Of Temp folder.

Pages Reset... Done!


To anyone other than the originator of this topic: do not copy this thread and try to fix your system or anyone else's by following it - this is not an automatic fix and requires the logs to be properly interpreted.

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done, post the contents of Log.txt in this thread.


Thank you Daemon for responding.

Here are the contents of the FINDnFix.exe logfile:

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder

and is the destination for the file to be moved..

-*Previous directions will no longer work...

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q837009-Q832894-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

Sat 17 Jul 04 12:50:29

12:50am up 0 days, 0:23

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided should help narrow down the list, and hopefully

pinpoint the culprit.

Along with that,registry scan logged at the end should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

*For *Helpers/Mods and/or users that are not familiar with any of the

items on the scan results- I recommend using an alternative, once

you know what to look for!

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/16)»»»»»»»»»»»»»»»»

 

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINDOWS\System32\RESBA.DLL +++ File read error

\\?\C:\WINDOWS\System32\RESBA.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

RESBA.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

resba.dll Fri Jun 25 2004 9:40:50p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\RESBA.DLL

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

¯ Access denied ® ..................... RESBA.DLL .....57344 25.06.2004

 

»»»»»(*6*)»»»»»

fgrep: can't open input C:\WINDOWS\SYSTEM32\RESBA.DLL

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

C:\WINDOWS\SYSTEM32\

resba.dll Fri Jun 25 2004 9:40:50p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\RESBA.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group BPHANTHA\None.

User is a member of group \Everyone.

User is a member of group BPHANTHA\Debugger Users.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

 

»»»»»»Backups created...»»»»»»

12:52am up 0 days, 0:25

Sat 17 Jul 04 12:52:52

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-17-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-17-2004 winkey.reg

*Temp backups...

A----- KEYBACK2.HIV 00002000 12:50.22 17/07/2004

A----- WINKEY2 .REG 0000011F 12:50.24 17/07/2004

 

C:\FINDNFIX\

JUNKXXX Sat Jul 17 2004 12:50:20p .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

»»Performing string scan....

00001150: ?

00001190: vk < f AppInit_

000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ r e s b a .

00001210:d l l vk P UDeviceNotSelectedTimeout

00001250: 1 5 ( W 9 0 ! vk ' zGDIProce

00001290:ssHandleQuota" vk Spooler2 y e s

000012D0: p vk =pswapdisk vk

00001310: ` R TransmissionRetryTimeout p

00001350: X vk ' , USERProcessHandleQuota, x

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

00001590:

000015D0:

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æGÀÿÿÿC

--------------

--------------

$011C8: AppInit_DLLs

$01237: UDeviceNotSelectedTimeout

$01287: zGDIProcessHandleQuota

$01320: TransmissionRetryTimeout

$01370: USERProcessHandleQuota

--------------

--------------

C:\WINDOWS\System32\resba.dll

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value exists and reports as 60 bytes, including the 2 for string termination.

 

[AppInitDLLs]

Ansi string : "C:\WINDOWS\System32\resba.dll"

0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.

0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.

0020 6d 00 33 00 32 00 5c 00 72 00 65 00 73 00 62 00 | m.3.2.\.r.e.s.b.

0030 61 00 2e 00 64 00 6c 00 6c 00 00 00 | a...d.l.l...

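The hex dump at the end of the log above is the raw AppInit_DLLs value: a UTF-16LE REG_SZ whose 60 bytes (29 characters plus the 2-byte terminator) spell out the path of the hijacker DLL. Every DLL listed in that value is loaded by user32.dll into every process that links it, which is why resba.dll survives About:Buster and comes back the second time IE is opened. The following is an added example, not code from this thread or from FINDnFIX: it decodes a dump in that format, checks the byte count the log reports, splits the value into its DLL list, and reads the same value back out of a REGEDIT4 export like the one FIX.bat produces. The dump lines are copied from the log; the "before fix" .reg text is constructed for the example from the path the log shows.

```python
"""Decode the AppInit_DLLs value as FINDnFIX dumps it and read it back from a .reg export.

Added example, not code from the thread or from FINDnFIX. Every DLL named in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs is loaded into
every process that loads user32.dll, which is why a hijacker such as the resba.dll in
this thread uses it for persistence.
"""
import re
from typing import List, Optional

# Hex dump copied from the log above: UTF-16LE text, 60 bytes including the 2-byte NUL.
APPINIT_DUMP = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 72 00 65 00 73 00 62 00 | m.3.2.\.r.e.s.b.
0030 61 00 2e 00 64 00 6c 00 6c 00 00 00 | a...d.l.l...
"""

# Constructed for this example: what the key exported as REGEDIT4 would have looked
# like before FIX.bat ran (.reg syntax doubles backslashes inside string values).
REG_BEFORE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\resba.dll"
'''

# The clean value, as in the export the log shows after the fix.
REG_AFTER = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
'''


def dump_to_bytes(dump: str) -> bytes:
    """Turn 'offset xx xx ... | ascii' lines into the raw bytes they describe."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_part = line.split("|", 1)[0]
        fields = hex_part.split()
        out.extend(int(h, 16) for h in fields[1:])  # fields[0] is the offset column
    return bytes(out)


def decode_appinit(raw: bytes) -> str:
    """Decode the REG_SZ bytes (UTF-16LE) and drop the terminator and anything after it."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def split_appinit(value: str) -> List[str]:
    """AppInit_DLLs holds a list of DLL paths separated by spaces and/or commas."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def parse_reg_appinit(reg_text: str) -> Optional[str]:
    """Return the AppInit_DLLs string from a REGEDIT4 export, unescaped; None if absent."""
    m = re.search(r'^"AppInit_DLLs"="((?:[^"\\]|\\.)*)"', reg_text, re.MULTILINE)
    if m is None:
        return None
    return m.group(1).replace("\\\\", "\\").replace('\\"', '"')


def assess(value: str) -> dict:
    """Summarise a value: on this XP box an empty list is the expected, clean state."""
    dlls = split_appinit(value)
    return {"dlls": dlls, "clean": not dlls}


if __name__ == "__main__":
    raw = dump_to_bytes(APPINIT_DUMP)
    value = decode_appinit(raw)
    print(f"{len(raw)} bytes -> {value!r} -> {assess(value)}")
    print("before fix:", assess(parse_reg_appinit(REG_BEFORE)))
    print("after fix: ", assess(parse_reg_appinit(REG_AFTER)))
```

The "clean" flag only means the list is empty; some legitimate software does register itself in AppInit_DLLs, so a non-empty value is a prompt to identify each DLL, not proof of infection on its own. The decoder keeps the hex columns and ignores the ASCII rendering, which is the part of such dumps most likely to be mangled by a forum post.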

It seems I have the same problem. About:Buster temporarily fixes it, but when I go into IE a second time it's back to the about:blank page again. Should I install FindNFix.exe and create a new thread with the log in it?

Edited by oshmir


In the keys1 folder, double-click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to the C:\Windows\System32 folder, find the RESBA.DLL file (it should be visible now). Highlight the file and using the top menu, click Edit>Move to folder...

 

Select C:\Findnfix\junkxxx as destination. Move the file.

 

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in the FINDnFIX folder there will be a file called Log2.txt - post its contents in your next reply.

 

oshmir: start a new topic with a HJT log and send me a link.


Log2.txt

 

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Sat 17 Jul 04 14:36:50

2:36pm up 0 days, 0:03

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q837009-Q832894-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG2!***»»»»»»»»»»»»»»»»

 

This log will confirm if the file was successfully moved, and/or the right file was selected.

 

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

No matches found.

Unknown/hidden files...

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»»»(5)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»»»(*6*)»»»»»

 

»»»»»»» Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

\\?\C:\FINDnFIX\junkxxx\RESBA.222 +++ File read error

C:\FINDnFIX\junkxxx\RESBA.222 +++ File read error

 

 

C:\FINDNFIX\JUNKXXX\

resba.222 Fri Jun 25 2004 9:40:50p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\FINDNFIX\JUNKXXX\RESBA.222

 

fgrep: can't open input C:\FINDNFIX\JUNKXXX\RESBA.222

 

A----R RESBA .222 0000E000 21:40.50 25/06/2004

 

-ra-- - - - - - 57,344 06-25-2004 resba.222

A R C:\FINDnFIX\junkxxx\resba.222

 

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.

MD5 Message Digest Algorithm by RSA Data Security, Inc.

 

File name Size Date Time MD5 Hash

________________________________________________________________________
C:\FINDnFIX\junkxxx\RESBA.222 can't be opened.

 

File: <C:\FINDnFIX\junkxxx\resba.222>

 

 

 

 

»»Permissions:

C:\FINDnFIX\junkxxx\resba.222

Directory "C:\FINDnFIX\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BPHANTHA\Aut Phanthavong

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: BPHANTHA\Aut Phanthavong

 

Primary Group: BPHANTHA\None

 

Directory "C:\FINDnFIX\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BPHANTHA\Aut Phanthavong

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: BPHANTHA\Aut Phanthavong

 

Primary Group: BPHANTHA\None

 

File "C:\FINDnFIX\junkxxx\resba.222"

Access is denied.

 

error in ListAccessRights on C:\FINDnFIX\junkxxx\resba.222

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

00001150: ?

00001190: vk UDeviceNo

000011D0:tSelectedTimeout 1 5 ( W vk ' z

00001210:GDIProcessHandleQuota" 9 0 ! vk X

00001250:Spooler2 y e s vk =pswapdisk

00001290: 8 h vk ( R TransmissionRetryTimeout

000012D0: vk ' , USERProcessHandleQuota, 8

00001310:h vk y AppInit_DLLsecte

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

 

---------- NEWWIN.TXT

AppInit_DLLsecte¸

--------------

--------------

$011C7: UDeviceNotSelectedTimeout

$0120F: zGDIProcessHandleQuota

$012B8: TransmissionRetryTimeout

$012E8: USERProcessHandleQuota

$01338: AppInit_DLLsecte

--------------

--------------

No strings found.

 

 

d.... 0 Jul 17 12:50 .

d.... 0 Jul 17 12:50 ..

...ra 57344 Jun 25 21:40 resba.222

 

3 files found occupying 55296 bytes

 

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

 

C:\FINDNFIX\JUNKXXX

 

 

===============================================================================

57,344 bytes 955,733 cps

Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.06

 

VDIR v1.00

Path: C:\FINDNFIX\JUNKXXX\*.*

---------------------------------------+---------------------------------------

. <dir> 07-17-:4 12:50|RESBA 222 57344 A R 06-25-:4 21:40

.. <dir> 07-17-:4 12:50|

---------------------------------------+---------------------------------------

3 files totaling 57344 bytes consuming 65024 bytes of disk space.

17299968 bytes available on Drive C: No volume label

oshmir: start a new topic with a HJT log and send me a link.

Actually 808Chick has been helping me out with my log, but unfortunately it doesn't really seem to be doing much. link

 

edit: Well nevermind. It appears she has fixed my homepage problem.

Edited by oshmir


Well done GroundControl :D Nearly there, open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat. It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

 

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder. Could you click here to download CWShredder by Merijn Bellekom and run it, hitting 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1. Reboot when done. Rescan with HJT and post a new log in your next reply.


Thank you for helping me Daemon, you are quite the blessing.

 

A few updates: I opened the ZIPZAP.bat file, I've emailed the junkxxx.zip file, and I've run CWShredder, but I could not delete the entire FINDnFIX folder.

 

The message "Cannot delete resba.333 : Access is denied Make sure the disk is not full or write-protected and that the file is not currently in use" appears when I try to delete the FINDnFIX folder.

 

Also, when I open IE my homepage's URL is still "about:blank" but the page is actually blank now instead of a random search page.

 

On a good note, the pop ups are gone!

 

And here is the HijackThis log you requested;

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:41:51 PM, on 7/18/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\atievxx.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Aut Phanthavong\My Documents\Download Installation Files\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_204/w...OCX/FlashAX.cab

Edited by GroundControl


You need to restart in Safe mode in order to have access to the security tab on files and folders in "XP HOME EDITION".

 

How to take ownership of a file or folder in Windows XP

 

In Safe mode:

 

Right-click on resba.333>properties>Advanced>Security/permissions and take ownership giving yourself 'Full control'. Right click the 'junkxxx' folder itself and hit properties, go to the security tab and click the advanced button. Check the box to reset permissions on all child objects.

 

Hit apply and OK. You should be able to remove it now.

 

Boot back into normal mode and go online. In IE click Tools>Internet Options and set your homepage.

 

Let me know how you get on.


:D Daemon, THANK YOU SO MUCH.

 

You are very well skilled.

 

I have my homepage back and the pop ups are gone....for now, haha.

 

Would you recommend any steps to take in order for further prevention?

 

So I would consider this case RESOLVED unless you have any further comments.

 

Thank you SO MUCH Daemon.


You're welcome - glad to help :D

 

To help keep you clean, follow the recommendations in Tony's article here:

 

So how did I get infected in the first place?

 

 

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
