dlindsay12

About:blank spyware

23 posts in this topic

I have tried everything; it now hijacks my Hotmail. Below is my HijackThis log. I appreciate any and all help, thanks.

 

Logfile of HijackThis v1.97.3

Scan saved at 4:53:13 PM, on 7/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\PackethSvc.exe

C:\Program Files\CA\Common\Alert\ALERT.EXE

C:\WINNT\System32\ati2evxx.exe

C:\WINNT\System32\DRIVERS\dcfssvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\CA\eTrust\InoculateIT\realmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\BHODemon 2\BHODemon.exe

C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

C:\WINNT\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\WinZip\winzip32.exe

C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.250.130.200/main/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {096C9845-6676-428A-AE1E-3AFB5886EB11} - C:\WINNT\system32\panak.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [HP OfficeJet Series 600] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 600\Install"

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Com+] "C:\WINNT\System32\COM_~1.EXE" -nouninst

O4 - HKLM\..\Run: [Winsock2 driver] \UPLOAD.EXE

O4 - HKLM\..\Run: [msmanagerw32] C:\WINNT\System32\msnngr32.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [spyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - HKLM\..\RunServices: [mssysint] IEXPLORE .EXE

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe

O4 - Startup: Stampede TurboGold.lnk = C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: ComcastHSI (HKLM)

O9 - Extra button: Support (HKLM)

O9 - Extra button: Help (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: WeatherBug (HKCU)

O12 - Plugin for .MID: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18ad29caa5d03c96b417/netzip/RdxIE2.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://adsresponse.webex.com/client/latest...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C27EB223-1023-4BD4-8D7A-FCB765679BED}: Domain = tuc.com

 

Thanks again.

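The log above is the only evidence the helpers had to work from, so it is worth seeing what a mechanical first pass over it catches. The Python below is an added example, not code from the forum thread or from HijackThis: it scans HJT-style lines for the patterns visible in this log (search settings pointing at a file under a Temp directory or at a bare IP, an unnamed BHO in system32, a RunServices entry with a whitespace-padded name such as "IEXPLORE .EXE", a Run target at the drive root, an ActiveX download from a raw IP, and a text/html or text/plain MIME filter) and cross-references DLLs that appear as both a BHO and a MIME filter. The sample lines are a constructed subset of the log above; the rules are heuristics that surface leads for a human to confirm.

```python
"""Triage a HijackThis log for the hijack patterns seen in this thread.

Added example, not code from the forum or from HijackThis. The rules are
heuristics chosen from the entries above; they surface leads, not verdicts.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section line reason")

HJT_LINE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
TEMP_FILE = re.compile(r"file://.*\\temp\\", re.I)        # file:// page under ...\Temp\
SPACED_NAME = re.compile(r"\S\s+\.(exe|dll|com)\b", re.I)  # "IEXPLORE .EXE"
DLL_PATH = re.compile(r"[a-z]:\\.+?\.dll\b", re.I)

# Constructed sample: a subset of the lines from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.250.130.200/main/sp.php
O2 - BHO: (no name) - {096C9845-6676-428A-AE1E-3AFB5886EB11} - C:\WINNT\system32\panak.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Winsock2 driver] \UPLOAD.EXE
O4 - HKLM\..\RunServices: [mssysint] IEXPLORE .EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18ad29caa5d03c96b417/netzip/RdxIE2.cab
O18 - Filter: text/html - {5FC21589-DF44-4E24-92EB-672BCCAD3E5A} - C:\WINNT\system32\panak.dll
"""


def triage(log_text):
    """Return a list of Finding for every suspicious entry in an HJT log."""
    findings = []
    dll_sections = {}  # lowercased DLL path -> set of sections that load it

    def flag(section, line, reason):
        findings.append(Finding(section, line, reason))

    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.groups()
        low = body.lower()

        if sec in ("R0", "R1"):
            if TEMP_FILE.search(body):
                flag(sec, line, "IE search/start setting points at a file in a Temp directory")
            elif "about:blank" in low:
                flag(sec, line, "about:blank stored as a search/home value")
            elif IP_URL.search(body):
                flag(sec, line, "IE setting points at a bare IP address, not a hostname")
        elif sec == "O2":
            if "(no name)" in low and "\\system32\\" in low:
                flag(sec, line, "unnamed BHO loaded from system32")
        elif sec == "O4":
            target = body.split("]", 1)[-1].strip()   # text after the [name]
            if "\\runservices:" in low:
                flag(sec, line, "RunServices entry; rarely used legitimately, check the target")
            if SPACED_NAME.search(target):
                flag(sec, line, "executable name padded with whitespace to mimic a system binary")
            if target.startswith("\\"):
                flag(sec, line, "Run target sits at the drive root")
        elif sec == "O16" and IP_URL.search(body):
            flag(sec, line, "ActiveX control downloaded from a bare IP address")
        elif sec == "O18" and ("text/html" in low or "text/plain" in low):
            flag(sec, line, "MIME filter on text/html or text/plain: IE installs none by default, "
                            "so this DLL sees and can rewrite every page")

        for dll in DLL_PATH.findall(body):
            dll_sections.setdefault(dll.lower(), set()).add(sec)

    # A DLL that is both a BHO (O2) and a MIME filter (O18) is the pattern in
    # this thread; the same DLL in O2/O3/O8 is normal for a toolbar.
    for dll, secs in dll_sections.items():
        if secs >= {"O2", "O18"}:
            flag("XREF", dll, "same DLL is both a BHO and a MIME filter")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n      %s" % (f.section, f.reason, f.line))
```

Two caveats a practitioner should keep in mind: the script only sees what HijackThis reports, and none of the logs in this thread list the AppInit_DLLs value that actually held lognl.dll, so persistence outside HJT's sections needs a separate check; and legitimate software (the Google toolbar here) also registers the same DLL in several sections, which is why the cross-reference is restricted to the BHO-plus-MIME-filter pair rather than any repeat.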

Hi, the first thing we need to do is to get rid of the sp.html problem. To do that, I'll need for you to download a program called Registrar Lite (it's basically a registry editor program) at this location: reglite

 

Once you download it, please install it and run it.

 

Once it's running please copy and paste the following into the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs and hit 'go'

 

Double click on the AppInit_DLLs value and copy and paste the contents of the value field into a new post here.


You may want to print these instructions out.

 

Okay, please run reglite again and copy and paste the following line into the address bar and hit 'go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Now, you'll want to right-click on the Windows folder in the left pane and choose the export option. We need to export it so that we can save the permissions that are attached to it for later use. Just name the backup .reg file something like "windowsbackup", and go to Save as type: Regedt32... (so it should now end in .hiv and look like this: windowsbackup.hiv), and put it in a permanent location.

 

After you have done that, please right-click on the Windows folder again and rename it something else (like "JunkWindows", or something like that).

 

The newly renamed folder should look like this in the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\JunkWindows

 

Now, once it is renamed, please double click on the 'AppInit_DLLs' value again and delete whatever is found in the 'value' field.

 

The value to delete should be: C:\WINNT\system32\lognl.dll

 

Now, please rename the "JunkWindows" folder in the left pane window back to "Windows" and reboot.

 

First thing after the reboot, you'll have to locate the saved windowsbackup.hiv file you created earlier. You'll need to open up reglite and choose to import the windowsbackup.hiv file. That should restore the permissions.

 

Since that restored the permissions, it also consequently restored what was stored in the value field for the 'AppInit_DLLs' file. No problem though because we can just delete it out. So, follow these steps again to delete the value:

 

Run reglite again and copy and paste the following into the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

Now, once it is renamed, please double click on the 'AppInit_DLLs' value again and delete whatever is found in the 'value' field.

 

The value to delete should be: C:\WINNT\system32\lognl.dll

 

Now, please go to the Run command and type in "command" (without the quotes)

 

Once in the command prompt, please type in the following with no quotes "del C:\WINNT\system32\lognl.dll"

 

Please post back here if you had any problems following my steps or any errors you may have encountered along the way...

 

If you didn't encounter any errors, please download the newest version of HJT from here: http://www.downloads.subratam.org/hijackthis.zip

 

And then run it and post an updated HJT log.

 

Also, I just noticed this, please run HJT from a permanent location such as C:\HJT\ instead of a \temp\ directory where it is more likely the backups that are created by HJT will get deleted.

 

Thanks


Okay, everything went smoothly except when attempting to delete from the command prompt. Tried twice, received an "access is denied" message every time.

 

Meantime, here is the updated HijackThis log....I appreciate your assistance!

 

 

Logfile of HijackThis v1.98.0

Scan saved at 8:20:33 PM, on 7/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\PackethSvc.exe

C:\Program Files\CA\Common\Alert\ALERT.EXE

C:\WINNT\System32\ati2evxx.exe

C:\WINNT\System32\DRIVERS\dcfssvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\CA\eTrust\InoculateIT\realmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\AIM95\aim.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\BHODemon 2\BHODemon.exe

C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

C:\WINNT\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\WinZip\winzip32.exe

C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.250.130.200/main/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {096C9845-6676-428A-AE1E-3AFB5886EB11} - C:\WINNT\system32\panak.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [HP OfficeJet Series 600] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 600\Install"

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Com+] "C:\WINNT\System32\COM_~1.EXE" -nouninst

O4 - HKLM\..\Run: [Winsock2 driver] \UPLOAD.EXE

O4 - HKLM\..\Run: [msmanagerw32] C:\WINNT\System32\msnngr32.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [spyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - HKLM\..\RunServices: [mssysint] IEXPLORE .EXE

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe

O4 - Startup: Stampede TurboGold.lnk = C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O12 - Plugin for .MID: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18ad29caa5d03c96b417/netzip/RdxIE2.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://adsresponse.webex.com/client/latest...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C27EB223-1023-4BD4-8D7A-FCB765679BED}: Domain = tuc.com

O18 - Filter: text/html - {5FC21589-DF44-4E24-92EB-672BCCAD3E5A} - C:\WINNT\system32\panak.dll

O18 - Filter: text/plain - {5FC21589-DF44-4E24-92EB-672BCCAD3E5A} - C:\WINNT\system32\panak.dll


Hmm, sorry, I accidentally did the last two steps in the wrong order. We should've imported the hive file AFTER we deleted the file!

 

Sorry, I messed up the order!

 

So, unfortunately we'll need to pretty much do everything over again.

 

This time though, we'll import the hive file AFTER we delete the bad .dll file!

 

I am, however, going to assume you still have the .hiv file saved, so we can skip that step.

 

 

 

You may want to print these instructions out.

 

Okay, please run reglite again and copy and paste the following line into the address bar and hit 'go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Please right-click on the Windows folder again and rename it something else (like "JunkWindows", or something like that).

 

The newly renamed folder should look like this in the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\JunkWindows

 

Now, once it is renamed, please double click on the 'AppInit_DLLs' value again and delete whatever is found in the 'value' field.

 

The value to delete should be: C:\WINNT\system32\lognl.dll

 

Now, please rename the "JunkWindows" folder in the left pane window back to "Windows" and reboot into Safe Mode by tapping F8 when you reboot.

 

Now, please go to the Run command and type in "command" (without the quotes)

 

Once in the command prompt, please type in the following with no quotes "del C:\WINNT\system32\lognl.dll"

 

 

You'll also have to locate the saved windowsbackup.hiv file you created earlier. You'll need to open up reglite and choose to import the windowsbackup.hiv file. That should restore the permissions.

 

Since that restored the permissions, it also consequently restored what was stored in the value field for the 'AppInit_DLLs' file. No problem though because we can just delete it out. So, follow these steps again to delete the value:

 

Run reglite again and copy and paste the following into the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

Please double click on the 'AppInit_DLLs' value again and delete whatever is found in the 'value' field.

 

The value to delete should be: C:\WINNT\system32\lognl.dll

 

Please post back here if you had any problems following my steps or any errors you may have encountered along the way...

 

 

(hopefully this should work now)

 

When you are done, please post an updated HJT log.


Still didn't work. The AppInit_DLLs value did not have anything to remove.

 

I continue to receive the "access is denied" message when attempting to delete the c:\winnt\system32\lognl.dll in the command prompt. I'm wondering if my corporate office has some type of safety built in.

 

Any thoughts?


Try putting this in the command prompt line: "ATTRIB -R -S -H C:\WINNT\system32\lognl.dll"

 

After you do that, then try to type in "del C:\WINNT\system32\lognl.dll"


This is one of the hardest variants of CWS to remove... I'm having some of my peers look at this case now...


Try this first:

 

Go to the Run command and type in "command" (no quotes)

 

Then type in "cd C:\WINNT\system32\" and then hit enter.

After that, please type in "ren lognl.dll junk.dll"

And then type in "del junk.dll"

 

If that does work, then try the following suggestion by bobby fleckman:

 

[rename]
NUL=C:\WINNT\system32\lognl.dll

 

Check if there's a file called wininit.ini in C:\WinNT. If there is, add the code segment to it (you can append it by opening the file in Notepad and pasting the code segment at the end of the file); if not, save the code segment there under the name wininit.ini by opening Notepad, pasting the code segment into it and saving it as wininit.ini. Then you'll need to reboot.

 

This should delete the file. This is the same trick that installers use, when they're deleting things or installing updates. It's why you're supposed to reboot.

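The [rename] / NUL= trick quoted above is the Windows 95/98/ME mechanism: WININIT.EXE reads wininit.ini once at boot, before the file is in use. Windows NT, 2000 and XP do not process wininit.ini at all, which is why it had no effect on the Windows 2000 machine in this thread. The NT-family equivalent is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends a source/target pair of strings to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; an empty target means delete, paths are written in NT object-manager form (\??\C:\...), and the session manager applies the list early in the next boot, before any user-mode DLL can be loaded. The Python below is an added example, not code from the thread: it builds both forms offline (the wininit.ini text, including the append-to-an-existing-[rename]-section case the post describes, and the PendingFileRenameOperations list with a REG_MULTI_SZ encoder/decoder so the on-disk bytes can be checked), and only the optional schedule_delete() touches the registry, on Windows with administrative rights.

```python
"""Schedule deletion of a locked file at next boot, the NT-family way.

Added example, not from the forum thread. wininit.ini is honoured only by
Windows 95/98/ME; Windows NT/2000/XP use PendingFileRenameOperations.
"""
import sys

SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def nt_path(path):
    """Win32 path -> NT object-manager form stored in the value (\\??\\C:\\...)."""
    return path if path.startswith("\\??\\") else "\\??\\" + path


def pending_ops(existing, source, target=None):
    """Return a new op list with (source -> target) appended; no target = delete."""
    ops = list(existing)
    ops.append(nt_path(source))
    ops.append(nt_path(target) if target else "")   # empty string means delete
    return ops


def to_multi_sz(strings):
    """Encode REG_MULTI_SZ: UTF-16LE, NUL after each string, one extra NUL at the end."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"


def from_multi_sz(data):
    """Decode REG_MULTI_SZ, keeping empty strings (delete targets) inside the list."""
    text = data.decode("utf-16-le")
    if text in ("", "\0", "\0\0"):
        return []
    if not text.endswith("\0\0"):
        raise ValueError("malformed REG_MULTI_SZ: missing block terminator")
    body = text[:-1]             # drop the block terminator; items still end in NUL
    return body.split("\0")[:-1]


def wininit_ini(existing_text, source, target=None):
    """Windows 9x/ME form: a [rename] section where NUL=path deletes path.

    WININIT.EXE does not understand long file names, so callers must pass
    8.3 paths (C:\\PROGRA~1\\...) on those systems.
    """
    entry = "%s=%s" % (target or "NUL", source)
    lines = existing_text.splitlines() if existing_text else []
    for i, line in enumerate(lines):
        if line.strip().lower() == "[rename]":
            j = i + 1                        # append at the end of the section
            while j < len(lines) and not lines[j].startswith("["):
                j += 1
            lines.insert(j, entry)
            break
    else:
        lines += ["[rename]", entry]
    return "\n".join(lines) + "\n"


def schedule_delete(path):
    """Windows only: append a delete for `path` to the live value (needs admin)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER, 0,
                         winreg.KEY_READ | winreg.KEY_SET_VALUE)
    try:
        try:
            existing, _ = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            existing = []
        ops = pending_ops(existing, path)
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_MULTI_SZ, ops)
    finally:
        key.Close()
    return ops


if __name__ == "__main__":
    locked = r"C:\WINNT\system32\lognl.dll"          # the file from this thread
    print(wininit_ini("", r"C:\WINNT\SYSTEM32\LOGNL.DLL"), end="")
    print(pending_ops([], locked))
    if sys.platform == "win32" and "--apply" in sys.argv:
        print(schedule_delete(locked))
```

Because the rename list is applied by the session manager before winlogon starts, it sidesteps the "access is denied" seen in the thread only when that error comes from the DLL being in use; when it comes from the file's ACL (the case the poster eventually hit, fixed by taking Full Control in the Security tab), the boot-time delete fails just as silently, so check both causes before relying on it.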

Okay, I was able to rename the lognl.dll to junk.dll, but it still would NOT allow me to delete junk.dll - access is denied. I changed the name back to lognl.dll just to stay consistent.

 

I assume the next step was to be tried if your first recommendation did NOT work. There was not a file wininit.ini within the WINNT folder, so I created one using notepad and copied the code, then rebooted.

 

Not sure what this was supposed to clear up or if we have next steps...I'm still being redirected to about:blank! Here is my latest HijackThis log after doing those steps....thanks again for following up on this:

 

 

Logfile of HijackThis v1.98.0

Scan saved at 10:55:54 AM, on 7/31/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\PackethSvc.exe

C:\Program Files\CA\Common\Alert\ALERT.EXE

C:\WINNT\System32\ati2evxx.exe

C:\WINNT\System32\DRIVERS\dcfssvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\CA\eTrust\InoculateIT\realmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\BHODemon 2\BHODemon.exe

C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

C:\WINNT\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\WinZip\winzip32.exe

C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.250.130.200/main/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {096C9845-6676-428A-AE1E-3AFB5886EB11} - C:\WINNT\system32\panak.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [HP OfficeJet Series 600] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 600\Install"

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Com+] "C:\WINNT\System32\COM_~1.EXE" -nouninst

O4 - HKLM\..\Run: [Winsock2 driver] \UPLOAD.EXE

O4 - HKLM\..\Run: [msmanagerw32] C:\WINNT\System32\msnngr32.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [spyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - HKLM\..\RunServices: [mssysint] IEXPLORE .EXE

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe

O4 - Startup: Stampede TurboGold.lnk = C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O12 - Plugin for .MID: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18ad29caa5d03c96b417/netzip/RdxIE2.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://adsresponse.webex.com/client/latest...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C27EB223-1023-4BD4-8D7A-FCB765679BED}: Domain = tuc.com

O18 - Filter: text/html - {5FC21589-DF44-4E24-92EB-672BCCAD3E5A} - C:\WINNT\system32\panak.dll

O18 - Filter: text/plain - {5FC21589-DF44-4E24-92EB-672BCCAD3E5A} - C:\WINNT\system32\panak.dll


An update (good I think) since my last posting above. In Windows Explorer, I was able to delete the winnt\system32\lognl.dll file by unchecking hidden and read only and checking the full control box in security - then it allowed me to delete that file. I made sure reglite showed nothing in the value section.

 

I then removed the two obvious "about:blank" lines in my startup sequence, but it's still switching over, same as always, and the "about:blank" sequences continue to show on my HijackThis, so here is the latest. I'm hoping at this point it's just capturing all of the correct lines in the startup that I have not found.

 

 

Logfile of HijackThis v1.98.0

Scan saved at 3:56:34 PM, on 7/31/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\PackethSvc.exe

C:\Program Files\CA\Common\Alert\ALERT.EXE

C:\WINNT\System32\ati2evxx.exe

C:\WINNT\System32\DRIVERS\dcfssvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\CA\eTrust\InoculateIT\realmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\AIM95\aim.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\BHODemon 2\BHODemon.exe

C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

C:\WINNT\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\WinZip\winzip32.exe

C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.250.130.200/main/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {096C9845-6676-428A-AE1E-3AFB5886EB11} - C:\WINNT\system32\panak.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [HP OfficeJet Series 600] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 600\Install"

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Com+] "C:\WINNT\System32\COM_~1.EXE" -nouninst

O4 - HKLM\..\Run: [Winsock2 driver] \UPLOAD.EXE

O4 - HKLM\..\Run: [msmanagerw32] C:\WINNT\System32\msnngr32.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [spyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - HKLM\..\RunServices: [mssysint] IEXPLORE .EXE

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe

O4 - Startup: Stampede TurboGold.lnk = C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O12 - Plugin for .MID: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18ad29caa5d03c96b417/netzip/RdxIE2.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://adsresponse.webex.com/client/latest...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C27EB223-1023-4BD4-8D7A-FCB765679BED}: Domain = tuc.com

O18 - Filter: text/html - {60B1CCF3-3B8D-4E96-A1D9-39C00262321F} - C:\WINNT\system32\panak.dll

O18 - Filter: text/plain - {60B1CCF3-3B8D-4E96-A1D9-39C00262321F} - C:\WINNT\system32\panak.dll


Great news, I'm glad you were finally able to delete the bad file!

 

That .dll file was what would've prevented us from being able to fix anything in HJT and have it stay fixed. Now that that's gone, we should be able to fix it for good.

 

Before we do that though, I think you may have some viruses/trojans on your computer. Please go to this site: http://housecall.trendmicro.com/housecall/start_corp.asp

 

And run the free online scan. Have it scan your hard drive and have it auto clean whatever it finds. If it can't clean the files it finds, just have it delete the bad files.

 

When you are done with that, please run adaware by following these instructions:

 

 

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

 

Install the program and launch it.

 

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

 

Next, we need to configure Ad-aware for a full scan.

 

Click on the Gear icon (second from the left) to access the preferences/settings window.

  • In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Click on the Scanning button on the left and select:
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URLs
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
      • All of your hard drives

Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page, and then choose:

  • Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next.)

Reboot your computer. Then post another HijackThis log.

 

 

(ad-aware instructions formatting by Fireflyer)

 

Also, before you post another HJT log, please move HJT to a "permanent" location such as C:\HJT\. You are currently running it from a \temp\ folder, which isn't good because when you have HJT fix items it makes a backup, and if it's in a temp folder there's a chance those backups can get deleted...

Edited by guacamel


Ugghhh. I ran the Housecall and it found 23 viruses. It was able to delete all of them but one, this was c:\winnt\system32\panak.dll. I also noticed this on the more recent startup logs, and it wasn't there before I was able to delete the original lognl.dll file. Wondering if it's the same thing.

 

I attempted to delete this file but I could not delete it using any of the methods you told me before or what worked for the last one. Any thoughts on this?

The c:\winnt\system32\panak.dll file has been in your HJT logs since the beginning. The variant of CWS that you have basically uses two randomly generated .dll files. One is the "super-hidden" one that we have already deleted. What I mean by lognl.dll being super-hidden is that if you would've tried to view the file in Explorer before we did that stuff with reglite, you wouldn't have been able to see it, even with viewing hidden files enabled. The other randomly generated .dll isn't "super-hidden" like the previously mentioned one, but it shows up in the HJT log as a BHO.

 

Now, our next challenge will be to actually clean up your log to get rid of the about:blank problem.

 

Please post an updated HJT log after you had completed the anti-virus scan and the ad-aware.

 

Thanks!

 

(don't have HJT fix anything yet until I tell you which ones to fix)


Okay, ran the anti-virus and the ad-aware. Here is my latest HJT log:

 

 

Logfile of HijackThis v1.98.0

Scan saved at 9:25:38 AM, on 8/2/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\PackethSvc.exe

C:\Program Files\CA\Common\Alert\ALERT.EXE

C:\WINNT\System32\ati2evxx.exe

C:\WINNT\System32\DRIVERS\dcfssvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\CA\eTrust\InoculateIT\realmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\AIM95\aim.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\BHODemon 2\BHODemon.exe

C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.250.130.200/main/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {096C9845-6676-428A-AE1E-3AFB5886EB11} - C:\WINNT\system32\panak.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [HP OfficeJet Series 600] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 600\Install"

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Com+] "C:\WINNT\System32\COM_~1.EXE" -nouninst

O4 - HKLM\..\Run: [Winsock2 driver] \UPLOAD.EXE

O4 - HKLM\..\Run: [msmanagerw32] C:\WINNT\System32\msnngr32.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [spyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe

O4 - Startup: Stampede TurboGold.lnk = C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O12 - Plugin for .MID: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18ad29caa5d03c96b417/netzip/RdxIE2.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://adsresponse.webex.com/client/latest...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C27EB223-1023-4BD4-8D7A-FCB765679BED}: Domain = tuc.com

O18 - Filter: text/html - {60B1CCF3-3B8D-4E96-A1D9-39C00262321F} - C:\WINNT\system32\panak.dll

O18 - Filter: text/plain - {60B1CCF3-3B8D-4E96-A1D9-39C00262321F} - C:\WINNT\system32\panak.dll


Okay, please run HJT with no other windows open and have it fix the following:

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.250.130.200/main/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {096C9845-6676-428A-AE1E-3AFB5886EB11} - C:\WINNT\system32\panak.dll

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe

O4 - HKLM\..\Run: [Com+] "C:\WINNT\System32\COM_~1.EXE" -nouninst

O4 - HKLM\..\Run: [Winsock2 driver] \UPLOAD.EXE

O4 - HKLM\..\Run: [spyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O18 - Filter: text/html - {60B1CCF3-3B8D-4E96-A1D9-39C00262321F} - C:\WINNT\system32\panak.dll

O18 - Filter: text/plain - {60B1CCF3-3B8D-4E96-A1D9-39C00262321F} - C:\WINNT\system32\panak.dll

 

Then, after you fix them, please reboot into safe mode and delete the following files or folders:

 

files:

C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe

C:\WINNT\System32\COM_~1.EXE

\UPLOAD.EXE <----- I don't know where this one is located, you may have to search for it

C:\WINNT\system32\panak.dll

 

folder:

C:\Program Files\SpyBlocs\

 

Once you are done deleting those, please reboot back into normal mode and post an updated HJT log.


Did all those fixes on HJT, then rebooted into safe.

 

Could not find c:\winnt\system32\com_~1.exe, also could not locate \upload.exe. Removed the other 3 files you mentioned, no problem, then rebooted. Here is my latest HJT:

 

 

Logfile of HijackThis v1.98.0

Scan saved at 9:59:09 PM, on 8/2/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\PackethSvc.exe

C:\Program Files\CA\Common\Alert\ALERT.EXE

C:\WINNT\System32\ati2evxx.exe

C:\WINNT\System32\DRIVERS\dcfssvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\CA\eTrust\InoculateIT\realmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\AIM95\aim.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\BHODemon 2\BHODemon.exe

C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {CE3CC7E6-9C01-4C38-8EAE-A01ACA311127} - C:\WINNT\system32\panak.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [HP OfficeJet Series 600] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 600\Install"

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [msmanagerw32] C:\WINNT\System32\msnngr32.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe

O4 - Startup: Stampede TurboGold.lnk = C:\Program Files\Stampede\TurboGold\TGCLUI32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O12 - Plugin for .MID: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18ad29caa5d03c96b417/netzip/RdxIE2.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://adsresponse.webex.com/client/latest...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C27EB223-1023-4BD4-8D7A-FCB765679BED}: Domain = tuc.com

O18 - Filter: text/html - {DAC076E7-4B5C-42C6-9F73-7CC3A2C87456} - C:\WINNT\system32\panak.dll

O18 - Filter: text/plain - {DAC076E7-4B5C-42C6-9F73-7CC3A2C87456} - C:\WINNT\system32\panak.dll


Hmm, you're still having problems...

 

Please download cwshredder from here: http://www.downloads.subratam.org/CWShredder.exe

 

Just run CWShredder and click on the 'fix' button.

 

Run HJT again and have it fix the following:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {CE3CC7E6-9C01-4C38-8EAE-A01ACA311127} - C:\WINNT\system32\panak.dll (file missing)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://adsresponse.webex.com/client/latest...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C27EB223-1023-4BD4-8D7A-FCB765679BED}: Domain = tuc.com

O18 - Filter: text/html - {DAC076E7-4B5C-42C6-9F73-7CC3A2C87456} - C:\WINNT\system32\panak.dll

O18 - Filter: text/plain - {DAC076E7-4B5C-42C6-9F73-7CC3A2C87456} - C:\WINNT\system32\panak.dll

 

If that still doesn't fix the problem, we'll have to try something else.

Edited by guacamel

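To make the triage above mechanical, here is an added example (my code, not from the thread, HijackThis or CWShredder) that scans HijackThis-style entries for the about:blank hijack markers guacamel lists: MIME filters on text/html and text/plain, IE search pages redirected to a file under Temp, the HomeOldSP = about:blank value, and a BHO that loads the same DLL as the filter. The sample log is constructed from entries quoted in this thread; the regex and reason strings are my own.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ASSOCI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {CE3CC7E6-9C01-4C38-8EAE-A01ACA311127} - C:\WINNT\system32\panak.dll (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O18 - Filter: text/html - {DAC076E7-4B5C-42C6-9F73-7CC3A2C87456} - C:\WINNT\system32\panak.dll
O18 - Filter: text/plain - {DAC076E7-4B5C-42C6-9F73-7CC3A2C87456} - C:\WINNT\system32\panak.dll
"""

# Matches a drive-rooted path ending in .dll (hypothetical helper pattern).
DLL_RE = re.compile(r"([A-Za-z]:\\[^\s]+\.dll)", re.IGNORECASE)


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for lines matching the about:blank hijack pattern."""
    lines = [ln.strip() for ln in log.splitlines() if ln.strip()]
    findings: List[Tuple[str, str]] = []
    hijack_dlls = set()
    # Pass 1: MIME filters. A filter registered for text/html or text/plain receives
    # every page IE loads before it is rendered, which is how the hijacker injects its
    # own search page, so any such entry is worth flagging on its own.
    for ln in lines:
        if ln.startswith("O18 - Filter:") and re.search(r"text/(html|plain)", ln):
            findings.append((ln, "MIME filter on text/html or text/plain"))
            m = DLL_RE.search(ln)
            if m:
                hijack_dlls.add(m.group(1).lower())
    # Pass 2: R0/R1 search settings and O2 BHOs, correlated with the filter DLLs.
    for ln in lines:
        if ln[:2] in ("R0", "R1"):
            value = ln.split("=", 1)[1].strip() if "=" in ln else ""
            if value.lower().startswith("file://") and "\\temp\\" in value.lower():
                findings.append((ln, "IE search/start page points at a local Temp file"))
            elif "HomeOldSP" in ln and value.lower() == "about:blank":
                findings.append((ln, "HomeOldSP set to about:blank"))
        elif ln.startswith("O2 - BHO:"):
            m = DLL_RE.search(ln)
            dll = m.group(1).lower() if m else ""
            if dll in hijack_dlls:
                findings.append((ln, "BHO loads the same DLL as the MIME filter"))
            elif "(file missing)" in ln:
                findings.append((ln, "BHO registered but DLL not on disk"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

The ordinary O12 QuickTime plugin entry is left alone, which is the point of correlating on the filter DLL rather than flagging every DLL path in the log.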

you are all making this waaay too complicated...

for many of these spyware/malware/whateverware search engine things, the operator of the site provides the tool to remove it from your computer

sometimes they put a link in a tiny font in the bottom of the page that allows you to download the uninstall utility, but sometimes, like in this instance, they don't.

 

one way to find it is often to go to the main page of the search engine....delete everything past http://spywareserchenginescrewingyou.com/

you might find a remove link there.

 

In the case of this about: blank search thing, the site name is hidden from the address bar in IE.

how to get around this? right click on the page and click properties...it will give you the full address of the page...copy and paste that into the address bar on IE, deleting everything past the .com/

 

By now you may have figured out that about: blank has the right click menu disabled on its page.

Lucky you have me....I found the actual website by following a random link on that crappy, annoying search page and then right-clicking on the page that came up...

 

after deleting everything past .com/....or actually .tv/ in this case, we find the website is: http://oz.msie.tv

 

go there...click the link for the uninstall and run what it downloads. DONE.


Good finding mike822, I hadn't noticed it myself, but don't you think that it's very dangerous to use that file? I've downloaded it but I will not use it until I know for sure that it's safe.
