e_eek

About Blank

5 posts in this topic

Hi All,

 

It appears I was infected with a hijacker that first came up in the browser as "about Blank" and then loaded several files. It actually started Explorer itself, I did not even have to open it. Our "IT" guy worked on it, but never totally fixed it. He did get it to stop opening the browser by itself though. I have to do web presentations in front of clients and am still getting pop-ups and my computer is extremely slow. It also prevents me from going to certain web sites or opens another browser window when it should not. Please help. Below I am pasting the HijackThis log.

 

Thanks

 

Eric

 

 

Logfile of HijackThis v1.97.7

Scan saved at 7:07:24 PM, on 7/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\Ati2evxx.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\system32\WLANSTA.EXE

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~2\VPTray.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\WinZip\winzip32.exe

C:\Documents and Settings\ehager\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe

O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START

O4 - HKLM\..\Run: [VidiaDrivers] C:\Program Files\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O16 - DPF: PowerBuilder DW Control & JDBC - http://10.0.1.21:82/exponline/PSDWC70.CAB

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://12.223.248.216:81/kxhcm10.ocx

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/place/...quicksilver.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange.com/Control/MultiSelectComboBox.cab

O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange.com/Control/MLXClientUtils.cab

O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mfr.mlxchange.com/Control/IRCSharc.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.129.250.6/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37874.261712963

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - http://10.0.1.21:82/j2re-1_4_1_02-windows-i586.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab


Hello, welcome to SWI.

Print out these instructions so you can read them while you clean your system.

 

Move HijackThis to its own folder. Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Move HijackThis there. HijackThis makes backups of everything you fix; these backups are saved in the same folder as the program.

 

 

Download VX2Finder

 

 

Run VX2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

 

Copy and paste the contents of the log into your next reply here.

--------------------------------

 

Sign off and stay off the internet until the entire procedure is complete.

 

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

 

Then select the *Delete these files* button.

You will be left with a notice about one to be deleted on reboot.

It will ask to reboot on deletion of the last file (Reboot).

 

-----------------

Once back in Windows

 

 

Open VX2Finder again and click on these buttons in the right pane:

 

user agent, Guardian.reg, restore policy

 

Exit and reboot.

 

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Post it here

 

Now close all open windows AND browsers and check these items for HJT to fix (a fair amount of these are likely to be gone because of CWShredder):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

 

Then continue with win tools:

Please reboot into safe mode - How do I boot into "Safe" mode?

 

Once in Safe Mode:

Click on the Start Button, Control Panel. Double-click on Administrative Tools then on Services.

Look for a service called Wintools for IE Service. Double-click it to open, then click the Stop button and change the "Startup type" to Disabled.

(If the service is not there, no worries...all the better!)

 

Next, right-click on the Windows Taskbar and select Task Manager.

In the Processes tab, look for WToolsA.exe, WToolsS.exe and WSup.exe. If any or all of these exist, right-click on each one and select End Process Tree, and answer affirmatively to any confirmation questions.

 

At this point, you can check the Add/Remove Programs Control Panel. If there is an uninstaller for Wintools, try running it now. I would still recommend proceeding through the rest of this fix even if there is an uninstaller, however.

 

Now, please open a command prompt (Start button -> Run, type cmd and click "OK"). At the prompt, type

regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" then <ENTER>.

Then type exit to close the command prompt window.

 

Now, we can proceed to delete these directories, located at:

 

C:\Program Files\Common Files\WinTools <-- Delete the BOLD directory.

C:\Program Files\Toolbar <-- Delete the BOLD directory.

 

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.

* C:\Windows\Temp\

* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

* Empty your "Recycle Bin".

 

Then disable your system restore

 

1 Right-click My Computer, and then click Properties.

2 Click the System Restore tab.

3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

4 Click Apply

5 This will delete all existing restore points. Click Yes to do this.

6 Click OK.

 

Reboot into normal mode, enable System Restore, and post a fresh log in this thread to give you further recommendations.

Edited by mmxx66
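
Added example (not part of the original posts, and not HijackThis's own code): a small parser for HijackThis log entries that flags the kinds of lines picked out in the fix list above. The sample lines are copied from the log in this thread; the watch terms are an assumption taken from that fix list, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, then the entry body
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse(log):
    """Return (section_code, body, clsid_or_None) for each entry line."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            c = CLSID.search(m.group(2))
            out.append((m.group(1), m.group(2), c.group(0).upper() if c else None))
    return out

def triage(entries, watch_terms):
    """Flag entries for manual review; returns {body: [reasons]}."""
    by_clsid = defaultdict(set)
    for code, _, clsid in entries:
        if clsid:
            by_clsid[clsid].add(code)
    flags = defaultdict(list)
    for code, body, clsid in entries:
        if clsid and len(by_clsid[clsid]) > 1:   # same component hooked in several places
            flags[body].append("CLSID registered in sections " + "+".join(sorted(by_clsid[clsid])))
        if body.endswith("(no file)"):           # registry entry left behind without its file
            flags[body].append("registry entry points to a missing file")
        for term in watch_terms:
            if term.lower() in body.lower():
                flags[body].append("matches watch term " + term)
    return dict(flags)

# Watch terms are an assumption drawn from the fix list in the post above.
REPORT = triage(parse(SAMPLE_LOG), ["wintools", "websearch.com", "bundleware.com"])
```

A flag only marks a line for a person to review; the Symantec ccApp entry in the sample is left unflagged.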


Thanks much for the quick reply. I have run the VX2 as described. Here is the log.

 

Thanks again,

 

Eric

 

Log for VX2.BetterInternet File Finder

 

Files Found---


 

 

Guardian Key--- is called:

 

User Agent String---

{613DF497-F2A0-4EC2-B85C-AE44F75676BA}


Hello again,

 

Here is the 2nd vx2 log as requested.

 

 

Eric

 

 

 

Files Found---


 

 

Guardian Key--- is called:

 

User Agent String---

{613DF497-F2A0-4EC2-B85C-AE44F75676BA}


Good job!

Go ahead with the next steps as requested before.

thanks
