showhost

Yikes! Me too! HJT Log attached

11 posts in this topic

Hi learned friends...

 

I somehow at least am able to get my browser to open to my designated Google home page okay (although for a while I couldn't), but now lots of infected "backdoor" .dll files are constantly cropping up on my real-time virus scanner. I am running the Outpost Firewall, Pest Patrol, and F-Prot AV programs, but about:blank is on my HJT log and CWS Shredder isn't showing anything on a normal scan.

 

Logfile of HijackThis v1.97.7

Scan saved at 4:18:31 PM, on 5/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\FSI\F-Prot\F-Sched.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\FSI\F-Prot\F-StopW.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter.exe

C:\unzipped\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE

O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: ExpressServices 2000.lnk = C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: Trashcan (HKCU)

O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com/products/swn2004/inst...erInstaller.exe

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29eedb00577aea...ip/RdxIE601.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab


Hi,

"backdoor" .dll files are constantly cropping up on my real-time virus scanner

Where? (What location?) Look in the F-Prot log.

 

Your log is fairly clean except for the "about:blank" issue ...

 

Start by uninstalling "SpywareNuker" (it's bogus)

 

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked".

 

O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com/products/swn2004/inst...erInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29eedb00577aea...ip/RdxIE601.cab

 

Reboot and then we'll deal with CWS ...

 

Tools and Downloads required:

 

Download: "Find-All.zip"

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

Unzip but do not do anything yet, it will be needed later.

 

Download: "SALAMAND.zip"

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

Unzip but do not do anything yet, it will be needed later.

 

Download and install: (freeware)

Registrar Lite: http://www.resplendence.com/reglite

 

Download: CWShredder

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip, but do not run it yet, it will be needed later.

 

Download: Ad-Aware

http://www.lavasoft.de/software/adaware/

Install, but do not run it yet, it will be needed later.

 

Download: SpyBot-Search & Destroy 1.3

http://majorgeeks.com/download2471.html

 

[step 1]

 

Hint: you may want to print this out to avoid mistakes.

 

Open Reglite, copy and paste the below into the address bar, hit "Go" button:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

Double-click the "AppInit_Dlls" entry (right pane)

Copy and paste in your next post the following fields:

-Size

-Value

Close Reglite

 

 

Next: Locate and double-click the (included in Find-All.zip) "Find-All.bat"

When completed, it generates "output.txt".

Copy and Paste the entire contents of "output.txt" into your next post.


Hi WinHelp2002, thanks so much for your response.

 

The F-Prot alerts have been pinpointing the infected .dll files largely in the System Volume Information folder. I tried turning off and on System Restore and these specific (VIF Folder) alerts seemed to have slowed considerably.

 

I queried PestPatrol Support about this and another infected Zip file that turned up in my PP logs folder and this is what they said:

 

"Somehow or another you have files that are in that folder that shouldn't be. The file in question, the .zip file, should actually be in your quarantine folder; this is where your quarantined files are and that is why the virus protection is seeing a backdoor in it, as well as the .txt file that is associated with it. Also the screenshot shows you have the Wise uninstaller in that folder also. That should not be in the logs folder either. Somehow lots of your PestPatrol files got moved around and are now in the wrong folders. Please follow the instructions below to uninstall\reinstall the software."

 

So it appears I have another issue to handle. Shall I uninstall PP first before continuing with your further recommendations on about:blank and SpywareNuker?

 

Before I received your response above (we live on different sides of the planet I think), I ran RegistrarLite and found the value in the AppInit_Dlls key to be: res.dll. I then ran a program called Dllfix.exe and it seemed to help on one account. Here is the log on that:

 

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Tue 05/25/2004

12:14 AM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Adding Test Windows Key

 

The operation completed successfully

 

Restoring temp Values Key

 

The operation completed successfully

 

Deleting Bad Appinit Value

 

The operation completed successfully

 

 

Backup of Modified Hiv

 

The operation completed successfully

 

Deleting test Windows key

 

The operation completed successfully

 

Adding Back Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

 

Restoring Cleaned Appinit Value

 

The operation completed successfully

 

Deleting Filter text/plain

Deleting Filter text/html

Running from C:\Documents and Settings\Owner\Desktop\dllfix

 

Processing File Manually

C:\WINDOWS\system32\res.dll

Md5 Check of C:\WINDOWS\system32\res.dll

 

Md5 tested As C185B36F9969D3A6D2122BA7CBC02249

Md5 matched known baddies.

Processing and Deleting File.

Processing ACL of: <\\?\C:\WINDOWS\system32\res.dll>

 

SetACL finished successfully.

 

File was successfully Deleted.

Please Run Hijackthis or Cwshredder to finish cleanup.

 

 

I haven't done anything beyond this.

 

After your reply was posted, I did some research on this SpywareNuker program you mentioned and wow, I really made a mistake on this one! Seems people are having a heck of a time "uninstalling" this program as the installer.exe file apparently renames itself somehow and "hides" only to appear again. According to many, even when you do, it leaves behind lots of random misc adware files. Are you recommending that we can rid my system of SpywareNuker with HijackThis alone?

 

Lastly, since I am running Outpost Firewall, F-Prot and especially Pest Patrol, can I still install and run other similar programs like Spybot S&D and Adaware? Won't these programs conflict?

 

Awaiting your generous help...

 

showhost


Hi,

I then ran a program called Dllfix.exe and it seemed to help on one account.

It seems to have been successful, so run CWShredder, then Ad-Aware, and post a fresh log. Yes, you can install AWW with PP installed.

 

As for your System Restore issue, hmm ... sounds like the "System Volume Information" folder has become corrupt.

 

How to Gain Access to the System Volume Information Folder

http://support.microsoft.com/?kbid=309531

 

 

Shall I uninstall PP first

Yes, you might as well uninstall PP, get your system back in shape, then reinstall.


WinHelp...

 

Uninstalled PestPatrol, then ran CWS Shredder -- it turned up nothing. I downloaded Ad-Aware, read the instructions and ran an initial scan. Here is the applicable part of the log from that:

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

SpywareNuker Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{15589FA1-C456-11CE-BF01-00AA0055595A}

 

 

WhenU Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUCSync

 

 

CoolWebSearch Object recognized!

Type : RegValue

Data :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Internet Explorer\Main

Value : HOMEOldSP

 

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 3

Objects found so far: 3

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 1

Objects found so far: 4

 

 

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Tracking Cookie Object recognized!

Type : File

Data : owner@adrevolver[2].txt

Object : C:\Documents and Settings\Owner\Cookies\

 

Created on : 5/25/2004 7:01:17 AM

Last accessed : 5/25/2004 7:23:37 PM

Last modified : 5/25/2004 7:01:17 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : owner@atdmt[1].txt

Object : C:\Documents and Settings\Owner\Cookies\

 

Created on : 5/25/2004 6:57:22 PM

Last accessed : 5/25/2004 6:57:22 PM

Last modified : 5/25/2004 6:57:22 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : owner@counter.hitslink[2].txt

Object : C:\Documents and Settings\Owner\Cookies\

 

Created on : 5/25/2004 8:54:04 AM

Last accessed : 5/25/2004 7:23:37 PM

Last modified : 5/25/2004 8:55:20 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : owner@doubleclick[1].txt

Object : C:\Documents and Settings\Owner\Cookies\

 

Created on : 5/25/2004 6:56:57 PM

Last accessed : 5/25/2004 6:56:57 PM

Last modified : 5/25/2004 6:56:57 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : owner@tribalfusion[1].txt

Object : C:\Documents and Settings\Owner\Cookies\

 

Created on : 5/25/2004 6:56:46 PM

Last accessed : 5/25/2004 6:56:46 PM

Last modified : 5/25/2004 6:56:46 PM

 

 

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Possible Browser Hijack attempt Object recognized!

Type : File

Data : looksmart - colonoscopy.url

Object : C:\Documents and Settings\Owner\Favorites\HEALTH-RELATED\Miscellaneous Health Stuff\

 

Created on : 3/24/2004 7:48:06 AM

Last accessed : 5/25/2004 7:23:55 PM

Last modified : 3/24/2004 7:48:06 AM

 

 

 

Possible Browser Hijack attempt Object recognized!

Type : File

Data : cdnow _ login.url

Object : C:\Documents and Settings\Owner\Favorites\STOREFRONTS AND SHOPPING\Books, Music, DVDs\

 

Created on : 3/24/2004 7:48:06 AM

Last accessed : 5/25/2004 7:23:55 PM

Last modified : 3/24/2004 7:48:06 AM

 

 

 

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : RegValue

Data :

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Value : ITBarLayout

 

 

Conditional scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 1

Objects found so far: 12

 

 

12:23:56 PM Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:01:02:219

Objects scanned :43704

Objects identified :12

Objects ignored :0

New objects :12

 

 

 

I quarantined all 12 of these (copies, I guess) in a folder (although I don't know where that folder is!) and then deleted all of them.

 

I rebooted and ran HJT again and here is the new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 12:48:17 PM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\Program Files\FSI\F-Prot\F-StopW.EXE

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\FSI\F-Prot\F-Sched.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\unzipped\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE

O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: ExpressServices 2000.lnk = C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: Trashcan (HKCU)

O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29eedb00577aea...ip/RdxIE601.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

 

 

 

WinHelp, essentially the difference between this and the previous HJT scan is that the following items were deleted:

 

Running processes:

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Qualcomm\Eudora\Eudora.exe

 

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com/products/swn2004/inst...erInstaller.exe

 

Why does it not show the .exe files for IE and Eudora? Is this a mistake? Or is it just because they weren't running when I did this HJT scan and they were before? (Caution: I'm new at this!)

And it seems to not have done anything with the about:blank. Did we expect it to or does that have to be done with HijackThis or some other program?

 

Looks like the nuker.com entry is gone but this one is still there:

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29eedb00577aea...ip/RdxIE601.cab

 

What next do you think?

 

showhost


Hi,

CoolWebSearch Object recognized!

Type : RegValue

Data :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Internet Explorer\Main

Value : HOMEOldSP

I rebooted and ran HJT again and here is the new log

AWW should have fixed that entry, but it's still there?

 

Try this: Start | Run (type) regedit

Navigate to:

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

 

Highlight: HomeOldSP (right pane)

Right-click and select: Delete, Ok the prompt, and close Regedit.

 

Have HijackThis "fix" the following:

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29eedb00577aea...ip/RdxIE601.cab

 

Then reboot, rescan with HijackThis and see if it returns:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

If not then you should be fine ...

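The helper's method in this thread is to pick out the hijack-type entries in a HijackThis log (the R1 "HomeOldSP = about:blank" line and the O16 Downloaded Program Files entries) and then compare a fresh scan against the previous one, which showhost did by hand a few posts up. The Python below is an added example written for this thread, not HijackThis code or any tool mentioned here; the section codes (R1, O2, O16, ...) are HijackThis's own, while KNOWN_DPF_HOSTS and the two sample logs are constructed for the example from lines quoted in the thread.

```python
"""Parse HijackThis-style logs, flag the entry types this thread deals
with, and diff a "before" and an "after" scan.

Added example for this thread; not HijackThis code. The section codes
are HijackThis's own; KNOWN_DPF_HOSTS and the sample logs are constructed.
"""
import re
from dataclasses import dataclass

# One HijackThis entry line: a section code, " - ", then the entry body.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    code: str   # e.g. "R1", "O16"
    body: str   # everything after "R1 - "


def parse_log(text):
    """Return the entry lines of a log; the header and the 'Running
    processes' paths carry no section code and are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


# Hosts a helper would accept as sources of Downloaded Program Files
# (O16 / DPF entries) on this machine. Constructed for the example.
KNOWN_DPF_HOSTS = {
    "fpdownload.macromedia.com",
    "www.microsoft.com",
    "web1.shutterfly.com",
}


def dpf_host(body):
    """Host name of the URL in an O16 entry body, or None if it has none."""
    m = re.search(r"https?://([^/\s]+)", body)
    return m.group(1).lower() if m else None


def flag_entries(entries):
    """(entry, reason) pairs for entries a helper would ask about: start or
    home pages reset to about:blank, and ActiveX controls whose source
    host is not on the allowlist (an entry with no URL is flagged too)."""
    findings = []
    for e in entries:
        if e.code in ("R0", "R1") and "about:blank" in e.body.lower():
            findings.append((e, "IE start/home page set to about:blank (CWS-style hijack)"))
        elif e.code == "O16":
            host = dpf_host(e.body)
            if host not in KNOWN_DPF_HOSTS:
                findings.append((e, f"ActiveX control from unrecognised host {host!r}"))
    return findings


def diff_logs(before, after):
    """Entries present only in the first log and only in the second,
    each in log order; comparison is on the exact entry text."""
    b, a = parse_log(before), parse_log(after)
    b_set, a_set = set(b), set(a)
    removed = [e for e in b if e not in a_set]
    added = [e for e in a if e not in b_set]
    return removed, added


# Sample logs, constructed from lines quoted in the thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 4:18:31 PM, on 5/24/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com/products/swn2004/inst...erInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29eedb00577aea...ip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
"""

AFTER_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 12:48:17 PM, on 5/25/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29eedb00577aea...ip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
"""


if __name__ == "__main__":
    for e, why in flag_entries(parse_log(BEFORE_LOG)):
        print(f"[{e.code}] {why}\n    {e.body}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\nremoved since last scan ({len(removed)}):")
    for e in removed:
        print(f"  - {e.code} - {e.body}")
    print(f"added since last scan ({len(added)}):")
    for e in added:
        print(f"  + {e.code} - {e.body}")
```

Two design choices are worth noting. O16 entries are judged against an allowlist of hosts rather than a list of known-bad ones, because a fresh DPF entry from a host nobody recognises is exactly what a helper wants surfaced, whether or not it is already in a signature list. And the diff compares the exact entry text, so an entry whose path or CLSID changed between scans shows up as one removal plus one addition instead of silently matching; that is what makes a "rescan and see if it returns" check meaningful.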

Hi WinHelp...

You seemed so confident that AWW should have deleted that "about:blank" entry that I ran it a second time, and it deleted it this time. I even went into regedit as you described and it's not there.

 

Can you take a look at the following HijackThis log and see if it looks good to you now:

 

Logfile of HijackThis v1.97.7

Scan saved at 9:24:23 PM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\Program Files\FSI\F-Prot\F-StopW.EXE

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\FSI\F-Prot\F-Sched.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Qualcomm\Eudora\Eudora.exe

C:\Documents and Settings\Owner\Desktop\Virus and Adware Tools\hijackthis\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE

O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: ExpressServices 2000.lnk = C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: Trashcan (HKCU)

O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

 

 

Do you know what these two entries might be?:

 

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

 

They're not PestPatrol as I uninstalled that program.

 

Thanks for your help...

 

showhost


Hi,

Your log looks clean now ...

 

Do you know what these two entries might be?

Either from an online scan from PP or from an earlier install. You can remove those if you like or leave them ... up to you.


WinHelp...

 

Thanks again for your help! Curious, are all you helpers/moderators just volunteers? I'm a bit baffled by how this whole thing works. I can't see where this site is a profit-making venture that pays all of you.

 

You sure provide a valuable service to your fellow man.

 

showhost

 

P.S. When you say to remove the items below:

 

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

 

 

Do you mean via HijackThis or Add/Remove Programs? Not clear how the two are different or the same.


Hi,

Curious, are all you helper/moderators just volunteers

Yup ...

I can't see where this site is a profit-making venture that pays all of you

This site or the many other similar "Forums" are mostly staffed by volunteers that donate their time and efforts. I'm sure SWI would welcome a contribution, see link at the top of the page.

 

Do you mean via HijackThis or Add/Remove Programs

With HijackThis ... as the "objects" listed in the "Downloaded Programs Files" folder do not show up in Add Remove.

 

They do show up via IE | General [tab] | Settings [button] | View Objects [button]

Right-click on the desired item, in your case select: Remove (and reboot)
