Browser Hijacked to About:blank


22 replies to this topic

#1 aaron_cabal_trainee (Full Member, 12 posts)

Posted 26 May 2004 - 03:52 AM

I've tried HijackThis, Spybot, Norton and followed the steps in the FAQ, but nothing seems to help.

My home page keeps getting set to about:blank, and Spybot keeps letting me know that my home page is being reset.

Spybot is also letting me know that additional BHOs are being added to my comp every time I connect.

I'd appreciate any help you can offer me!
Aaron

Here's my Hijackthis Log:

Logfile of HijackThis v1.97.7
Scan saved at 5:47:15 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Aaron\My Documents\From the Net\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\goinf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fhlifm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7890.2745023148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
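
The log above can be triaged mechanically instead of by eye. The script below is an added example for this thread, not HijackThis code and not something the poster ran; a constructed subset of the posted log is embedded as sample input. It parses the R0/R1/O2 lines of a HijackThis 1.97-format log, flags a start or search page whose target is a "res://" URL inside a DLL on disk (the two entries marked "(obfuscated)" above, pointing at goinf.dll and fhlifm.dll in System32) and lists those DLLs so they can be preserved for submission before anything is cleaned, and flags a BHO whose CLSID is registered but whose DLL shows as "(no file)". The function names and the reason strings are the example's own.

```python
"""Triage a HijackThis 1.97-format log for an about:blank search hijack.

Added example for this thread; it is not HijackThis code, and the function
names below are the example's own. It flags:
  * R0/R1 start/search page entries whose target is a res:// URL that names
    a DLL on disk (the log above shows two, both marked obfuscated);
  * O2 BHO entries whose CLSID is registered but whose DLL is '(no file)'.
"""
import re
from typing import List, Tuple

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\goinf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fhlifm.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
"""

# "R1 - HKCU\...,SearchAssistant = res://..."  ->  kind="R1", body=rest of line
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# A res:// URL names a DLL on disk and a resource inside it, e.g.
# res://C:\WINDOWS\System32\goinf.dll/sp.html  ->  dll=C:\WINDOWS\System32\goinf.dll
RES_DLL_RE = re.compile(r"res://(?P<dll>[^/]+?\.dll)/", re.IGNORECASE)
# "BHO: <name> - {CLSID} - <path or (no file)>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

Finding = Tuple[str, str, str]  # (entry kind, reason, artifact)


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            _setting, _, target = body.partition(" = ")
            res = RES_DLL_RE.search(target)
            if res:
                findings.append((kind, "start/search page served from a local DLL resource", res.group("dll")))
            elif "(obfuscated)" in target or target.strip().lower() == "about:blank":
                findings.append((kind, "obfuscated or blank start/search page", target.strip()))
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b and b.group("path").strip() == "(no file)":
                findings.append((kind, "BHO CLSID registered but its DLL is not on disk", b.group("clsid")))
    return findings


def dlls_to_collect(findings: List[Finding]) -> List[str]:
    """DLL paths named by R0/R1 findings: the files to preserve before cleaning."""
    seen: List[str] = []
    for kind, _reason, artifact in findings:
        if kind in ("R0", "R1") and artifact.lower().endswith(".dll") and artifact not in seen:
            seen.append(artifact)
    return seen


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, reason, artifact in found:
        print(f"{kind}: {reason}: {artifact}")
    print("collect before cleaning:", dlls_to_collect(found))
```

Run against the full log instead of the embedded sample and the same three entries come out; the O16 lines with truncated URLs are ignored because the script only looks at R0, R1 and O2 entries.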

#2 aaron_cabal_trainee (Full Member, 12 posts)

Posted 26 May 2004 - 11:25 AM

*bump*


I've basically given up trying to use IE 6.0 and have gone over to Firefox. It's pretty good, BUT I've still got problems with something trying to install or edit BHOs, and then run a script on my comp whenever I do something even remotely related to MSFT and the internet.

Anyone able to help?
Thanks,
Aaron

#3 aaron_cabal_trainee (Full Member, 12 posts)

Posted 26 May 2004 - 04:16 PM

*Bump*

#4 aaron_cabal_trainee (Full Member, 12 posts)

Posted 27 May 2004 - 04:14 AM

*bump*

I am also wondering if my browser is just being sent to about:blank to generate hits, or is it logging everything I'm typing too? What is safe to do when I've got this crap on my machine?

Appreciate any help or advice you can give me.
Thanks,
Aaron

#5 freeatlast (Retired Staff, 833 posts)

Posted 27 May 2004 - 04:31 AM

Download, Find-All.zip:
http://freeatlast.10...om/Find-All.zip
*UNzip it to a normal path.

DoubleClick on the 'Find-All.cmd' file,
follow instructions and post the log!

#6 aaron_cabal_trainee (Full Member, 12 posts)

Posted 27 May 2004 - 08:21 AM

Hey thanks for the reply.

I downloaded the file, unzipped it and ran find-all.cmd

Here's the log that came up.

Let me know what to do next.

Thanks
Aaron

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--

»»System Info:

Microsoft Windows XP [Version 5.1.2600]


»»IE version and Service packs:

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q832894;Q83
009;Q831167;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"
A R C:\Program Files\google\GoogleToolbar1.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:

»»M$Java version:


»»PC uptime:

»»Locked or 'Suspect' file(s) found...
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
'Xfind' is not recognized as an internal or external command,
operable program or batch file.


»»Tasks (services):
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


»»Group/user settings:


»»ACLs list:
'xcacls' is not recognized as an internal or external command,
operable program or batch file.
'xcacls' is not recognized as an internal or external command,
operable program or batch file.

»»Contents of file(s) in 'junk' folder:

»»Md5sums
------
»»Rehash:
A C:\Documents and Settings\Aaron\My Documents\From the Net\winBackup.hiv
A C:\Documents and Settings\Aaron\My Documents\From the Net\windows.txt
A C:\Documents and Settings\Aaron\My Documents\From the Net\winzip81.exe
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_CURRENT_USER\Control Panel\don't load



#7 freeatlast (Retired Staff, 833 posts)

Posted 27 May 2004 - 09:40 AM

Would you please ***unzip*** the 'Find-All' folder and run it again?

'Xfind' is not recognized as an internal or external command,
operable program or batch file.

That means it's not unzipped, or it's running from the zipped archive.
Also try putting the folder in a shorter path, like C:\

P.S.

C:\Documents and Settings\Aaron\My Documents\From the Net\winBackup.hiv

^^^^^^^
That means you didn't keep all the parts together.
Delete what you downloaded, it's useless, download again,
unzip and, while keeping the Find-All folder(s)
intact, run the 'Find-All.cmd' file again!

Edited by freeatlast, 27 May 2004 - 09:46 AM.


#8 aaron_cabal_trainee (Full Member, 12 posts)

Posted 27 May 2004 - 12:59 PM

Ok, well I hope I followed the instructions right.

Here's the output.txt file that was created:

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--


Fri May 28 02:56:16 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (50D2:8808) - FS:NTFS clusters:4k
Total: 29 964 693 504 [28G] - Free: 1 340 456 960 [1.2G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q832894;Q83
009;Q831167;

»»Google Toolbar version and Attributes:
2.0.111.0 C:\Program Files\google\googletoolbar1.dll
Defaults: "A" ;"R"
A R C:\Program Files\google\GoogleToolbar1.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
2:56am up 1 day, 5:35

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\COMEBM.DLL +++ File read error
\\?\C:\WINDOWS\System32\COMEBM.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
636 SMSS.EXE
700 CSRSS.EXE Title:
728 WINLOGON.EXE Title: NetDDE Agent
780 SERVICES.EXE Svcs: Eventlog,PlugPlay
792 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
960 SVCHOST.EXE Svcs: RpcSs
1008 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi
ity,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,
eclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upload
gr,w32time,w
1176 SVCHOST.EXE Svcs: Dnscache
1216 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1456 SPOOLSV.EXE Svcs: Spooler
1564 ati2evxx.exe Svcs: Ati HotKey Poller
1608 Navapsvc.exe Svcs: navapsvc
1804 SVCHOST.EXE Svcs: stisvc
1864 WLTRYSVC.EXE Svcs: WLTRYSVC
1956 BCMWLTRY.EXE Title: BCMWLTRY Windows Application
536 explorer.exe Title: Program Manager
576 CTFMON.EXE Title:
1260 Apoint.exe Title:
1276 atiptaxx.exe Title: ATI Tray Icon Application
1284 DadApp.exe Title: Dell AccessDirect App
1300 Navapw32.exe Title: Norton AntiVirus
1348 jusched.exe Title: OleMainThreadWndName
1644 NCLAUNCH.EXe Title: Northern Codeworks File Launcher
1728 TeaTimer.exe Title: Spybot-S&D Resident
444 EM_EXEC.EXE Title: Logitech GetMessage Hook
1356 ApntEx.exe Title: Elara
552 wisptis.exe Title:
3044 mm_director.exe Title: OleMainThreadWndName
288 firefox.exe Title: SWI Forums -> Browser Hijacked to About:blank - Mozilla Firefox
3884 urlmap.exe Title: OleMainThreadWndName
756 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
3640 NTVDM.EXE
3004 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Group/user settings:


User: [PIMPTACULAR\Aaron], is a member of:

BUILTIN\Administrators
\Everyone
PIMPTACULAR\None

User is a member of group PIMPTACULAR\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
PIMPTACULAR\Aaron:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Fri May 28 02:56:38 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\Find-All\winBackup.hiv
A C:\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Let me know what I should do next.
Thanks for the help,
Aaron



#9 freeatlast (Retired Staff, 833 posts)

Posted 27 May 2004 - 11:46 PM

That's better ;)

Next,
Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

Go to Start/Run/type:
regedit
The registry should open with the Windows subfolder
highlighted.
(*Compare and be sure the path on the status
bar is the same as indicated above!)

-Right-click on the Windows subfolder,
and rename Windows to Windows1

-Locate the "AppInit_DLLs" value in the right
pane, right-click it and select 'Delete'

-Select Windows1 in the left pane
again and rename it back to its
original name, Windows

-Use regedit's top menu View->Refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

-Close regedit, *restart the computer!

--Navigate to the System32 folder, search
for the System32\COMEBM.DLL file, highlight it
and use the folder's top menu
option: "Edit-> Move to folder..."
Browse to and select the C:\junkxxx folder.
(It was created during the first 'Find-All' run.)
'OK' it.

Re-run 'Find-All.cmd' and post the new log!

#10 aaron_cabal_trainee (Full Member, 12 posts)

Posted 28 May 2004 - 03:20 PM

Hi there,

Ok, here's the Find-All log I got after deleting the AppInit_DLLs value and moving comebm.dll

Let me know what I should do next.

Thanks again!
Aaron

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--


Sat May 29 00:29:36 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (50D2:8808) - FS:NTFS clusters:4k
Total: 29 964 693 504 [28G] - Free: 860 950 528 [821M]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q832894;Q83
009;Q831167;

»»Google Toolbar version and Attributes:
2.0.111.0 C:\Program Files\google\googletoolbar1.dll
Defaults: "A" ;"R"
A R C:\Program Files\google\GoogleToolbar1.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
0:29am up 0 days, 0:14

»»Locked or 'Suspect' file(s) found...
* result\\?\C:\junkxxx\COMEBM.DLL


»»Tasks (services):
0 System Process
4 System
340 SMSS.EXE
456 CSRSS.EXE Title:
732 WINLOGON.EXE Title: NetDDE Agent
776 SERVICES.EXE Svcs: Eventlog,PlugPlay
788 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
940 SVCHOST.EXE Svcs: RpcSs
984 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclo
on,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,w
2time,winmgm
1180 SVCHOST.EXE Svcs: Dnscache
1204 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1420 SPOOLSV.EXE Svcs: Spooler
1520 ati2evxx.exe Svcs: Ati HotKey Poller
1556 Navapsvc.exe Svcs: navapsvc
1692 SVCHOST.EXE Svcs: stisvc
1720 WLTRYSVC.EXE Svcs: WLTRYSVC
1764 BCMWLTRY.EXE Title: BCMWLTRY Windows Application
1540 explorer.exe Title: Program Manager
1816 CTFMON.EXE Title:
2008 Apoint.exe Title:
2016 atiptaxx.exe Title: ATI Tray Icon Application
2024 DadApp.exe Title: Dell AccessDirect App
2032 Navapw32.exe Title: Norton AntiVirus
160 jusched.exe Title: OleMainThreadWndName
216 NCLAUNCH.EXe Title: Northern Codeworks File Launcher
364 TeaTimer.exe Title: Spybot-S&D Resident
488 EM_EXEC.EXE Title: Logitech GetMessage Hook
504 ApntEx.exe Title: C:\Program Files\Apoint\Apntex.exe
1252 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
124 NTVDM.EXE
260 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access PIMPTACULAR\Aaron
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access PIMPTACULAR\Aaron



»»Group/user settings:


User: [PIMPTACULAR\Aaron], is a member of:

BUILTIN\Administrators
\Everyone
PIMPTACULAR\None

User is a member of group PIMPTACULAR\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
PIMPTACULAR\Aaron:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


C:\junkxxx\comebm.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
PIMPTACULAR\Aaron:F
BUILTIN\Users:R


»»Contents of file(s) in 'junk' folder:
comebm.dll

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

c185b36f9969d3a6d2122ba7cbc02249 comebm.dll

57344 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:
File: <C:\junkxxx\comebm.dll>

CRC-32 : D5C9FB2E

GOST-Hash : 82A402D7 23ADEDC6 AB139C7E F70F4B77 1DB148B9 64596488

E89EDB26 3B623462

HAVAL-5-256 : D4B2FD10 ED750CA8 9094D67F C6885548 E5E25527 7E25E595

AAEF452A 3CD2FAB3

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436

199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135

C8BECB6F 2DB242DA 5945C134 A7E3D9B9




Sat May 29 00:29:44 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\Find-All\winBackup.hiv
A C:\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
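
The Find-All logs in posts #8 and #10 print the relevant keys as REGEDIT4 exports, so the effect of the procedure in post #9 (delete AppInit_DLLs, reboot, move COMEBM.DLL) can be checked by diffing the two exports rather than by eye. AppInit_DLLs is the Windows value that names DLLs to be loaded into every process that loads user32.dll, which fits what the logs show: a DLL that cannot be read while Windows is running, then movable once the value is gone and the machine has been rebooted. The value being present matters, not what it appears to contain, which is why the script distinguishes an empty AppInit_DLLs from an absent one. The script below is an added example, not part of Find-All and not anything posted in the thread; the two exports it embeds are constructed, trimmed copies of the before and after 'Windows' and ShellServiceObjectDelayLoad keys above, and the function names are the example's own.

```python
"""Parse the REGEDIT4 exports that Find-All prints and diff two runs.

Added example for this thread; not part of Find-All. Two constructed,
trimmed exports are embedded: the 'Windows' key before the AppInit_DLLs
value was deleted (post #8) and after (post #10).
"""
import re
from typing import Dict, Optional, Tuple, Union

WIN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Constructed: trimmed from the post #8 log. AppInit_DLLs is present but shows as empty.
BEFORE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"""

# Constructed: the post #10 log, where the value is gone after the rename/delete/reboot.
AFTER = BEFORE.replace('"AppInit_DLLs"=""\n', "")

Value = Union[str, int]
Export = Dict[str, Dict[str, Value]]  # key path -> {value name -> data}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data  or  @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _decode(data: str) -> Value:
    """Decode REG_SZ and REG_DWORD data; anything else is returned raw."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # REGEDIT4 escapes backslash and double quote with a backslash.
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return data  # hex:... and other types are left as written (single line only)


def parse_regedit4(text: str) -> Export:
    """Parse one or more concatenated REGEDIT4 exports into a nested dict."""
    keys: Export = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        k = KEY_RE.match(line)
        if k:
            current = k.group("key")
            keys.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            name = "@" if v.group("default") else v.group("name")
            keys[current][name] = _decode(v.group("data"))
    return keys


Change = Tuple[Optional[Value], Optional[Value]]


def diff_exports(before: Export, after: Export) -> Dict[Tuple[str, str], Change]:
    """(key, value name) -> (old, new); None on a side means the value was absent."""
    changes: Dict[Tuple[str, str], Change] = {}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if (name in b, b.get(name)) != (name in a, a.get(name)):
                changes[(key, name)] = (b.get(name), a.get(name))
    return changes


def appinit_dlls(export: Export) -> Optional[Value]:
    """The AppInit_DLLs data, '' if present but empty, None if the value is absent."""
    return export.get(WIN_KEY, {}).get("AppInit_DLLs")


if __name__ == "__main__":
    before, after = parse_regedit4(BEFORE), parse_regedit4(AFTER)
    print("AppInit_DLLs before:", repr(appinit_dlls(before)), "after:", repr(appinit_dlls(after)))
    for (key, name), (old, new) in diff_exports(before, after).items():
        print(f"{key}\\{name}: {old!r} -> {new!r}")
```

Paste the full REGEDIT4 sections of two Find-All logs in place of the embedded strings and the diff lists every value that changed between runs, including any BHO or ShellServiceObjectDelayLoad entry that came back after a reboot.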



#11 freeatlast (Retired Staff, 833 posts)

Posted 29 May 2004 - 07:02 AM

;) Well done!

Lastly,

Open the 'Find-All'\Tools Subfolder.
DoubleClick once on: "ZIPZAP.bat" file!

It will quickly/Silently do this:
*Restore your key &Security
back to defaults
*Reset permissions on the junk\*.dll moved file
*Create zipped copy in the same folder: "junkxxx.zip"
*Open your email client with given addressese for submission!

--Drag the 'junkxxx.zip' and submit the
attachment to the specified addresses, ! , thanks ;)

When done, Delete the "junkxxx.zip"
as well as the "junkxxx" folder in C:\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To fix all other, related/non related problems,
Run these tools, have them fix all problems:
*Ad-Aware6:
http://www.lavasoftu...ftware/adaware/

*Updates:
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181

*http://www.spywarein.../CWShredder.exe

Feel free to post a follow-up HijackThis log when done!
Good luck ;)

#12 aaron_cabal_trainee

aaron_cabal_trainee

    Member

  • Full Member
  • 12 posts

Posted 29 May 2004 - 09:10 AM

Hi,

Ok, I ran the ZipZap.bat file. I also ran the newly updated Ad-Aware and then emailed you the zip file.

Everything seems to be running a lot better!

Here's my HJT log below.

Let me know if there are other steps I need to follow!
Thanks again
Aaron

Logfile of HijackThis v1.97.7
Scan saved at 11:02:34 PM, on 5/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Aaron\My Documents\From the Net\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7890.2745023148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#13 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 29 May 2004 - 09:34 AM

Great on all counts!

In HijackThis, check and fix these entries:

*O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)
*O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe

Recommended: uninstall "Red Swoosh EDN Client (remove only)", unless, of course,
it was "only installed after the end user's explicit agreement
to a software use license ... Red Swoosh does not provide
end-user support for the EDN Client software.
Please contact the web site where you originally installed
this software for more information
on the uses of this technology". "Note that sites market this technology under several names including 'TurboShare' or 'Sharing Network'
even though it does operate transparently ..."


Keep your WinXP 'home edition' out of trouble! ;)

#14 aaron_cabal_trainee

aaron_cabal_trainee

    Member

  • Full Member
  • 12 posts

Posted 29 May 2004 - 10:06 PM

Hi,

I uninstalled red swoosh so things are running a lot faster now, but I'm still having a couple of problems.

The first is that O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file) keeps coming back even if I delete it.

Second, when I start up spybot keeps asking me if certain changes I made are ok, and whether I want to deny them or not. Several of these I recognize from when I had my browser hijacked and so I'm a bit worried that the problem isn't completely fixed.

Also, when I run Spybot, it finds a lot of problems, but two that always show up are DSO Exploit and SpeedDelivery. I'm also getting a lot (7) of instances of something called HitBox.

I delete all of these, but it says that SpeedDelivery is in use or in memory so I can't delete it, and if I restart they come right back.

My HJT log is below.

Please let me know what other steps I need to take.
Thanks again for all your help!
Aaron

Logfile of HijackThis v1.97.7
Scan saved at 12:02:55 PM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Aaron\My Documents\From the Net\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7890.2745023148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#15 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 30 May 2004 - 04:24 AM

Well done!
Most of the problems left are not really problems.
DSO Exploit is part of IE's default zone settings and can be ignored.
HitBox entries are tracking cookies, so naturally they'll be back.
The other, SpeedDelivery, could be a remnant of something removed previously.
Can you post the Spybot results?
You can right-click and copy directly from the scan results.
It'll be easier to see which keys/files are detected.
The tracking cookies and DSO Exploit are N/A.
As for the change alerts, I have no idea what they
are unless you specify.

As for HijackThis and the BHO, HijackThis is having trouble finding it.
It's an orphaned entry.

Download this registry search tool:
http://freeatlast.10...com/Regsrch.zip
Unzip, run the RegSrch.vbs file and copy and paste:
{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}
as the string to search.
It will run for a while and generate a report. Copy and post it here.

Edited by freeatlast, 30 May 2004 - 04:27 AM.


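The orphaned O2 entry freeatlast describes above (a CLSID still registered under Browser Helper Objects with no DLL behind it), and the percent-encoded res:// search-page values that HijackThis marks "(obfuscated)" and that show up again in the Spybot "Old data" strings later in this thread, can be picked out of a log mechanically. The script below is an added example written for this page, not a tool from the thread or part of HijackThis: it parses a few lines in HijackThis 1.97 log format, flags O2 BHOs listed as "(no file)" together with the registry key to inspect, percent-decodes R0/R1 URLs and flags res:// pages that live in a local DLL or were hidden by escapes, and flags O16 ActiveX CABs served from a bare IP address. The sample lines are constructed: the O2 and Default_Page_URL lines are copied from the logs above, the Search Page value begins with the same ten percent-escapes the Spybot alerts show but the rest of the path (System32\example.dll) is hypothetical, and the O16 URLs use a documentation IP and example.com.

```python
"""Triage HijackThis 1.97-style log lines for the indicators discussed above."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# 32-bit BHO registration root; a 64-bit host also has a Wow6432Node copy (not shown).
BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r") \((?P<name>[^)]*)\) - (?P<url>\S+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample (see lead-in): copied log lines plus hypothetical URLs/paths.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%65%78%61%6d%70%6c%65%2e%64%6c%6c/sp.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://203.0.113.14/ctl/ImgCtl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://example.com/cabs/swflash.cab
"""


def decode_url(data):
    """Undo percent-encoding; hijackers use it to hide a local path in a res:// URL."""
    return unquote(data)


def triage_line(line):
    """Return (kind, identifier, detail) for a suspicious line, else None."""
    m = O2_RE.match(line)
    if m:
        if m["path"].strip() == "(no file)":
            # CLSID still registered as a BHO but no DLL behind it: this key is the orphan.
            return ("orphaned-bho", m["clsid"], BHO_ROOT + "\\" + m["clsid"])
        return None
    m = R_RE.match(line)
    if m:
        data = m["data"].strip()
        decoded = decode_url(data)
        if decoded.lower().startswith("res://"):
            # A search/start page served out of a local DLL, or hidden by escapes,
            # is the about:blank hijack pattern; genuine defaults are plain http URLs.
            if DRIVE_PATH_RE.match(decoded[6:]) or decoded != data:
                return ("res-hijack", m["value"].strip(), decoded)
        return None
    m = O16_RE.match(line)
    if m:
        host = urlsplit(m["url"]).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            return None  # named host: not flagged by this heuristic
        return ("raw-ip-dpf", m["clsid"], m["url"])
    return None


def triage_log(text):
    """Run triage_line over every line and keep the findings in log order."""
    return [f for f in (triage_line(l.rstrip()) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for kind, ident, detail in triage_log(SAMPLE_LOG):
        print(f"{kind:13} {ident}  ->  {detail}")
```

The res:// check deliberately accepts unencoded res://shdoclc.dll-style values that IE itself uses; only a drive-letter target or a value that changed when decoded is reported.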
#16 spengle

spengle

    Member

  • Full Member
  • 17 posts

Posted 30 May 2004 - 04:42 AM

I am so glad I found this topic... I also have the about:blank hijacker on my computer at the moment and it is a right pain... I'm a novice so this all looks a bit much for me, but I will follow the same instructions and might need a bit of help myself. Would it be better for me to open my own topic on this subject or should I post here?

#17 aaron_cabal_trainee

aaron_cabal_trainee

    Member

  • Full Member
  • 12 posts

Posted 01 June 2004 - 11:03 AM

Hi again,

Ok, I ran Spybot and here are the results of the scan. I'll post the results of the RegSrch.vbs file in my next post.

Thanks again for your help!
Aaron

MediaPlex: Tracking cookie (Firebird: default) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firebird: default) (Cookie, nothing done)

Avenue A, Inc.: Tracking cookie (Firebird: default) (Cookie, nothing done)

BFast: Tracking cookie (Firebird: default) (Cookie, nothing done)

DoubleClick: Tracking cookie (Firebird: default) (Cookie, nothing done)

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1741198633-3416526499-740602149-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

SpeedDelivery: Library (File, nothing done)
C:\WINDOWS\Downloaded Program Files\vxpspeeddelivery.dll

--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi

#18 aaron_cabal_trainee

aaron_cabal_trainee

    Member

  • Full Member
  • 12 posts

Posted 01 June 2004 - 11:19 AM

Ok, I ran the RegSrch.vbs and here is the result of the search for 7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F.

I'm going to restart my machine and post the spybot alerts that come up.

Thanks for your help,
Aaron

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F" 6/2/2004 1:16:40 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}]


Please note that when I tried to run this, my Norton Anti-Virus stopped me and claimed RegSrch was a malicious script, but I let it run the whole script once.

#19 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 01 June 2004 - 11:31 AM

Welcome back! ;)

As noted, most of the Spybot results you posted are safe to ignore:
DSO exploits and tracking cookies.
Cookies come and go as you surf, don't you realize that?

And DSO exploits, oh well, anything that has to do
with IE zones, I let the good ol' hands of M$
manage, nothing else!

Incidentally, all my scan results are the same...

This:
C:\WINDOWS\Downloaded Program Files\
vxpspeeddelivery.dll

Try to delete it manually; it's from this site:
http://www.gigex.com/
http://www.pestpatro...eeddelivery.asp

And really not much to worry about!

If it bothers you that much, you can
use the registry search tool; enter:
vxpspeeddelivery.dll
as the search string and post the result as well.

#20 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 01 June 2004 - 11:35 AM

#2:

Go to Start > Run and enter regedit.

Go back up to the 'root', My Computer.

Expand these folders:
HKEY_LOCAL_MACHINE\
SOFTWARE\
Microsoft\
Windows\
CurrentVersion\
Explorer\
Browser Helper Objects
Expand it and find this subfolder:
{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} <-- right-click, Delete!

Next...

#21 aaron_cabal_trainee

aaron_cabal_trainee

    Member

  • Full Member
  • 12 posts

Posted 01 June 2004 - 11:38 AM

Whenever I boot my machine up, Spybot pops up these warnings that all basically say:

Spybot has detected an important registry entry that has been changed.

Category: System Startup user entry
Change: value deleted
Entry: Red Swoosh EDN client
Old Data: c:\programfiles\rsnet\rsednclient.exe


Category: system start up global entry
Change: value deleted
Entry: moneystartup10.0
Old Data: c:\program files\microsoft money\system\ (I cant read this part because I can't extend the window box)


Category: system start up global entry
Change: value deleted
Entry: adaptecdirectCD
Old Data: c:\program files\roxio\easy cd creator 5\ (gets cut off by the window)


Category: system start up global entry
Change: value deleted
Entry: dwlclient
Old Data: c:\program files\common files\dell\eusw\(gets cut off by the window)

Category: system start up global entry
Change: value deleted
Entry: tkbelleexe
Old Data: c:\program files\common files\real\updat(gets cut off by the window)


Category: system start up global entry
Change: value deleted
Entry: mmtask
Old Data: c:\program files\musicmatch\musicmatc(gets cut off by the window)

Category: system start up global entry
Change: value deleted
Entry: SpybotSnD
Old data: c:\program files\spybot- search _destroy\(gets cut off by the window)

and then it starts returning these "important registry entry that has been changed"

Category: browser page
Change: value deleted
entry: search page
Old data: res://%43%3a%5c%57%49%4e%44%4f%57%53(gets cut off by the window)

Category: browser page
Change: value deleted
entry: search bar
Old data: res://%43%3a%5c%57%49%4e%44%4f%57%53(gets cut off by the window)

Category: browser page
Change: value deleted
entry: start page
Old data: http://www.dellnet.com/
new data: http://www.microsoft...r.dll?prd=(gets cut off by the window)


Category: browser page
Change: value deleted
entry: search page
Old data: res://%43%3a%5c%57%49%4e%44%4f%57%53(gets cut off by the window)

Category: browser page
Change: value deleted
entry: search bar
Old data: res://%43%3a%5c%57%49%4e%44%4f%57%53(gets cut off by the window)

Category: browser page
Change: value deleted
entry: start page
Old data: about:blank
new data: http://www,msn.com/

Category: browser page
Change: value deleted
entry: HomeOldSP
old data: about:blank

I don't know why these keep coming up, or how to stop them from recurring. I also don't know how to get the full info that gets cut off by the browser window being too small because I can't expand it.

If you have any ideas, please let me know.

Thanks again
Aaron

#22 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 01 June 2004 - 11:39 AM

#3:

Please note that when I tried to run this,
my Norton Anti-Virus stopped me and claimed RegSrch
was a *malicious script, but I let it run the whole script once.

Infamous and rather useless 7~engines Norton bloatware!
That's a VB script registry search tool, and all legitimate!
Since you have Norton
Script Blocking installed, it will alert you on
legitimate and harmless scripts, but for some
vague and unknown reason it can never
defend against the real pests!

I hope #4 gets better ;)

#23 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 01 June 2004 - 11:52 AM

#4:

I don't know why these keep
coming up, or how to stop them from recurring.
I also don't know how to get the full info that
gets cut off by the browser window being too
small because I can't expand it.

Is that the latest version of Spybot?

Check this folder, and delete it since you uninstalled it:
C:\Program Files\RSNet <

I have to say that running Spybot or
Ad-Aware on a monthly basis is sufficient.
All these alerts and filters are causing
nothing but confusion.

DISABLE all filters from running on startup,
run CWShredder again and have it clean all it finds,
and that's it.

I don't see anything coming back, just alerts from
the filter running at startup.
Those are known to cause trouble and interfere
with your own settings.
Clean your temp folders and Temporary Internet Files.

Check in a few days if anything comes back.
If it does, it would be a BHO on your HijackThis log.
That's what is causing the search entry changes!
In that case post another HijackThis log.

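The RegSrch output in post #18 is itself a REGEDIT4 file, so the manual regedit deletion in post #20 can be turned into a reviewable .reg file instead of clicking through the tree, and the same file can be kept as the record of what was removed. The script below is an added example for this page (it is not RegSrch, HijackThis or anything from the thread): it reads the key headers out of REGEDIT4 text, keeps for automatic deletion only keys whose leaf is the exact CLSID and whose parent is a Browser Helper Objects root or a CLSID root (where the COM class itself is registered), lists every other hit as a comment for manual review, and emits the `[-Key]` form regedit uses to delete a key. The sample input reproduces the single hit posted above plus a constructed second hit under HKCU\...\Ext\Settings to show what is left alone; the Wow6432Node root is included for 64-bit hosts and does not apply to the XP SP1 machine in this thread.

```python
"""Turn a RegSrch-style REGEDIT4 search result into a reviewable deletion .reg."""
import re

# Parents under which a CLSID leaf may be deleted outright once the DLL is confirmed
# gone: the BHO registration (32-bit view and, on 64-bit Windows, the WOW6432 view)
# and the COM class registration (HKCR is the merged view of HKLM\SOFTWARE\Classes).
BHO_ROOTS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
)
CLSID_ROOTS = (
    r"HKEY_CLASSES_ROOT\CLSID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
)
KEY_LINE_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: the first key is the single hit posted in this thread, the
# second is a hypothetical extra hit added to show what is NOT deleted automatically.
SAMPLE_REGSRCH = r"""REGEDIT4
; Registry search results for string "7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}]
"""


def keys_in_reg(text):
    """Key paths listed in REGEDIT4 text; ';' comments and value lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE_RE.match(line.strip())
        if m:
            keys.append(m["key"])
    return keys


def plan_removal(text, clsid):
    """Split the hits into (delete, review) lists for one CLSID.

    A key is deleted only when its leaf is exactly the CLSID and its parent is a
    BHO root or a CLSID root; anything else (per-user Ext settings, keys where the
    CLSID sits deeper in the path) is left for a human to look at.
    """
    if not CLSID_RE.fullmatch(clsid):
        raise ValueError(f"not a CLSID: {clsid!r}")
    safe_parents = {p.lower() for p in BHO_ROOTS + CLSID_ROOTS}
    delete, review = [], []
    for key in keys_in_reg(text):
        parent, _, leaf = key.rpartition("\\")
        if leaf.lower() == clsid.lower() and parent.lower() in safe_parents:
            delete.append(key)
        else:
            review.append(key)
    return delete, review


def build_deletion_reg(text, clsid):
    """Render a REGEDIT4 file: '[-Key]' deletes the key, ';' lines are comments."""
    delete, review = plan_removal(text, clsid)
    lines = ["REGEDIT4", ""]
    for key in review:
        lines.append(f"; REVIEW BY HAND, not deleted: [{key}]")
    if review:
        lines.append("")
    for key in delete:
        lines.append(f"[-{key}]")
        lines.append("")
    return "\r\n".join(lines) + "\r\n"  # regedit expects CRLF line endings


if __name__ == "__main__":
    print(build_deletion_reg(SAMPLE_REGSRCH, "{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}"), end="")
```

Export the affected keys from regedit (File > Export) before importing the generated file, so the restore option RegSrch mentions in its header still exists; then double-click the .reg or run `regedit /s <file>` and re-run HijackThis to confirm the O2 line is gone.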


