aaron_cabal_trainee

Browser Hijacked to About:blank

23 posts in this topic

I've tried Hijack This, Spybot, Norton and followed the steps in the FAQ, but nothing seems to help.

 

My home page keeps getting set to about:blank, and Spybot keeps letting me know that my home page is being reset.

 

Spybot is also letting me know that additional BHOs are being added to my comp every time I connect.

 

I'd appreciate any help you can offer me!

Aaron

 

Here's my HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 5:47:15 PM, on 5/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\AccessDirect\dadapp.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\NCLAUNCH.EXe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Kazaa Lite K++\KazaaLite.kpp

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Documents and Settings\Aaron\My Documents\From the Net\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\goinf.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fhlifm.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7890.2745023148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

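The R0/R1/O2/O4/O16 lines in the log above all follow the same "section - description" layout, which makes them easy to triage mechanically. The following is an added example, not code from this thread or from HijackThis itself: a small Python parser for that layout plus a few defender-side heuristics drawn from what this particular log shows (a search page served from a res:// URL inside a System32 DLL and labelled obfuscated, a BHO whose file no longer exists on disk, an ActiveX download pulled from a bare IP address). The sample lines are copied from the log above; the function names and the flagging rules are this example's own, not HijackThis's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines taken from the HijackThis log posted above. The first two
# lines are deliberately not R/O entries, to show that the parser skips them.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\goinf.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
"""

# A HijackThis entry is "<section> - <description>", section being R0, R1, O2, O4, O16 ...
LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
# A URL whose host is a dotted-quad IP rather than a hostname.
BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an R/O line, or None for any other line of the log."""
    m = LINE_RE.match(line.strip())
    return Entry(m.group("section"), m.group("body")) if m else None


def flag_entry(e: Entry) -> Entry:
    """Apply this example's (hypothetical) heuristics and record any hits on the entry."""
    low = e.body.lower()
    if e.section in ("R0", "R1"):
        # Start/search page served out of a DLL under System32 via a res:// URL.
        if "res://" in low and "\\system32\\" in low:
            e.flags.append("start/search page served from a res:// URL inside a System32 DLL")
        # HijackThis itself appends this marker when the stored value is encoded.
        if "(obfuscated)" in low:
            e.flags.append("HijackThis marked the value as obfuscated")
        if "about:blank" in low:
            e.flags.append("page set to about:blank")
    elif e.section == "O2":
        # O2 layout: "BHO: <name> - {CLSID} - <path or (no file)>"
        if low.endswith("(no file)"):
            e.flags.append("BHO registered but its DLL is missing from disk")
        elif "bho: (no name)" in low and "\\system32\\" in low:
            e.flags.append("unnamed BHO loading from System32")
    elif e.section == "O16":
        # O16 layout: "DPF: {CLSID} (<name>) - <download URL>"
        if BARE_IP_URL_RE.search(low):
            e.flags.append("ActiveX (DPF) control downloaded from a bare IP address")
    return e


def triage(log_text: str) -> List[Entry]:
    """Parse every R/O line of a log and attach flags to each entry."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [flag_entry(e) for e in entries if e is not None]


def suspicious(log_text: str) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for f in e.flags:
            print(f"    - {f}")
```

Run against the sample, the pass reports three entries: the obfuscated res:// SearchAssistant line, the orphaned BHO and the DPF download from 216.249.24.141; the Dell, Norton and Google lines pass unflagged. The heuristics are deliberately narrow so that a clean entry is never reported, which is the property a triage helper must have before it is trusted on a real log.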

*bump*

 

 

I've basically given up trying to use IE 6.0 and have gone over to Firefox. It's pretty good, BUT I've still got problems with something trying to install or edit BHOs, and then run a script on my comp whenever I do something even remotely related to MSFT and the internet.

 

Anyone able to help?

Thanks,

Aaron


*bump*

 

I am also wondering if my browser is just being sent to about:blank to generate hits, or is it logging everything I'm typing too? What is safe to do when I've got this crap on my machine?

 

Appreciate any help or advice you can give me.

Thanks,

Aaron


Hey thanks for the reply.

 

I downloaded the file, unzipped it and ran find-all.cmd.

 

Here's the log that came up.

 

Let me know what to do next.

 

Thanks

Aaron

 

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--

 

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

 

 

»»IE version and Service packs:

 

! REG.EXE VERSION 3.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q832894;Q83

009;Q831167;

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

A R C:\Program Files\google\GoogleToolbar1.dll

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

 

»»M$Java version:

 

 

»»PC uptime:

 

»»Locked or 'Suspect' file(s) found...

'Xfind' is not recognized as an internal or external command,

operable program or batch file.

'Xfind' is not recognized as an internal or external command,

operable program or batch file.

'Xfind' is not recognized as an internal or external command,

operable program or batch file.

 

 

»»Tasks (services):

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

»»Group/user settings:

 

 

»»ACLs list:

'xcacls' is not recognized as an internal or external command,

operable program or batch file.

'xcacls' is not recognized as an internal or external command,

operable program or batch file.

 

»»Contents of file(s) in 'junk' folder:

 

»»Md5sums

------

»»Rehash:

A C:\Documents and Settings\Aaron\My Documents\From the Net\winBackup.hiv

A C:\Documents and Settings\Aaron\My Documents\From the Net\windows.txt

A C:\Documents and Settings\Aaron\My Documents\From the Net\winzip81.exe

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 3.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_CURRENT_USER\Control Panel\don't load

 


Would you please ***unzip*** the 'Find-All' folder and run it again?

 

'Xfind' is not recognized as an internal or external command,

operable program or batch file.

 

That means it's not unzipped, or running from the zipped archive.

Also try putting the folder in a shorter path, like in C:\

 

P.S.

C:\Documents and Settings\Aaron\My Documents\From the Net\winBackup.hiv

^^^^^^^

That means you didn't keep all the parts together.

Delete what you downloaded (it's useless), download it again, unzip it and, while keeping the Find-All folder(s) intact, run the 'Find-All.cmd' file again!

Edited by freeatlast


Ok, well I hope I followed the instructions right.

 

Here's the output.txt file that was created:

 

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--

 

 

Fri May 28 02:56:16 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (50D2:8808) - FS:NTFS clusters:4k

Total: 29 964 693 504 [28G] - Free: 1 340 456 960 [1.2G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q832894;Q83

009;Q831167;

 

»»Google Toolbar version and Attributes:

2.0.111.0 C:\Program Files\google\googletoolbar1.dll

Defaults: "A" ;"R"

A R C:\Program Files\google\GoogleToolbar1.dll

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

»»PC uptime:

2:56am up 1 day, 5:35

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\COMEBM.DLL +++ File read error

\\?\C:\WINDOWS\System32\COMEBM.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

636 SMSS.EXE

700 CSRSS.EXE Title:

728 WINLOGON.EXE Title: NetDDE Agent

780 SERVICES.EXE Svcs: Eventlog,PlugPlay

792 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

960 SVCHOST.EXE Svcs: RpcSs

1008 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi

ity,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,

eclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upload

gr,w32time,w

1176 SVCHOST.EXE Svcs: Dnscache

1216 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient

1456 SPOOLSV.EXE Svcs: Spooler

1564 ati2evxx.exe Svcs: Ati HotKey Poller

1608 Navapsvc.exe Svcs: navapsvc

1804 SVCHOST.EXE Svcs: stisvc

1864 WLTRYSVC.EXE Svcs: WLTRYSVC

1956 BCMWLTRY.EXE Title: BCMWLTRY Windows Application

536 explorer.exe Title: Program Manager

576 CTFMON.EXE Title:

1260 Apoint.exe Title:

1276 atiptaxx.exe Title: ATI Tray Icon Application

1284 DadApp.exe Title: Dell AccessDirect App

1300 Navapw32.exe Title: Norton AntiVirus

1348 jusched.exe Title: OleMainThreadWndName

1644 NCLAUNCH.EXe Title: Northern Codeworks File Launcher

1728 TeaTimer.exe Title: Spybot-S&D Resident

444 EM_EXEC.EXE Title: Logitech GetMessage Hook

1356 ApntEx.exe Title: Elara

552 wisptis.exe Title:

3044 mm_director.exe Title: OleMainThreadWndName

288 firefox.exe Title: SWI Forums -> Browser Hijacked to About:blank - Mozilla Firefox

3884 urlmap.exe Title: OleMainThreadWndName

756 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe

3640 NTVDM.EXE

3004 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

»»Group/user settings:

 

 

User: [PIMPTACULAR\Aaron], is a member of:

 

BUILTIN\Administrators

\Everyone

PIMPTACULAR\None

 

User is a member of group PIMPTACULAR\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:F

BUILTIN\Administrators:(OI)(CI)(IO)F

NT AUTHORITY\SYSTEM:F

NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F

PIMPTACULAR\Aaron:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:R

BUILTIN\Users:(OI)(CI)(IO)(special access:)

 

GENERIC_READ

GENERIC_EXECUTE

 

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

 

»»Contents of file(s) in 'junk' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Fri May 28 02:56:38 2004 -- ++Find-All 'Windows'.hiv .reg list:

A C:\Find-All\winBackup.hiv

A C:\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

 

Let me know what I should do next.

Thanks for the help,

Aaron

 


That's better ;)

 

Next,

Your Windows registry is set to open this key directly:

*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

Go to Start/Run and type:

regedit

The registry should open with the Windows subfolder highlighted.
(*Compare and be sure the path on the status bar is the same as indicated above!)

-Right-click on the Windows subfolder and rename Windows as Windows1.

-Locate the "AppInit_DLLs" value in the right pane, right-click it and select 'Delete'.

-Select Windows1 in the left pane again and rename it back to its original name, Windows.

-Use regedit's top menu View->Refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

-Close regedit, *restart the computer!

--Navigate to the System32 folder, search for the System32\COMEBM.DLL file, highlight it and use the folder's top menu option "Edit-> Move to Folder...". Browse to and select the C:\junkxxx folder (it was created during the first 'Find-All' run) and 'OK' it.

Re-run 'Find-All.cmd' and post the new log!

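The procedure above ends with a check: after the rename, delete and rename-back, the "AppInit_DLLs" value must be gone from the Windows key, and the next Find-All run prints that key again as a REGEDIT4 export. Here is an added example, not Find-All's or the forum's own code, that makes the same check mechanically: a Python parser for the REGEDIT4 layout Find-All prints, and a function that diffs a "before" and an "after" export of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and reports which values disappeared or changed. Both exports below are constructed excerpts in the layout of the Find-All output earlier in this thread (where the value reads as empty, `""`, and is removed anyway); the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed "before" excerpt, in the same layout as Find-All's REGEDIT4 dump of the
# Windows key earlier in the thread: AppInit_DLLs is present, with empty data.
BEFORE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"""

# Constructed "after" excerpt: the same key once the value has been deleted.
AFTER_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"""

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# "[<key path>]" opens a key; '"<name>"=<data>' or '@=<data>' is one value under it.
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_data}} for a REGEDIT4 export.

    The data is kept raw (e.g. '""' or 'dword:00002710'), which is enough for
    presence checks and before/after comparison.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            if name != "@":
                name = name[1:-1]  # strip the surrounding quotes
            keys[current][name] = m.group("data")
    return keys


def appinit_status(text: str):
    """Raw data of AppInit_DLLs under the Windows key, or None if the value is absent."""
    return parse_regedit4(text).get(WINDOWS_KEY, {}).get("AppInit_DLLs")


def diff_key(before: str, after: str, key: str = WINDOWS_KEY) -> Tuple[List[str], List[str], List[str]]:
    """Return (removed, added, changed) value names for one key between two exports."""
    b = parse_regedit4(before).get(key, {})
    a = parse_regedit4(after).get(key, {})
    removed = sorted(set(b) - set(a))
    added = sorted(set(a) - set(b))
    changed = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    return removed, added, changed


if __name__ == "__main__":
    print("AppInit_DLLs before:", appinit_status(BEFORE_EXPORT))
    print("AppInit_DLLs after: ", appinit_status(AFTER_EXPORT))
    removed, added, changed = diff_key(BEFORE_EXPORT, AFTER_EXPORT)
    print("removed:", removed, "added:", added, "changed:", changed)
```

Feeding it the real "Tasks (services)" REGEDIT4 blocks from two consecutive Find-All logs gives the same answer the helper asks the user to confirm by eye in regedit: the only difference is that "AppInit_DLLs" is no longer listed, and nothing else under the key moved. Seeing a value reported as empty is not the same as it being gone, which is why the check is on presence rather than on content.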

Hi there,

 

Ok, here's the find-all log I got after deleting the appinit_dll and moving the comebm.dll.

 

Let me know what I should do next.

 

Thanks again!

Aaron

 

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--

 

 

Sat May 29 00:29:36 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (50D2:8808) - FS:NTFS clusters:4k

Total: 29 964 693 504 [28G] - Free: 860 950 528 [821M]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q832894;Q83

009;Q831167;

 

»»Google Toolbar version and Attributes:

2.0.111.0 C:\Program Files\google\googletoolbar1.dll

Defaults: "A" ;"R"

A R C:\Program Files\google\GoogleToolbar1.dll

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

»»PC uptime:

0:29am up 0 days, 0:14

 

»»Locked or 'Suspect' file(s) found...

* result\\?\C:\junkxxx\COMEBM.DLL

 

 

»»Tasks (services):

0 System Process

4 System

340 SMSS.EXE

456 CSRSS.EXE Title:

732 WINLOGON.EXE Title: NetDDE Agent

776 SERVICES.EXE Svcs: Eventlog,PlugPlay

788 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

940 SVCHOST.EXE Svcs: RpcSs

984 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,

elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclo

on,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,w

2time,winmgm

1180 SVCHOST.EXE Svcs: Dnscache

1204 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient

1420 SPOOLSV.EXE Svcs: Spooler

1520 ati2evxx.exe Svcs: Ati HotKey Poller

1556 Navapsvc.exe Svcs: navapsvc

1692 SVCHOST.EXE Svcs: stisvc

1720 WLTRYSVC.EXE Svcs: WLTRYSVC

1764 BCMWLTRY.EXE Title: BCMWLTRY Windows Application

1540 explorer.exe Title: Program Manager

1816 CTFMON.EXE Title:

2008 Apoint.exe Title:

2016 atiptaxx.exe Title: ATI Tray Icon Application

2024 DadApp.exe Title: Dell AccessDirect App

2032 Navapw32.exe Title: Norton AntiVirus

160 jusched.exe Title: OleMainThreadWndName

216 NCLAUNCH.EXe Title: Northern Codeworks File Launcher

364 TeaTimer.exe Title: Spybot-S&D Resident

488 EM_EXEC.EXE Title: Logitech GetMessage Hook

504 ApntEx.exe Title: C:\Program Files\Apoint\Apntex.exe

1252 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe

124 NTVDM.EXE

260 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{269E487C-3461-44E3-A97A-61DB2CE7620C}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access PIMPTACULAR\Aaron

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access PIMPTACULAR\Aaron

 

 

 

»»Group/user settings:

 

 

User: [PIMPTACULAR\Aaron], is a member of:

 

BUILTIN\Administrators

\Everyone

PIMPTACULAR\None

 

User is a member of group PIMPTACULAR\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:F

BUILTIN\Administrators:(OI)(CI)(IO)F

NT AUTHORITY\SYSTEM:F

NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F

PIMPTACULAR\Aaron:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:R

BUILTIN\Users:(OI)(CI)(IO)(special access:)

 

GENERIC_READ

GENERIC_EXECUTE

 

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

C:\junkxxx\comebm.dll BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

PIMPTACULAR\Aaron:F

BUILTIN\Users:R

 

 

»»Contents of file(s) in 'junk' folder:

comebm.dll

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

c185b36f9969d3a6d2122ba7cbc02249 comebm.dll

 

57344 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

File: <C:\junkxxx\comebm.dll>

 

CRC-32 : D5C9FB2E

 

GOST-Hash : 82A402D7 23ADEDC6 AB139C7E F70F4B77 1DB148B9 64596488

 

E89EDB26 3B623462

 

HAVAL-5-256 : D4B2FD10 ED750CA8 9094D67F C6885548 E5E25527 7E25E595

 

AAEF452A 3CD2FAB3

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436

 

199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135

 

C8BECB6F 2DB242DA 5945C134 A7E3D9B9

 

 

 

 

Sat May 29 00:29:44 2004 -- ++Find-All 'Windows'.hiv .reg list:

A C:\Find-All\winBackup.hiv

A C:\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


;) Well done!

Lastly,

Open the 'Find-All'\Tools subfolder.
Double-click once on the "ZIPZAP.bat" file!

It will quickly/silently do this:
*Restore your key & security back to defaults
*Reset permissions on the junk\*.dll moved file
*Create a zipped copy in the same folder: "junkxxx.zip"
*Open your email client with the given addresses for submission!

--Drag the 'junkxxx.zip' and submit the attachment to the specified addresses, thanks ;)

When done, delete the "junkxxx.zip" as well as the "junkxxx" folder in C:\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To fix all other, related/non-related problems, run these tools and have them fix all problems:
*Ad-Aware 6:
http://www.lavasoftusa.com/software/adaware/

*Updates:
http://www.lavasoftsupport.com/index.php?showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181

*http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Feel free to post a follow-up HijackThis log when done!
Good luck ;)


Hi,

 

Ok, I ran the ZipZap.bat file. I also ran the new updated Adaware and then emailed you the zip file.

 

Everything seems to be running a lot better!

 

Here's my HJT log below.

 

Let me know if there are other steps I need to follow!

Thanks again

Aaron

 

Logfile of HijackThis v1.97.7

Scan saved at 11:02:34 PM, on 5/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\AccessDirect\dadapp.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\System32\DSentry.exe

C:\WINDOWS\NCLAUNCH.EXe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Documents and Settings\Aaron\My Documents\From the Net\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7890.2745023148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Great on all counts!

 

In hijackthis fix checked these trails:

 

*O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)

*O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe

 

Recommended to Uninstall "Red Swoosh EDN Client (remove only)", unless, of course, it was "only installed after the end user's explicit agreement to a software use license........Red Swoosh does not provide end-user support for the EDN Client software. Please contact the web site where you originally installed this software for more information on the uses of this technology". "Note that sites market this technology under several names including 'TurboShare' or 'Sharing Network' even though it does operate transparently........."

 

Keep your WinXP 'home edition' out of trouble! ;)


Hi,

 

I uninstalled red swoosh so things are running a lot faster now, but I'm still having a couple of problems.

 

The first is that O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file) keeps coming back even if I delete it.

 

Second, when I start up spybot keeps asking me if certain changes I made are ok, and whether I want to deny them or not. Several of these I recognize from when I had my browser hijacked and so I'm a bit worried that the problem isn't completely fixed.

 

Also, when I run spybot, it finds a lot of problems, but two that always show up are DSOexploit and speeddelivery. I'm also getting a lot (7) of instances of something called hitbot.

 

I delete all of these, but it says that speeddelivery is in use or in memory so I can't delete it and if I restart they come right back.

 

My HJT log is below.

 

Please let me know what other steps I need to take.

Thanks again for all your help!

Aaron

 

Logfile of HijackThis v1.97.7

Scan saved at 12:02:55 PM, on 5/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\AccessDirect\dadapp.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\System32\DSentry.exe

C:\WINDOWS\NCLAUNCH.EXe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Documents and Settings\Aaron\My Documents\From the Net\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7890.2745023148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Well done!

Most of the problems left are not really problems.

DSoExploit is part of IE defaults zone settings and can be ignored.

hitbot are tracking cookies, so naturally they'll be back.

The other, speeddelivery, could be a remnant of something removed previously.

Can you post Spybot results?

You can RightClick and copy directly from the scan results.

It'll be easier to see which keys/files are detected.

The tracking cookies and DSOexploit are N/A.

As for the change alerts, I have no idea what they are unless you specify.

 

As for hijackthis and the bho, hijackthis is having trouble finding it..

It's an orphaned entry.

 

Download this registry search tool:

http://freeatlast.100free.com/Regsrch.zip

Unzip, run the RegSrch.vbs file and copy and paste:

{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}

As the string to search.

It will run for a while and generate a report. Copy and post it here.

Edited by freeatlast

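The orphaned-BHO case discussed above can be spotted mechanically. The following Python helper is an added example, not part of this thread or of HijackThis: it parses O2/O4 lines, lists the registry keys to inspect for BHO registrations whose DLL is "(no file)", and diffs the O4 Run entries between two logs. The sample lines are copied from the logs posted in this thread; the Browser Helper Objects key path is the one the thread's replies refer to.

```python
import re

# Constructed sample: a few O2/O4 lines copied from the HijackThis logs in
# this thread, not a complete log.
SAMPLE_BEFORE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""
# The same lines after Red Swoosh was uninstalled (as in the later log).
SAMPLE_AFTER = "\n".join(l for l in SAMPLE_BEFORE.splitlines() if "Red Swoosh" not in l)

# Where IE registers BHOs; an O2 line's CLSID is a subkey under this path.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_bhos(log_text):
    """One dict per O2 line; 'orphaned' marks a registration whose DLL is gone."""
    bhos = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            b = m.groupdict()
            b["orphaned"] = b["path"].strip().lower() == "(no file)"
            bhos.append(b)
    return bhos


def orphaned_bho_keys(log_text):
    """Registry keys to inspect by hand for BHOs that HijackThis cannot fix
    because the DLL no longer exists (the case discussed in this thread)."""
    return [BHO_KEY + "\\" + b["clsid"] for b in parse_bhos(log_text) if b["orphaned"]]


def parse_run_entries(log_text):
    """Map O4 Run entry name -> (hive, command)."""
    entries = {}
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries[m.group("name")] = (m.group("hive"), m.group("cmd"))
    return entries


def removed_run_entries(before_log, after_log):
    """Run entries present in an earlier log but gone from a later one.
    Knowing these explains the 'value deleted' startup alerts a change
    monitor such as Spybot's TeaTimer raises after a cleanup."""
    before = parse_run_entries(before_log)
    after = parse_run_entries(after_log)
    return {name: before[name] for name in before if name not in after}


if __name__ == "__main__":
    for key in orphaned_bho_keys(SAMPLE_BEFORE):
        print("orphaned BHO, check manually:", key)
    for name, (hive, cmd) in removed_run_entries(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"expected 'value deleted' alert for [{name}] ({hive}): {cmd}")
```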

I am so glad I found this topic... I also have the about:blank hijacker on my computer at the moment and it is a right pain... I'm a novice so this all looks a bit much for me, but I will follow the same instructions and might need a bit of help myself. Would it be better for me to open my own topic on this subject or should I post here?


Hi again,

 

Ok, I ran spybot and here's the results of the scan. I'll post the results of the regsrch.vbs file in my next post.

 

Thanks again for your help!

Aaron

 

MediaPlex: Tracking cookie (Firebird: default) (Cookie, nothing done)

 

 

MediaPlex: Tracking cookie (Firebird: default) (Cookie, nothing done)

 

 

Avenue A, Inc.: Tracking cookie (Firebird: default) (Cookie, nothing done)

 

 

BFast: Tracking cookie (Firebird: default) (Cookie, nothing done)

 

 

DoubleClick: Tracking cookie (Firebird: default) (Cookie, nothing done)

 

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-21-1741198633-3416526499-740602149-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

 

 

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

 

 

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

 

 

SpeedDelivery: Library (File, nothing done)

C:\WINDOWS\Downloaded Program Files\vxpspeeddelivery.dll

 

 

--- Spybot - Search && Destroy version: 1.3 ---

2004-05-12 Includes\Cookies.sbi

2004-05-12 Includes\Dialer.sbi

2004-05-12 Includes\Hijackers.sbi

2004-05-12 Includes\Keyloggers.sbi

2004-05-12 Includes\LSP.sbi

2004-05-12 Includes\Malware.sbi

2004-05-12 Includes\Revision.sbi

2004-05-12 Includes\Security.sbi

2004-05-12 Includes\Spybots.sbi

2004-05-12 Includes\Tracks.uti

2004-05-12 Includes\Trojans.sbi


Ok, I ran the regsrch.vbs and here is the result of the scan for 7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F

 

I'm going to restart my machine and post the spybot alerts that come up.

 

Thanks for your help,

Aaron

 

REGEDIT4

; RegSrch.vbs © Bill James

 

; Registry search results for string "7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F" 6/2/2004 1:16:40 AM

 

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F}]

 

 

Please note that when I tried to run this, my Norton Anti-virus stopped me and claimed regsrch was a malicious script, but I let it run the whole script once.


Welcome back! ;)

 

As noted, most spybot results you posted are safe to ignore.

DSO exploits and tracking cookies.

Cookies come and go as you surf. Don't you realize that?

 

And DSO exploits, oh well, anything that has to do with IE Zones, I let the good ol' hands of M$ manage, nothing else!

 

Incidentally, all my scan results are the same...

 

This:

C:\WINDOWS\Downloaded Program Files\

vxpspeeddelivery.dll

 

Try to Delete manually, it's from this Site:

http://www.gigex.com/

http://www.pestpatrol.com/PestInfo/g/gigex_speeddelivery.asp

 

And really not much to worry about!

 

If it bothers you that much, you can

use the registry search too, enter:

vxpspeeddelivery.dll

As the search string and post as well.


#2:

 

Go to/start/run/regedit

 

Go back up to 'root' /My Computer.

 

Expand these folders:

HKEY_LOCAL_MACHINE\

SOFTWARE\

Microsoft\

Windows\

CurrentVersion\

Explorer\

Browser Helper Objects

Expand, and find this Subfolder:

{7D1A50E4-E3E5-40AA-ACF2-ACAEA59D6C8F} <-- RightClick, delete!

 

Next...


Whenever I boot my machine up, Spybot pops up these warnings that all basically say:

 

Spybot has detected an important registry entry that has been changed.

 

Category: System Startup user entry

Change: value deleted

Entry: Red Swoosh EDN client

Old Data: c:\programfiles\rsnet\rsednclient.exe

 

 

Category: system start up global entry

Change: value deleted

Entry: moneystartup10.0

Old Data: c:\program files\microsoft money\system\ (I can't read this part because I can't extend the window box)

 

 

Category: system start up global entry

Change: value deleted

Entry: adaptecdirectCD

Old Data: c:\program files\roxio\easy cd creator 5\ (gets cut off by the window)

 

 

Category: system start up global entry

Change: value deleted

Entry: dwlclient

Old Data: c:\program files\common files\dell\eusw\(gets cut off by the window)

 

Category: system start up global entry

Change: value deleted

Entry: tkbelleexe

Old Data: c:\program files\common files\real\updat(gets cut off by the window)

 

 

Category: system start up global entry

Change: value deleted

Entry: mmtask

Old Data: c:\program files\musicmatch\musicmatc(gets cut off by the window)

 

Category: system start up global entry

Change: value deleted

Entry: SpybotSnD

Old data: c:\program files\spybot- search _destroy\(gets cut off by the window)

 

and then it starts returning these "important registry entry that has been changed"

 

Category: browser page

Change: value deleted

entry: search page

Old data: res://%43%3a%5c%57%49%4e%44%4f%57%53(gets cut off by the window)

 

Category: browser page

Change: value deleted

entry: search bar

Old data: res://%43%3a%5c%57%49%4e%44%4f%57%53(gets cut off by the window)

 

Category: browser page

Change: value deleted

entry: start page

Old data: http://www.dellnet.com/

new data: http://www.microsoft.com/isapi/redir.dll?prd=(gets cut off by the window)

 

 

Category: browser page

Change: value deleted

entry: search page

Old data: res://%43%3a%5c%57%49%4e%44%4f%57%53(gets cut off by the window)

 

Category: browser page

Change: value deleted

entry: search bar

Old data: res://%43%3a%5c%57%49%4e%44%4f%57%53(gets cut off by the window)

 

Category: browser page

Change: value deleted

entry: start page

Old data: about:blank

new data: http://www,msn.com/

 

Category: browser page

Change: value deleted

entry: HomeOldSP

old data: about:blank

 

I don't know why these keep coming up, or how to stop them from recurring. I also don't know how to get the full info that gets cut off by the browser window being too small because I can't expand it.

 

If you have any ideas, please let me know.

 

Thanks again

Aaron

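The "Old data" values in the alerts above are percent-encoded, which is why the search page entries are hard to read. The Python below is an added example, not Spybot output or code from this thread: it parses the alert records, decodes the %XX escapes (the posted prefix %43%3a%5c%57%49%4e%44%4f%57%53 is "C:\WINDOWS"), and labels each value by what it points at. The sample alert text is constructed from the alerts quoted above, with the poster's "(gets cut off by the window)" remarks left out.

```python
from urllib.parse import unquote

# Constructed sample built from the Spybot alerts quoted above. The res://
# values are the truncated prefixes exactly as posted.
SAMPLE_ALERTS = r"""
Category: System Startup user entry
Change: value deleted
Entry: Red Swoosh EDN client
Old Data: c:\programfiles\rsnet\rsednclient.exe

Category: browser page
Change: value deleted
entry: search page
Old data: res://%43%3a%5c%57%49%4e%44%4f%57%53

Category: browser page
Change: value deleted
entry: start page
Old data: about:blank
new data: http://www,msn.com/
"""


def parse_alerts(text):
    """Split the alert text into blank-line-separated records. Keys are
    lower-cased because the capitalisation varies ('Old Data' / 'Old data')."""
    alerts, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                alerts.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")  # the first colon ends the key
        if sep:
            current[key.strip().lower()] = value.strip()
    if current:
        alerts.append(current)
    return alerts


def decode_value(value):
    """Undo %XX percent-encoding so a res:// URL shows the file it points at."""
    return unquote(value)


def classify(value):
    """Label a browser-page value by what it really refers to."""
    decoded = decode_value(value)
    lowered = decoded.lower()
    if lowered == "about:blank":
        return "blank page"
    if lowered.startswith("res://"):
        # IE's res: protocol loads a resource out of a local file; percent-
        # encoding hides which file, so report the decoded path.
        return "local resource -> " + decoded[len("res://"):]
    if lowered.startswith(("http://", "https://")):
        return "web URL"
    return "file path"


def triage(text):
    """One row per alert with the old/new values decoded and labelled."""
    rows = []
    for a in parse_alerts(text):
        old, new = a.get("old data", ""), a.get("new data", "")
        rows.append({
            "category": a.get("category", ""),
            "entry": a.get("entry", ""),
            "change": a.get("change", ""),
            "old": decode_value(old),
            "old_kind": classify(old) if old else "",
            "new": decode_value(new),
        })
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f"{r['category']:<28} {r['entry']:<22} old={r['old']!r} "
              f"({r['old_kind']}) new={r['new']!r}")
```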

#3:

Please note that when I tried to run this,

my Norton Anti-virus stopped me and claimed regsrch

was a *malicious script, but I let it run the whole script once.

Infamous and rather useless 7~engines Norton Bloatware!

That's a vb script registry search tool, and all legitimate!

Since you have Norton

script blocking installed, it will alert you on

legitimate and harmless scripts, but for some

vague and unknown reason it can never

defend against the real pests!

 

I hope #4 gets better ;)


#4:

 

I don't know why these keep

coming up, or how to stop them from recurring.

I also don't know how to get the full info that

gets cut off by the browser window being too

small because I can't expand it.

Is that the latest version of SpyBot?

 

Check this folder, and delete since you uninstalled it:

c:\programfiles\rsnet <--

 

I have to say that running SpyBot or Ad-Aware on a monthly basis is sufficient.

All these alerts and filters are causing

nothing but confusion.

 

DISABLE all filters from running on startup,

run CWShredder again and have it clean all it finds,

and that's it.

 

I don't see anything coming back, just alerts from

running filter startup.

Those are known to cause trouble and interfere

with your own settings.

Clean your temp folders and temp internet files.

 

 

Check in a few days if anything comes back.

If it does, it would be a BHO on your hijackthis log.

That's what is causing search entry changes!

In that case post another hijackthis log.
