• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
NotATechy

About:Blank in IE window

6 posts in this topic

Have read through some of the threads concerning the About:Blank issue and unwanted pop-ups. Have ran SpyBot, CWShredder and HJT. Removed Winad Client through Add/Remove. Downloaded Reglite and ran, but no listing for APPInitDLL's under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\APPInit_DLLs. Tried running hiving bat file, but confirmed no APPInitDLL's. Tried deleting the R0's. R1's and BHO (not associated w/ Adobe)thru HJT, and rebooting, but About:Blank still comes back. Not sure what else to try to get my highjacked IE back. Below is a printout from HJT and below that is the printout from GetService batch file. Your help will be greatly appreciated.

 

HJT

 

Logfile of HijackThis v1.97.7

Scan saved at 4:01:46 PM, on 9/7/2004

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\WINNT\system32\sdksh32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\SYSTEM32\EMPIRUM\Setupsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\System32\Empirum\PBackup.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\WINNT\system32\EMPIRUM\xftpd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\atlxb.exe

C:\unzipped\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\khdis.dll/sp.html#29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\khdis.dll/sp.html#29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\khdis.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\khdis.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\khdis.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\khdis.dll/sp.html#29126

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\khdis.dll/sp.html#29126

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {3086A6FD-849C-F546-AA1C-CFF0DA518FF5} - C:\WINNT\atles32.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"

O4 - HKLM\..\Run: [_UserEnv] C:\WINNT\system32\EMPIRUM\env.exe

O4 - HKLM\..\Run: [RunSWDepot1] C:\WINNT\system32\EMPIRUM\SWDEPOT.EXE \\Hou-Apps03\Configurator$\User\SwDepot.dds /I /S /F

O4 - HKLM\..\Run: [atlxb.exe] C:\WINNT\system32\atlxb.exe

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O15 - Trusted Zone: *.05p.com

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.scoobidoo.com

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.slotch.com

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

GetService

 

 

PsService v1.1 - local and remote services viewer/controller

Copyright © 2001-2003 Mark Russinovich

Sysinternals - www.sysinternals.com

 

SERVICE_NAME: Alerter

Notifies selected users and computers of administrative alerts.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\services.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Alerter

DEPENDENCIES : LanmanWorkstation

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: AlertManager

(null)

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : "C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : McAfee Alert Manager

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: AppMgmt

Provides software installation services such as Assign, Publish, and Remove.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\services.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Application Management

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: BITS

Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k BITSgroup

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Background Intelligent Transfer Service

DEPENDENCIES : LanmanWorkstation

: Rpcss

: SENS

: Wmi

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Browser

Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\services.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Computer Browser

DEPENDENCIES : LanmanWorkstation

: LanmanServer

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: cisvc

(null)

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\cisvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Indexing Service

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ClipSrv

Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\clipsrv.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : ClipBook

DEPENDENCIES : NetDDE

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Dhcp

Manages network configuration by registering and updating IP addresses and DNS names.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\services.exe

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DHCP Client

DEPENDENCIES : Tcpip

: Afd

: NetBT

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: dmadmin

Administrative service for disk management requests

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\dmadmin.exe /com

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Logical Disk Manager Administrative Service

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: dmserver

Logical Disk Manager Watchdog Service

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\services.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Logical Disk Manager

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Dnscache

Resolves and caches Domain Name System (DNS) names.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\services.exe

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DNS Client

DEPENDENCIES : Tcpip

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Eventlog

Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\services.exe

LOAD_ORDER_GROUP : Event log

TAG : 0

DISPLAY_NAME : Event Log

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: EventSystem

Provides automatic distribution of events to subscribing COM components.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : Network

TAG : 0

DISPLAY_NAME : COM+ Event System

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Fax

Helps you send and receive faxes

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\faxsvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Fax Service

DEPENDENCIES : TapiSrv

: RpcSs

: PlugPlay

: Spooler

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: lanmanserver

Provides RPC support and file, print, and named pipe sharing.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\services.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Server

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: lanmanworkstation

Provides network connections and communications.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\services.exe

LOAD_ORDER_GROUP : NetworkProvider

TAG : 0

DISPLAY_NAME : Workstation

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: LmHosts

Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\services.exe

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : TCP/IP NetBIOS Helper Service

DEPENDENCIES : NetBT

: Afd

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Lotus Notes Single Logon

(null)

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINNT\system32\nslsvice.exe

LOAD_ORDER_GROUP : Base

TAG : 0

DISPLAY_NAME : Lotus Notes Single Logon

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: McAfeeFramework

Shared component framework for McAfee products

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : McAfee Framework Service

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: McShield

(null)

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : "C:\Program Files\Network Associates\VirusScan\mcshield.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network Associates McShield

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: McTaskManager

(null)

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : "C:\Program Files\Network Associates\VirusScan\vstskmgr.exe"

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network Associates Task Manager

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Messenger

Sends and receives messages transmitted by administrators or by the Alerter service.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\services.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Messenger

DEPENDENCIES : LanmanWorkstation

: NetBIOS

: RpcSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: mnmsrvc

Allows authorized people to remotely access your Windows desktop using NetMeeting.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\mnmsrvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : NetMeeting Remote Desktop Sharing

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: MSDTC

Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\msdtc.exe

LOAD_ORDER_GROUP : MS Transactions

TAG : 0

DISPLAY_NAME : Distributed Transaction Coordinator

DEPENDENCIES : RPCSS

: SamSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: MSIServer

Installs, repairs and removes software according to instructions contained in .MSI files.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\MsiExec.exe /V

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Installer

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NetDDE

Provides network transport and security for dynamic data exchange (DDE).

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\netdde.exe

LOAD_ORDER_GROUP : NetDDEGroup

TAG : 0

DISPLAY_NAME : Network DDE

DEPENDENCIES : NetDDEDSDM

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NetDDEdsdm

Manages shared dynamic data exchange and is used by Network DDE

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\netdde.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network DDE DSDM

DEPENDENCIES :

: EGrLocalSystem

: Network DDE DSDM

: etwork DDE

: ted Transaction Coordinator

: Manager

: ee Framework Service

: y

: `

:

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Netlogon

Supports pass-through authentication of account logon events for computers in a domain.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe

LOAD_ORDER_GROUP : RemoteValidation

TAG : 0

DISPLAY_NAME : Net Logon

DEPENDENCIES : LanmanWorkstation

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Netman

Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network Connections

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NtLmSsp

Provides security to remote procedure call (RPC) programs that use transports other than named pipes.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : NT LM Security Support Provider

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: NtmsSvc

Manages removable media, drives, and libraries.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Removable Storage

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: O?’ŽrtñåȲ$Ó

(null)

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINNT\system32\sdksh32.exe /s

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network Security Service (NSS)

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: PlugPlay

Manages device installation and configuration and notifies programs of device changes.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\services.exe

LOAD_ORDER_GROUP : PlugPlay

TAG : 0

DISPLAY_NAME : Plug and Play

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: PolicyAgent

Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\lsass.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : IPSEC Policy Agent

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: ProtectedStorage

Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\services.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Protected Storage

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: PSEXESVC

(null)

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\PSEXESVC.EXE

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : PSEXESVC

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RasAuto

Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Access Auto Connection Manager

DEPENDENCIES : RasMan

: Tapisrv

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RasMan

Creates a network connection.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Access Connection Manager

DEPENDENCIES : Tapisrv

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RemoteAccess

Offers routing services to businesses in local area and wide area network environments.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 4 DISABLED

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Routing and Remote Access

DEPENDENCIES : RpcSS

: +NetBIOSGroup

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RemoteRegistry

Allows remote registry manipulation.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\regsvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Registry Service

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 0 seconds

FAILURE_ACTIONS : Restart DELAY: 1000 seconds

 

SERVICE_NAME: RpcLocator

Manages the RPC name service database.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\locator.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Procedure Call (RPC) Locator

DEPENDENCIES : LanmanWorkstation

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RpcSs

Provides the endpoint mapper and other miscellaneous RPC services.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\svchost -k rpcss

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Remote Procedure Call (RPC)

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: RSVP

Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\rsvp.exe -s

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : QoS RSVP

DEPENDENCIES : TcpIp

: Afd

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SamSs

Stores security information for local user accounts.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\lsass.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Security Accounts Manager

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SCardDrv

Provides support for legacy smart card readers attached to the computer.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINNT\System32\SCardSvr.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Smart Card Helper

DEPENDENCIES : +Smart Card Reader

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SCardSvr

Manages and controls access to a smart card inserted into a smart card reader attached to the computer.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINNT\System32\SCardSvr.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Smart Card

DEPENDENCIES : PlugPlay

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Schedule

Enables a program to run at a designated time.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\MSTask.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Task Scheduler

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: seclogon

Enables starting processes under alternate credentials

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINNT\system32\services.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : RunAs Service

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SENS

Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : Network

TAG : 0

DISPLAY_NAME : System Event Notification

DEPENDENCIES : EventSystem

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SetupService

(null)

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\SYSTEM32\EMPIRUM\Setupsvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Empirum-Agent

DEPENDENCIES : EventLog

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SharedAccess

Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Internet Connection Sharing

DEPENDENCIES : RasMan

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Spooler

Loads files to memory for later printing.

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\spoolsv.exe

LOAD_ORDER_GROUP : SpoolerGroup

TAG : 0

DISPLAY_NAME : Print Spooler

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: SysmonLog

Configures performance logs and alerts.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\smlogsvc.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Performance Logs and Alerts

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: TapiSrv

Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.

TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Telephony

DEPENDENCIES : PlugPlay

: RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: TlntSvr

Allows a remote user to log on to the system and run console programs using the command line.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\tlntsvr.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Telnet

DEPENDENCIES : RpcSs

: TcpIp

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: TrkWks

Sends notifications of files moving between NTFS volumes in a network domain.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\services.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Distributed Link Tracking Client

DEPENDENCIES : RpcSs

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: UPS

Manages an uninterruptible power supply (UPS) connected to the computer.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\ups.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Uninterruptible Power Supply

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: UtilMan

Starts and configures accessibility tools from one window

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\UtilMan.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Utility Manager

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: W32Time

Sets the computer clock.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\services.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Time

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: WinMgmt

Provides system management information.

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\WINNT\System32\WBEM\WinMgmt.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Management Instrumentation

DEPENDENCIES : RPCSS

SERVICE_START_NAME: LocalSystem

FAIL_RESET_PERIOD : 86400 seconds

FAILURE_ACTIONS : Restart DELAY: 60000 seconds

: Restart DELAY: 60000 seconds

 

SERVICE_NAME: WMDM PMSP Service

(null)

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\System32\mspmspsv.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : WMDM PMSP Service

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: Wmi

Provides systems management information to and from drivers.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\Services.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Windows Management Instrumentation Driver Extensions

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: wuauserv

Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\svchost.exe -k wugroup

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Automatic Updates

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

 

SERVICE_NAME: MATRIXFTPD

(null)

TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINNT\system32\EMPIRUM\xftpd.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Empirum-FTP Server

DEPENDENCIES :

SERVICE_START_NAME: LocalSystem

Share this post


Link to post
Share on other sites

Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process. With that in mind, read through the instructions and download all necessary files ahead of time. Opening IE may cause the fix to fail

 

1. Download AboutBuster. Unzip it to c:\aboutbuster but don't run it yet we'll do that later on down in this list in SAFE MODE.

2. Reboot to Safe Mode => How do I boot into safe mode?

3. Make sure your PC is configured to show hidden files. Open Windows Explorer & Go to "Tools" => "Folder Options". Click on the "View" tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK"

 

4. Next, go to Start => Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called

Network Security Service

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

5. Press control-alt-delete to get into the task manager and end the follow processes if they exist:

sdksh32.exe

 

6. Now close all open windows AND browsers, run HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\khdis.dll/sp.html#29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\khdis.dll/sp.html#29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\khdis.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\khdis.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\khdis.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\khdis.dll/sp.html#29126

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\khdis.dll/sp.html#29126

O2 - BHO: (no name) - {3086A6FD-849C-F546-AA1C-CFF0DA518FF5} - C:\WINNT\atles32.dll

O4 - HKLM\..\Run: [atlxb.exe] C:\WINNT\system32\atlxb.exe

O15 - Trusted Zone: *.05p.com

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.scoobidoo.com

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.slotch.com

 

7. Delete the following files if present (If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.):

 

C:\WINNT\khdis.dll

C:\WINNT\atles32.dll

C:\WINNT\system32\sdksh32.exe

C:\WINNT\system32\atlxb.exe

 

 

 

 

8.Next, we will remove the offending service. Go to Start->Run and type Regedit then click Ok.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

and highlight Services in the left pane. In the right pane, look for any these entries named as:

 

O?’ŽrtñåȲ$Ó

 

If any are listed, right-click that entry in the right pane and choose Delete.

 

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for any entries like this:

 

LEGACY O?’ŽrtñåȲ$Ó

 

If you find it, right-click it in the right-pane and choose delete.

If you have trouble deleting a key. Then click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

 

9. Browse to c:\aboutbuster and double click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.

10. Copy the contents of the Quote Box to Notepad. Name the file as fix.reg. Change the Save as Type to All Files. Save this file on the desktop

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

 

 

Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

 

11. Run Ad-Aware with the latest update.

  1. Download the latest version of Ad-Aware (Ad-Aware SE Build 1.03).
  2. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
  3. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
  4. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
  5. Once the definitions have been updated:
  6. Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • "Automatically save logfile"
      • Automatically quarrantine objects prior to removal"
      • Safe Mode (always request confirmation)
      • Prompt to update outdated confirmation) - Change to 7 days.

[*]Click the "Scanning" button (On the left side).

[*]Under Drives & Folders, select "Scan within Archives"

[*]Click "Click here to select Drives + folders" and select your installed hard drives.

[*]Under Memory & Registry, select all options.

[*]Click the "Advanced" button (On the left hand side).

[*]Under "Shell Integration", select "Move deleted files to Recycle Bin".

[*]Under "Log-file detail", select all options.

[*]Click on the "Defaults" button on the left.

[*]Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.

[*]Click the "Tweak" button (Again, on the left hand side).

[*]Expand "Scanning Engine" by clicking on the "+" (Plus) symbol) and select the following:

  • "Unload recognized processes during scanning."
  • "Obtain command line of scanned processes"
  • "Scan registry for all users instead of current user only"

[*]Under "Cleaning Engine", select the following:

  • "Always try to unload modules before deletion."
  • "During removal, unload explorer and IE if necessary"
  • "Let Windows remove files in use at next reboot."
  • "Delete quarrantined objects after restoring"

[*]Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"

[*]Click on "Proceed" to save these Preferences.

[*]Click on the "Scan Now" button on the left.

[*]Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".

[*]Close all programs except ad-aware.

[*]Click on "Next" in the bottom right corner to start the scan.

[*]Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.

[*]After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

12. Clean out temporary and temporary Internet files. Go to "Start" => "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "ok" to remove:

Temporary Files

Temporary Internet Files

Recycle Bin

13. Reboot to normal mode.

14. Replace Deleted Files

It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

 

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

 

Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'

Exit Program.

 

If you have Spybot S&D installed you may also need to replace one file.

Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

 

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the

second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.

 

15.Do an online scan at TrendMicro's site. Let it remove any infected files found.

16. Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review.

Share this post


Link to post
Share on other sites

Attached are the logfiles from aboutbuster and HJT. Everything appears to be back to normal. Thank you very much for your assistance. Please confirm that all looks well from the below logs. Tried to download control.exe, but appears the site is down currently. I will try later. Once again, thanks.

 

AboutBuster

 

Scanned at: 10:43:19 AM on: 9/8/2004

 

 

-- Scan 1 ---------------------------

About:Buster Version 3.0

Reference List : 15

 

No ADS found on system

Deleted 1 Service Keys Successfully!

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 ---------------------------

About:Buster Version 3.0

Reference List : 15

 

No ADS found on system

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

 

HJT

 

Logfile of HijackThis v1.97.7

Scan saved at 11:30:55 AM, on 9/8/2004

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\SYSTEM32\EMPIRUM\Setupsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\Empirum\PBackup.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\WINNT\system32\EMPIRUM\xftpd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\unzipped\hijackthis\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"

O4 - HKLM\..\Run: [_UserEnv] C:\WINNT\system32\EMPIRUM\env.exe

O4 - HKLM\..\Run: [RunSWDepot1] C:\WINNT\system32\EMPIRUM\SWDEPOT.EXE \\Hou-Apps03\Configurator$\User\SwDepot.dds /I /S /F

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

close all open windows AND browsers, run HijackThis and put checks next to all the following, then click "Fix Checked":

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

These items are considered to be resource hogs that are not needed and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them:

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

What is this Empirum program?

Did you install it?

Share this post


Link to post
Share on other sites

I went ahead and "fixed" the three listings you mentioned with HJT.

 

The Empirum program is a Global Desktop Management System. I did not install it, but was installed by someone else and it needs to stay in the listing, as it is a needed executable.

 

Appears everything is working properly now, so thanks again for your assistance.

Share this post


Link to post
Share on other sites

Your welcome

Glad we could help.

 

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

 

And also see TonyKlein's good advice

So how did I get infected in the first place?

 

Good luck :D

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0