marshallk9

about: blank and "warning, you're in danger"

14 posts in this topic

I tried several times to remove the about:blank myself. I still am unable to do so. I locked my homepage with spybot and it seems to be working for a short while now. However, I know that it's still lurking in there somewhere...

I also cannot get rid of the background on my desktop. It states "warning, you're in danger" and at the bottom it says to click here for removal instructions. When I start up the computer, my normal picture background is there, but when the desktop loads up it switches to this nuisance.

 

As always any help is greatly appreciated. I have run CWS, Adaware, and spybot. My HJT log is as follows:

 

Logfile of HijackThis v1.97.7

Scan saved at 3:53:40 PM, on 6/5/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\hphmon03.exe

C:\PROGRA~1\DAP\DAP.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\HPHipm09.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Handspring\HOTSYNC.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Marshall\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.yahoo.com

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: MoneySide (HKLM)

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7936.6543518519

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/ac4plus.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/M....cab?5,0,1730,0

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8A493747-DFDE-4638-9067-22B5FC4BAFCC}: NameServer = 151.201.0.39 151.201.0.38

 

Thanks for any help


About:blank is back taking over my homepage, and now it won't let me get into Internet Options either. It says "This operation has been cancelled due to restrictions on your computer. Please contact your system administrator." (I am my system administrator.)

 

Please help me if you can!!!!!!!


Ran everything in safe mode and here is the new HJT log. I really hope that someone can help me.

 

Logfile of HijackThis v1.97.7

Scan saved at 9:58:20 AM, on 6/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\hphmon03.exe

C:\PROGRA~1\DAP\DAP.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Handspring\HOTSYNC.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\HPHipm09.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Marshall\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: MoneySide (HKLM)

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7936.6543518519

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/ac4plus.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/M....cab?5,0,1730,0

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8A493747-DFDE-4638-9067-22B5FC4BAFCC}: NameServer = 151.201.0.39 151.201.0.38


In hijackthis fix checked:

 

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

*R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

*O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

*O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

*O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

 

Download and install 'Find-all.exe' from any of the links in my signature!

Follow instructions, run 'Find-All.cmd' file, post the log here!

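To show what a helper's triage of these HijackThis logs looks like as code, here is an added example (not from the thread, HijackThis or Find-All) that parses the R/O entry lines and flags the entry classes ticked for fixing above; the DPF host allowlist and the sample log lines are constructed for it, modelled on the second log posted.

```python
"""Triage helper for HijackThis 1.97-style logs like the ones in this thread.

Added example; not part of HijackThis, Find-All or any post above. It mirrors
the entry classes the helper ticked: the R1 about:blank entry, the R3
URLSearchHook with no backing file, the O6 IE policy restrictions, and O16
DPF ActiveX downloads from hosts outside an allowlist. The allowlist and the
sample log lines are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the second HijackThis log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A493747-DFDE-4638-9067-22B5FC4BAFCC}: NameServer = 151.201.0.39 151.201.0.38
"""

# Allowlist of DPF download hosts, constructed for this example from the
# vendor hosts seen in the thread's logs; tune it to your own environment.
TRUSTED_DPF_HOSTS = {
    "ftp.us.dell.com",
    "v4.windowsupdate.microsoft.com",
    "download.yahoo.com",
    "photos.msn.com",
    "download.macromedia.com",
}

# A HijackThis entry line is "<kind> - <body>", e.g. "O6 - HKCU\...\Restrictions present".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return (kind, body) tuples for every HijackThis entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def dpf_host(body):
    """Host part of an O16 DPF body: '{CLSID} (Name) - http://host/file.cab'."""
    url = body.rsplit(" - ", 1)[-1].strip()
    return (urlparse(url).hostname or "").lower()


def triage(log_text, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Classify entries as 'fix' or 'review' with a reason; benign ones are skipped."""
    findings = []
    for kind, body in parse_entries(log_text):
        entry = f"{kind} - {body}"
        if kind in ("R0", "R1") and body.lower().endswith("= about:blank"):
            findings.append(("fix", "IE page forced to about:blank (hijack signature in this thread)", entry))
        elif kind == "R3" and body.endswith("(no file)"):
            findings.append(("fix", "URLSearchHook whose DLL no longer exists", entry))
        elif kind == "O6" and "\\Policies\\Microsoft\\Internet Explorer\\" in body:
            findings.append(("fix", "IE policy restriction in HKCU (locks Internet Options)", entry))
        elif kind == "O16" and dpf_host(body) not in trusted_hosts:
            findings.append(("fix", f"ActiveX download from unlisted host {dpf_host(body)}", entry))
        elif kind == "O17":
            findings.append(("review", "TCP/IP NameServer set; confirm these are the ISP's DNS servers", entry))
    return findings


def lines_to_fix(log_text):
    """The entry lines a helper would tick in HijackThis, in log order."""
    return [entry for verdict, _reason, entry in triage(log_text) if verdict == "fix"]


if __name__ == "__main__":
    for verdict, reason, entry in triage(SAMPLE_LOG):
        print(f"[{verdict:6}] {reason}\n         {entry}")
```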

I think that I did this correctly, but I am not sure. I downloaded, unzipped and ran the file. It appeared to be the DOS command prompt window running and then asked me to view the log when it was complete. That is what I am posting. Thanks so much for your help.

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--

 

 

Sun Jun 06 11:58:12 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "Local Disk" (5CA0:3EF2) - FS:NTFS clusters:4k

Total: 80 015 491 072 [75G] - Free: 67 399 028 736 [63G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q824145;Q330994;Q832894;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-18-2001 regedt32.exe

 

 

»»PC uptime:

11:58am up 0 days, 1:34

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error

\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

400 smss.exe

496 csrss.exe Title:

524 winlogon.exe Title: NetDDE Agent

584 services.exe Svcs: Eventlog,PlugPlay

596 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

788 svchost.exe Svcs: RpcSs

868 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,win

1004 svchost.exe Svcs: Dnscache

1044 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient

1160 CCSETMGR.EXE Svcs: ccSetMgr

1192 CCEVTMGR.EXE Svcs: ccEvtMgr

1348 spoolsv.exe Svcs: Spooler

1628 explorer.exe Title: Program Manager

1732 Directcd.exe Title: DirectCD

1752 hpztsb04.exe Title:

1760 hphmon03.exe Title: HP Photosmart Printer Series

1768 DAP.exe Title: Dialog

1780 CCAPP.EXE Title: Norton AntiVirus

1816 WkUFind.exe

1880 WinPatrol.exe Title: WinPatrol

1972 WkCalRem.exe Title: HOMESUITE:ADVSVR

1720 alg.exe Svcs: ALG

128 NAVAPSVC.EXE Svcs: navapsvc

144 nvsvc32.exe Svcs: NVSvc

344 SAVSCAN.EXE Svcs: SAVScan

536 svchost.exe Svcs: stisvc

2004 symlcsvc.exe Svcs: Symantec Core LC

2092 hphipm09.exe Svcs: Pml Driver

2516 iexplore.exe Title: SWI Forums -> about: blank and "warning, you're in danger" - Microsoft Internet Explorer

1492 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

4024 ntvdm.exe

1488 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access MARSHALL-OBEA46\Marshall

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access MARSHALL-OBEA46\Marshall

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Group/user settings:

 

 

User: [MARSHALL-OBEA46\Marshall], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group MARSHALL-OBEA46\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

MARSHALL-OBEA46\Marshall:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

R C:\WINDOWS\System32\Drivers\etc\hosts

-r--- - - - - - 0 04-11-2004 hosts

------

»»Rehash:

 

»Strings found:

 

Sun Jun 06 11:58:55 2004 -- ++Find-All backups:

c:\docume~1\marshall\desktop\unused~1\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-06-2004 winbackup.hiv

c:\docume~1\marshall\desktop\unused~1\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-06-2004 windows.txt

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-06-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Also, I am not sure how I did this, but I tried to erase the file that was causing the background to change. Now it is a white background that changes to that warning message only when my mouse pointer is over an icon. Thanks again


You seem to have the 'classic' pest there!

-FIRST--

And before doing anything else, go to System Restore, make sure it's active and create a manual restore point as a safety procedure.

Next, follow these steps carefully:

Your Windows registry is set to open this key directly:

*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

--Go to Start/run/type: regedit

The registry should open with the Windows Subfolder hilited. (*compare and be sure the path on the status bar is the same as indicated above!)

--RightClick on the Windows Subfolder, and rename Windows as Windows1

--Locate the "AppInit_DLLs" value on the right pane, RightClick it and select -> 'delete'

--Select the Windows1 on the left pane again and rename it back to its original name, Windows

--Use the top regedit menu view->refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

--Close regedit, *restart computer!

--Navigate to the System32 folder, Search for the System32\HLP.DLL file, hilite it and use the folder's top menu option: "Edit-> Move to folder..." Browse to and select: C:\junkxxx folder. (It was created during the first 'Find-All' run.) 'ok' it.

---Re-run 'Find-All.cmd' and post the new log!


Did as advised (thank you so much again for your help), here is the new log:

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--

 

 

Sun Jun 06 12:36:49 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "Local Disk" (5CA0:3EF2) - FS:NTFS clusters:4k

Total: 80 015 491 072 [75G] - Free: 67 413 893 120 [63G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q824145;Q330994;Q832894;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-18-2001 regedt32.exe

 

 

»»PC uptime:

12:36am up 0 days, 0:06

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error

\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error

* result\\?\C:\junkxxx\HLP.DLL

 

 

»»Tasks (services):

0 System Process

4 System

436 smss.exe

500 csrss.exe Title:

532 winlogon.exe Title: NetDDE Agent

580 services.exe Svcs: Eventlog,PlugPlay

592 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

752 svchost.exe Svcs: RpcSs

816 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,win

964 svchost.exe Svcs: Dnscache

992 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient

1076 CCSETMGR.EXE Svcs: ccSetMgr

1096 CCEVTMGR.EXE Svcs: ccEvtMgr

1244 spoolsv.exe Svcs: Spooler

1344 alg.exe Svcs: ALG

1376 NAVAPSVC.EXE Svcs: navapsvc

1428 nvsvc32.exe Svcs: NVSvc

1468 SAVSCAN.EXE Svcs: SAVScan

1536 svchost.exe Svcs: stisvc

1556 symlcsvc.exe Svcs: Symantec Core LC

2000 explorer.exe Title: Program Manager

352 Directcd.exe Title: DirectCD

368 hpztsb04.exe Title:

376 hphmon03.exe Title: HP Photosmart Printer Series

400 DAP.exe Title: Dialog

408 CCAPP.EXE Title: Norton AntiVirus

1792 WkUFind.exe

2016 WinPatrol.exe Title: WinPatrol

2240 hphipm09.exe Svcs: Pml Driver

2312 WkCalRem.exe Title: HOMESUITE:ADVSVR

2992 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

3020 ntvdm.exe

3044 msmsgs.exe Title:

3828 iexplore.exe Title: My Yahoo! - Microsoft Internet Explorer

648 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access MARSHALL-OBEA46\Marshall

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access MARSHALL-OBEA46\Marshall

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

 

»»Group/user settings:

 

 

User: [MARSHALL-OBEA46\Marshall], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group MARSHALL-OBEA46\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

MARSHALL-OBEA46\Marshall:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

C:\junkxxx\hlp.dll BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

MARSHALL-OBEA46\Marshall:F

BUILTIN\Users:R

 

 

»»File(s) in 'junkxxx' folder:

-ra-- W32i - - - - 57,344 04-20-2004 hlp.dll

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

c185b36f9969d3a6d2122ba7cbc02249 hlp.dll

 

57344 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

R C:\WINDOWS\System32\Drivers\etc\hosts

-r--- - - - - - 0 04-11-2004 hosts

------

»»Rehash:

File: <C:\junkxxx\hlp.dll>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436 199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135 C8BECB6F 2DB242DA 5945C134 A7E3D9B9

»Strings found:

C:\junkxxx\hlp.dll: InstallStreamingDevice

C:\junkxxx\hlp.dll: StreamingDeviceSetup

C:\junkxxx\hlp.dll: StreamingDeviceSetup2

 

Sun Jun 06 12:37:01 2004 -- ++Find-All backups:

 

 

c:\docume~1\marshall\desktop\unused~1\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-06-2004 winbackup.hiv

c:\docume~1\marshall\desktop\unused~1\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-06-2004 windows.txt

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-06-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


So far so good, but there is a strange enigma on your current log:

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error

\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error

* result\\?\C:\junkxxx\HLP.DLL

 

The 'hlp.dll' you moved has positive identification.

I'm not sure about the other pest there!

 

Run a search on your drive for this file:

WINDOWS\System32\WDMOPL.DLL

And see if it is found anywhere!

 

If found, move it to the same 'junkxxx' folder.

If not, ignore it for now!

 

For now just restart your computer again,

and follow up on these steps:

--Open the 'Find-All'\Tools Subfolder.

DoubleClick once on: "ZIPZAP.bat" file!

 

It will quickly/Silently do this:

*Restore your key &Security

back to defaults

*Reset permissions on the junkxxx\*.dll moved file

*Create zipped copy in the same folder: "junkxxx.zip"

*Open your email client with given addresses for submission!

 

--Drag the 'junkxxx.zip' and submit the

attachment to the specified addresses, thanks!

 

When done, delete the "junkxxx.zip" in the 'Find-All' folder!

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next, you need to clear all the elements the hijacker

downloaded!

Run these tools (whether used before or not!), as

they should work properly now.

Have them fix all problems:

*Ad-Aware 6 Build 181:

http://www.lavasoftusa.com/software/adaware/

 

*Latest reference file :

http://www.lavasoftsupport.com/index.php?showtopic=28310

 

How To: Perform a "Full Scan" With Ad-aware 6 Build 181

http://www.lavahelp.com/howto/fullscan/index.html

 

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

 

When done with the above, post

another hijackthis log and another

Find-All log!
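The things the helper checks first in a Find-All log (locked or 'suspect' files, what was moved into junkxxx and its MD5, whether AppInit_DLLs is back to empty, and the 'Windows' key size legend the tool prints) can be pulled out of the log text automatically. The script below is an added example written for this thread; it is not part of Find-All, HijackThis or any post here. The two sample logs it parses are constructed from lines quoted in this thread; the non-empty AppInit_DLLs value in the "before" sample is made up to show what a pre-cleanup log would look like, and the key size 448 in that sample is likewise constructed from the tool's own legend.

```python
"""Parse a Find-All style log and report what a helper looks at first.

Added example for this thread; not part of Find-All, HijackThis or any post.
Samples are constructed from lines quoted in the thread.
"""
import re

# Constructed "before cleanup" sample: hlp.dll already moved to junkxxx, but
# AppInit_DLLs still points at it (made-up value) and the key size is off.
SAMPLE_BEFORE = r"""
»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error
* result\\?\C:\junkxxx\HLP.DLL

»»Md5sums
c185b36f9969d3a6d2122ba7cbc02249 hlp.dll

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\hlp.dll"
"""

# Constructed "after cleanup" sample, matching the second log in the thread.
SAMPLE_AFTER = r"""
»»Locked or 'Suspect' file(s) found...

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"""

WINDOWS_KEY_DEFAULT_SIZE = 450  # "Default-450" in the tool's own legend line

SUSPECT_RE = re.compile(r"^(\\\\\?\\.+?)\s+\+\+\+\s+(.+)$")   # \\?\path +++ error
MOVED_RE = re.compile(r"^\* result(\\\\\?\\.+)$")              # * result\\?\path
MD5_RE = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+)$")            # <md5> <file>
KEYSIZE_RE = re.compile(r"^Size of (.+): (\d+)$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')                # REG_SZ values only


def parse_find_all(text):
    """Extract suspect files, moved files, MD5 sums, key size and REG_SZ values."""
    report = {"suspect": [], "moved": [], "md5": {}, "reg": {}, "windows_key_size": None}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUSPECT_RE.match(line):
            entry = (m.group(1), m.group(2))
            if entry not in report["suspect"]:  # Find-All prints each hit twice
                report["suspect"].append(entry)
        elif m := MOVED_RE.match(line):
            report["moved"].append(m.group(1))
        elif m := MD5_RE.match(line):
            report["md5"][m.group(2).lower()] = m.group(1).lower()
        elif m := KEYSIZE_RE.match(line):
            report["windows_key_size"] = int(m.group(2))
        elif m := REG_KEY_RE.match(line):
            current_key = m.group(1)
            report["reg"].setdefault(current_key, {})
        elif (m := REG_VAL_RE.match(line)) and current_key:
            # .reg exports double every backslash inside REG_SZ data
            report["reg"][current_key][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return report


def appinit_value(report):
    """AppInit_DLLs data from the 'Windows' key, or None if the key was not dumped."""
    for key, values in report["reg"].items():
        if key.lower().endswith("\\currentversion\\windows"):
            return values.get("AppInit_DLLs")
    return None


def findings(report):
    """Human-readable list of the points a helper would comment on."""
    out = []
    for path, err in report["suspect"]:
        out.append(f"locked/suspect file: {path} ({err})")
    for path in report["moved"]:
        name = path.rsplit("\\", 1)[-1].lower()
        out.append(f"quarantined in junkxxx: {path} md5={report['md5'].get(name, 'n/a')}")
    value = appinit_value(report)
    if value is None:
        out.append("AppInit_DLLs value absent")
    elif value.strip():
        out.append(f"AppInit_DLLs is set: {value}")
    else:
        out.append("AppInit_DLLs is empty (expected default)")
    size = report["windows_key_size"]
    if size is not None and size != WINDOWS_KEY_DEFAULT_SIZE:
        out.append(f"'Windows' key size {size} differs from the tool's default {WINDOWS_KEY_DEFAULT_SIZE}")
    return out


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"--- {label} ---")
        for line in findings(parse_find_all(sample)):
            print(line)
```

Run it on a saved Find-All log instead of the samples by reading the file into `parse_find_all`; a non-empty AppInit_DLLs line or a 'Windows' key size away from 450 is exactly what the second log in this thread no longer shows.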


Thanks. Sorry about the delay, I had a graduation I had to go to. Here are the new logs after following the above directions:

 

Logfile of HijackThis v1.97.7

Scan saved at 6:46:33 PM, on 6/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\hphmon03.exe

C:\PROGRA~1\DAP\DAP.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\System32\HPHipm09.exe

C:\Documents and Settings\Marshall\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: MoneySide (HKLM)

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...iuctl.CAB?37936.6543518519

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/ac4plus.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/M....cab?5,0,1730,0

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8A493747-DFDE-4638-9067-22B5FC4BAFCC}: NameServer = 151.201.0.39 151.201.0.38

 

The VX2 is next and is as follows (first time using it, so I hope it is the right one):

 

Log for VX2.BetterInternet File Finder

 

Files Found---

 

 

Guardian Key--- is called:

 

User Agent String---

 

Last is the Find-all log:

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--

 

 

Sun Jun 06 18:54:23 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "Local Disk" (5CA0:3EF2) - FS:NTFS clusters:4k

Total: 80 015 491 072 [75G] - Free: 67 416 432 640 [63G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q824145;Q330994;Q832894;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-18-2001 regedt32.exe

 

 

»»PC uptime:

6:54pm up 0 days, 0:38

 

»»Locked or 'Suspect' file(s) found...

 

 

»»Tasks (services):

0 System Process

4 System

392 smss.exe

496 csrss.exe Title:

540 winlogon.exe Title: NetDDE Agent

584 services.exe Svcs: Eventlog,PlugPlay

596 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

756 svchost.exe Svcs: RpcSs

808 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,

elpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,S

aredAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmg

,W32Time,win

952 svchost.exe Svcs: Dnscache

984 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient

1080 CCSETMGR.EXE Svcs: ccSetMgr

1100 CCEVTMGR.EXE Svcs: ccEvtMgr

1248 spoolsv.exe Svcs: Spooler

1348 alg.exe Svcs: ALG

1380 NAVAPSVC.EXE Svcs: navapsvc

1416 nvsvc32.exe Svcs: NVSvc

1476 SAVSCAN.EXE Svcs: SAVScan

1544 svchost.exe Svcs: stisvc

1560 symlcsvc.exe Svcs: Symantec Core LC

252 explorer.exe Title: Program Manager

108 Directcd.exe Title: DirectCD

708 hpztsb04.exe Title:

784 hphmon03.exe Title: HP Photosmart Printer Series

796 DAP.exe Title: Dialog

804 CCAPP.EXE Title: Norton AntiVirus

892 WkUFind.exe

904 WinPatrol.exe Title: WinPatrol

1912 WkCalRem.exe Title: HOMESUITE:ADVSVR

1652 hphipm09.exe Svcs: Pml Driver

2524 HijackThis.exe Title: HijackThis

336 NOTEPAD.EXE Title: 6-6-04HJT log 6-45pm - Notepad

2188 iexplore.exe Title: SWI Forums -> about: blank and "warning, you're in danger" - Microsoft Internet Explorer

3680 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

3704 ntvdm.exe

3888 msmsgs.exe Title:

3652 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access MARSHALL-OBEA46\Marshall

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access MARSHALL-OBEA46\Marshall

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Group/user settings:

 

 

User: [MARSHALL-OBEA46\Marshall], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group MARSHALL-OBEA46\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

MARSHALL-OBEA46\Marshall:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

R C:\WINDOWS\System32\Drivers\etc\hosts

-r--- - - - - - 0 04-11-2004 hosts

------

»»Rehash:

 

»Strings found:

 

Sun Jun 06 18:54:47 2004 -- ++Find-All backups:

c:\docume~1\marshall\desktop\unused~1\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-06-2004 winbackup.hiv

c:\docume~1\marshall\desktop\unused~1\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-06-2004 windows.txt

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-06-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


It seems that my about:blank problem is gone... thanks so much. Do you have any idea on how to help me with the background? I do not have the warning sign any longer, but I now just have a white background. When I right click it shows under properties: file://C:\WINDOWS\Web\desktop.html

When I go all the way to the very top edge of the screen I can right click and get the menu for changing the background, etc., but it doesn't change the appearance of the desktop.

 

Thanks again for all of your help with the nasty about:blank thing. It is a real pain in a@$
