about: blank and "warning, you're in danger"


13 replies to this topic

#1 marshallk9

marshallk9

    Member

  • Full Member
  • 15 posts

Posted 05 June 2004 - 02:59 PM

I tried several times to remove the about:blank myself. I still am unable to do so. I locked my homepage with Spybot and it seems to be working for a short while now. However, I know that it's still lurking in there somewhere...

I also cannot get rid of the background on my desktop. It states "warning, you're in danger"; at the bottom it says to click here for removal instructions. When I start up the computer, my normal picture background is there, but when the desktop loads up it switches to this nuisance.

As always, any help is greatly appreciated. I have run CWS, Ad-Aware, and Spybot. My HJT log is as follows:

Logfile of HijackThis v1.97.7
Scan saved at 3:53:40 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Marshall\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.yahoo.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7936.6543518519
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yaho...ail/ac4plus.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.co....cab?5,0,1730,0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A493747-DFDE-4638-9067-22B5FC4BAFCC}: NameServer = 151.201.0.39 151.201.0.38

Thanks for any help

#2 marshallk9

marshallk9

    Member

  • Full Member
  • 15 posts

Posted 06 June 2004 - 07:27 AM

About:blank is back taking over my homepage, and now it won't let me get into Internet Options either. It says "This operation has been cancelled due to restrictions on your computer. Please contact your system administrator." (I am my system administrator.)

Please help me if you can!!!!!!!

#3 marshallk9

marshallk9

    Member

  • Full Member
  • 15 posts

Posted 06 June 2004 - 09:03 AM

Ran everything in safe mode and here is the new HJT log. I really hope that someone can help me.

Logfile of HijackThis v1.97.7
Scan saved at 9:58:20 AM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Marshall\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7936.6543518519
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yaho...ail/ac4plus.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.co....cab?5,0,1730,0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A493747-DFDE-4638-9067-22B5FC4BAFCC}: NameServer = 151.201.0.39 151.201.0.38

#4 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 06 June 2004 - 10:13 AM

In HijackThis, fix checked:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
*R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
*O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
*O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
*O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab

Download and install 'Find-all.exe' from any of the links in my signature!
Follow the instructions, run the 'Find-All.cmd' file, and post the log here!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image
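The five entries freeatlast picks out above are the standard about:blank triage: the HomeOldSP value, a URLSearchHook whose file is gone, the two IE policy keys behind the "restrictions on your computer" message, and one unrecognised ActiveX download. The script below is an added example, not part of this thread or of HijackThis; it applies those rules (plus a Temp-folder check on O4 autorun entries) to a HijackThis log. The trusted-host list, the Temp heuristic, and the sample lines marked as constructed are assumptions made for the example.

```python
"""Triage a HijackThis v1.9x log the way a forum helper does: pull out the
entry types that point at a browser hijacker before anything is 'fixed'.

Added example for this thread, not part of HijackThis or of the original
posts.  SAMPLE_LOG mixes lines copied from the log posted above with
constructed lines (marked) so the script runs offline."""
import re
from urllib.parse import urlsplit

# Assumption for the example: download hosts whose ActiveX (O16) entries are
# accepted without review.  Everything else is reported.
O16_TRUSTED_HOSTS = ("windowsupdate.microsoft.com", "macromedia.com")

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
O16_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\} \((?P<name>[^)]*)\) - (?P<url>\S+)")
SEVERITY_ORDER = {"high": 0, "review": 1, "info": 2}


def _host_trusted(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in O16_TRUSTED_HOSTS)


def triage_line(line):
    """Classify one HijackThis entry; returns (severity, reason) or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    low = body.lower()
    if kind in ("R0", "R1"):
        # HomeOldSP, or a start/search page at about:blank or res://<dll>,
        # is the CoolWebSearch about:blank signature.
        if "homeoldsp" in low or "about:blank" in low or "res://" in low:
            return "high", "IE start/search page set to about:blank or a res:// DLL page"
    elif kind == "R3":
        # A URLSearchHook whose DLL no longer exists is a leftover hijacker hook.
        if "(no file)" in low:
            return "review", "URLSearchHook with missing DLL (orphaned hook)"
    elif kind == "O4":
        # Autorun entries launched from a Temp folder are rarely legitimate.
        if "\\temp\\" in low or "\\local settings\\temp" in low:
            return "high", "Run entry starts a program from a Temp folder"
    elif kind == "O6":
        # These policy keys produce 'This operation has been cancelled due to
        # restrictions on your computer'; expected only on domain-managed PCs.
        return "high", "IE policy restrictions present"
    elif kind == "O16":
        dm = O16_RE.search(body)
        if dm and not _host_trusted(dm.group("url")):
            host = urlsplit(dm.group("url")).hostname
            return "review", f"ActiveX control '{dm.group('name')}' downloaded from {host}"
    elif kind == "O17":
        return "info", "Non-default DNS servers; confirm they belong to the ISP"
    return None


def triage(log_text):
    """Return the flagged entries as dicts, most severe first."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            severity, reason = hit
            findings.append({"severity": severity, "type": line.split(" - ", 1)[0].strip(),
                             "reason": reason, "line": line.strip()})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable sort
    return findings


# R0/R1/R3/O2/O6/O17 and the ccApp O4 line are copied from the log above; the
# svcupd O4 line and both O16 URLs are constructed for the example.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [svcupd] C:\Documents and Settings\User\Local Settings\Temp\svcupd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.example/MediaTicketsInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A493747-DFDE-4638-9067-22B5FC4BAFCC}: NameServer = 151.201.0.39 151.201.0.38
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['type']:3} {f['reason']}\n         {f['line']}")
```

Run against the sample, the script flags exactly what the helper fixed (R1, R3, both O6 lines, the MediaTickets O16) plus the constructed Temp-folder autorun, and leaves the Yahoo start page, the Norton BHO, ccApp and the Flash control alone. The O17 line is reported at "info" only, because the DNS servers in the thread belong to the user's ISP and the helper left them in place.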

#5 marshallk9

marshallk9

    Member

  • Full Member
  • 15 posts

Posted 06 June 2004 - 11:02 AM

I think that I did this correctly, but I am not sure. I downloaded, unzipped and ran the file. It appeared to be the DOS command prompt window running, and then it asked me to view the log when it was complete. That is what I am posting. Thanks so much for your help.

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--


Sun Jun 06 11:58:12 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "Local Disk" (5CA0:3EF2) - FS:NTFS clusters:4k
Total: 80 015 491 072 [75G] - Free: 67 399 028 736 [63G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q824145;Q330994;Q832894;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-18-2001 regedt32.exe


»»PC uptime:
11:58am up 0 days, 1:34

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
400 smss.exe
496 csrss.exe Title:
524 winlogon.exe Title: NetDDE Agent
584 services.exe Svcs: Eventlog,PlugPlay
596 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
788 svchost.exe Svcs: RpcSs
868 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,win
1004 svchost.exe Svcs: Dnscache
1044 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient
1160 CCSETMGR.EXE Svcs: ccSetMgr
1192 CCEVTMGR.EXE Svcs: ccEvtMgr
1348 spoolsv.exe Svcs: Spooler
1628 explorer.exe Title: Program Manager
1732 Directcd.exe Title: DirectCD
1752 hpztsb04.exe Title:
1760 hphmon03.exe Title: HP Photosmart Printer Series
1768 DAP.exe Title: Dialog
1780 CCAPP.EXE Title: Norton AntiVirus
1816 WkUFind.exe
1880 WinPatrol.exe Title: WinPatrol
1972 WkCalRem.exe Title: HOMESUITE:ADVSVR
1720 alg.exe Svcs: ALG
128 NAVAPSVC.EXE Svcs: navapsvc
144 nvsvc32.exe Svcs: NVSvc
344 SAVSCAN.EXE Svcs: SAVScan
536 svchost.exe Svcs: stisvc
2004 symlcsvc.exe Svcs: Symantec Core LC
2092 hphipm09.exe Svcs: Pml Driver
2516 iexplore.exe Title: SWI Forums -> about: blank and "warning, you're in danger" - Microsoft Internet Explorer
1492 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
4024 ntvdm.exe
1488 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access MARSHALL-OBEA46\Marshall
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access MARSHALL-OBEA46\Marshall




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Group/user settings:


User: [MARSHALL-OBEA46\Marshall], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group MARSHALL-OBEA46\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
MARSHALL-OBEA46\Marshall:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 0 04-11-2004 hosts
------
»»Rehash:

»Strings found:

Sun Jun 06 11:58:55 2004 -- ++Find-All backups:
c:\docume~1\marshall\desktop\unused~1\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-06-2004 winbackup.hiv
c:\docume~1\marshall\desktop\unused~1\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-06-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-06-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#6 marshallk9

marshallk9

    Member

  • Full Member
  • 15 posts

Posted 06 June 2004 - 11:06 AM

Also, I am not sure how I did this, but I tried to erase the file that was causing the background to change. Now it is a white background that changes to that warning message only when my mouse pointer is over an icon. Thanks again.

#7 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 06 June 2004 - 11:19 AM

You seem to have the 'classic' pest there!

-FIRST--
Before doing anything else, go to System Restore, make sure it's active, and create a manual restore point as a safety precaution.

Next, follow these steps carefully:

Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

--Go to Start/Run and type:
regedit
The registry should open with the Windows subfolder highlighted.
(*Compare and be sure the path on the status bar is the same as indicated above!)

--Right-click on the Windows subfolder and rename Windows to Windows1.

--Locate the "AppInit_DLLs" value in the right pane, right-click it and select 'Delete'.

--Select Windows1 in the left pane again and rename it back to its original name, Windows.

--Use regedit's top menu View->Refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

--Close regedit, *restart the computer!

--Navigate to the System32 folder, search for the System32\HLP.DLL file, highlight it and use the folder's top menu option "Edit-> Move to folder...". Browse to and select the C:\junkxxx folder (it was created during the first 'Find-All' run) and 'OK' it.

---Re-run 'Find-All.cmd' and post the new log!
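The rename-and-delete sequence above targets the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: every DLL named there is loaded by user32.dll into each process that loads user32, which is how the hijacker keeps coming back after the browser settings are fixed. Find-All's REGEDIT4 dump of that key and its size check (448, the "Fake" size, in the first log; 398 after the fix) are what the helper reads. As an added example, not part of the thread or of Find-All, the Python below parses such a .reg export and reports on AppInit_DLLs: absent, empty, or set, which DLLs are listed, and any value name the stock key should not carry. The first sample is the export from the first Find-All log above; the second is constructed, with a hypothetical DLL name and a look-alike value name. An export only contains what the registry editor can enumerate, so a clean result here is a first check, not proof that the key is clean; the size comparison in the thread exists for that reason.

```python
"""Audit the AppInit_DLLs value in a .reg export of
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.

Added example for this thread, not part of Find-All or of the posts.  It
works on exported text (from 'regedit /e' or 'reg export'), so it runs
anywhere."""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Value names a stock Windows XP key carries (the REGEDIT4 block in the first
# Find-All log lists exactly these), plus the switches later Windows added.
EXPECTED_NAMES = {n.lower() for n in (
    "DeviceNotSelectedTimeout", "GDIProcessHandleQuota", "Spooler", "swapdisk",
    "TransmissionRetryTimeout", "USERProcessHandleQuota", "AppInit_DLLs",
    "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs")}

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode(data, wide):
    """Right-hand side of a .reg line -> str / int / bytes."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ stored as hex
            return raw.decode("utf-16-le" if wide else "latin-1").rstrip("\x00")
        return raw
    return data


def parse_reg_export(text):
    """Parse a REGEDIT4 or 'Version 5.00' export into {key: {name: data}}.
    REGEDIT4 stores hex strings as ANSI bytes, Version 5.00 as UTF-16-LE."""
    lines = text.splitlines()
    wide = bool(lines) and lines[0].strip().startswith("Windows Registry Editor")
    keys, current, i = {}, None, 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        while data.endswith("\\") and i < len(lines):  # hex data continuation lines
            data = data[:-1] + lines[i].strip()
            i += 1
        keys[current][name] = _decode(data, wide)
    return keys


def audit_appinit(export):
    """Status 'absent' / 'empty' (XP default) / 'set', the DLLs listed, value
    names the stock key should not have, and LoadAppInit_DLLs if present."""
    values = export.get(WINDOWS_KEY, {})
    by_lower = {n.lower(): d for n, d in values.items()}
    report = {"status": "absent", "dlls": [], "unexpected_names": [], "load_enabled": None}
    if "appinit_dlls" in by_lower:
        # Space- or comma-separated; paths with spaces must be given in 8.3 form.
        dlls = [d for d in re.split(r"[\s,]+", str(by_lower["appinit_dlls"])) if d]
        report["status"] = "set" if dlls else "empty"
        report["dlls"] = dlls
    report["unexpected_names"] = [n for n in values if n != "@" and n.lower() not in EXPECTED_NAMES]
    if "loadappinit_dlls" in by_lower:
        report["load_enabled"] = by_lower["loadappinit_dlls"] != 0
    return report


# Copied from the first Find-All log above: AppInit_DLLs present but empty.
EXPORT_FROM_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""
"""

# Constructed, not from the thread: a hypothetical hook DLL, LoadAppInit_DLLs
# switched on, and a look-alike value name with a trailing space.
EXPORT_CONSTRUCTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\example_hook.dll"
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs "="C:\\WINDOWS\\System32\\second_hook.dll"
"USERProcessHandleQuota"=dword:00002710
"""

if __name__ == "__main__":
    for label, text in (("from log", EXPORT_FROM_LOG), ("constructed", EXPORT_CONSTRUCTED)):
        print(label, audit_appinit(parse_reg_export(text)))
```

On the export from the thread the audit reports "empty" with nothing unexpected, matching what regedit showed the poster even while Find-All's size check still said the key was not clean; on the constructed export it reports "set", names the DLL, flags the look-alike name, and notes that loading is enabled. Names are compared case-insensitively because the registry itself is, so a value spelled "appinit_dlls" is the same value to Windows, while one with a trailing space is not.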

#8 marshallk9

marshallk9

    Member

  • Full Member
  • 15 posts

Posted 06 June 2004 - 11:38 AM

Did as advised (thank you so much again for your help); here is the new log:

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--


Sun Jun 06 12:36:49 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "Local Disk" (5CA0:3EF2) - FS:NTFS clusters:4k
Total: 80 015 491 072 [75G] - Free: 67 413 893 120 [63G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q824145;Q330994;Q832894;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-18-2001 regedt32.exe


»»PC uptime:
12:36am up 0 days, 0:06

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error
* result\\?\C:\junkxxx\HLP.DLL


»»Tasks (services):
0 System Process
4 System
436 smss.exe
500 csrss.exe Title:
532 winlogon.exe Title: NetDDE Agent
580 services.exe Svcs: Eventlog,PlugPlay
592 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
752 svchost.exe Svcs: RpcSs
816 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,win
964 svchost.exe Svcs: Dnscache
992 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient
1076 CCSETMGR.EXE Svcs: ccSetMgr
1096 CCEVTMGR.EXE Svcs: ccEvtMgr
1244 spoolsv.exe Svcs: Spooler
1344 alg.exe Svcs: ALG
1376 NAVAPSVC.EXE Svcs: navapsvc
1428 nvsvc32.exe Svcs: NVSvc
1468 SAVSCAN.EXE Svcs: SAVScan
1536 svchost.exe Svcs: stisvc
1556 symlcsvc.exe Svcs: Symantec Core LC
2000 explorer.exe Title: Program Manager
352 Directcd.exe Title: DirectCD
368 hpztsb04.exe Title:
376 hphmon03.exe Title: HP Photosmart Printer Series
400 DAP.exe Title: Dialog
408 CCAPP.EXE Title: Norton AntiVirus
1792 WkUFind.exe
2016 WinPatrol.exe Title: WinPatrol
2240 hphipm09.exe Svcs: Pml Driver
2312 WkCalRem.exe Title: HOMESUITE:ADVSVR
2992 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3020 ntvdm.exe
3044 msmsgs.exe Title:
3828 iexplore.exe Title: My Yahoo! - Microsoft Internet Explorer
648 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access MARSHALL-OBEA46\Marshall
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access MARSHALL-OBEA46\Marshall




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

»»Group/user settings:


User: [MARSHALL-OBEA46\Marshall], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group MARSHALL-OBEA46\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
MARSHALL-OBEA46\Marshall:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


C:\junkxxx\hlp.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
MARSHALL-OBEA46\Marshall:F
BUILTIN\Users:R


»»File(s) in 'junkxxx' folder:
-ra-- W32i - - - - 57,344 04-20-2004 hlp.dll

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

c185b36f9969d3a6d2122ba7cbc02249 hlp.dll

57344 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 0 04-11-2004 hosts
------
»»Rehash:
File: <C:\junkxxx\hlp.dll>
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436 199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135 C8BECB6F 2DB242DA 5945C134 A7E3D9B9
»Strings found:
C:\junkxxx\hlp.dll: InstallStreamingDevice
C:\junkxxx\hlp.dll: StreamingDeviceSetup
C:\junkxxx\hlp.dll: StreamingDeviceSetup2

Sun Jun 06 12:37:01 2004 -- ++Find-All backups:
c:\docume~1\marshall\desktop\unused~1\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-06-2004 winbackup.hiv
c:\docume~1\marshall\desktop\unused~1\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-06-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-06-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#9 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 06 June 2004 - 11:51 AM

So far so good, but there is a strange enigma in your current log:

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error
* result\\?\C:\junkxxx\HLP.DLL

The 'hlp.dll' you moved has positive identification.
I'm not sure about the other pest there!

Run a search on your drive for this file:
WINDOWS\System32\WDMOPL.DLL
and see if it is found anywhere!

If found, move it to the same 'junkxxx' folder.
If not, ignore it for now!

For now just restart your computer again, and follow up on these steps:

--Open the 'Find-All'\Tools subfolder.
Double-click once on the "ZIPZAP.bat" file!

It will quickly/silently do this:
*Restore your key & security back to defaults
*Reset permissions on the moved junkxxx\*.dll file
*Create a zipped copy in the same folder: "junkxxx.zip"
*Open your email client with the given addresses for submission!

--Drag the 'junkxxx.zip' and submit the attachment to the specified addresses, thanks!

When done, delete the "junkxxx.zip" in the 'Find-All' folder!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, you need to clear all the elements the hijacker downloaded!
Run these tools (whether used before or not!), as they should work properly now.
Have them fix all problems:
*Ad-Aware 6 Build 181:
http://www.lavasoftu...ftware/adaware/

*Latest reference file:
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181
http://www.lavahelp....scan/index.html

http://www.spywarein.../CWShredder.exe


When done with the above, post another HijackThis log and another Find-All log!
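The checks that freeatlast reads off the Find-All logs in this thread (the AppInit_DLLs value exported under the 'Windows' key, the size Find-All reports for that key, and the "Locked or 'Suspect' file(s)" list) can be triaged mechanically. The Python below is an added example written for this page; it is not code from the thread or from the Find-All tool. The two log excerpts inside it are constructed in Find-All's output format, the `EXAMPLE.DLL` path is a placeholder, and the key-size reference numbers are the ones Find-All prints in its own header line.

```python
"""Triage helper for Find-All log excerpts (added example; not code from this
thread or from the Find-All tool).  It checks the three things the helper
reads in the logs above: the AppInit_DLLs value exported under the 'Windows'
key, the size Find-All reports for that key, and the locked/suspect file list."""
import re

# Reference sizes as Find-All prints them:
# "Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)"
KEY_SIZE_DEFAULT, KEY_SIZE_NO_APPINIT, KEY_SIZE_FAKE = 450, 398, 448
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def parse_reg_export(text):
    """Parse REGEDIT4-style blocks into {key: {name: value}}; handles "string"
    and dword: values.  A blank line ends the current key, as in a .reg file."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = name if name == "@" else name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")  # .reg escapes \ as \\
            elif raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:
                keys[current][name] = raw
    return keys


def key_size(log):
    """The 'Windows' key size as Find-All reports it, or None if absent."""
    m = re.search(r"^Size of .*\\Windows: (\d+)$", log, re.MULTILINE)
    return int(m.group(1)) if m else None


def suspect_files(log):
    """Paths listed under "Locked or 'Suspect' file(s)", deduplicated."""
    found, in_section = [], False
    for line in log.splitlines():
        if line.startswith("»»Locked or 'Suspect'"):
            in_section = True
        elif in_section:
            if line.startswith("»»"):
                break
            m = re.search(r"\\\\\?\\(\S+)", line)  # Find-All prints paths as \\?\C:\...
            if m and m.group(1) not in found:
                found.append(m.group(1))
    return found


def triage(log):
    """Return (category, detail) findings; an empty list means nothing to flag."""
    findings = []
    appinit = parse_reg_export(log).get(WINDOWS_KEY, {}).get("AppInit_DLLs")
    if appinit is None:
        findings.append(("appinit", "AppInit_DLLs value not present in the export"))
    elif appinit != "":
        findings.append(("appinit", "AppInit_DLLs is set: " + appinit))
    size = key_size(log)
    if size is not None and size != KEY_SIZE_DEFAULT:
        if abs(size - KEY_SIZE_FAKE) <= 2:
            hint = "close to the 'fake key' size"
        elif size == KEY_SIZE_NO_APPINIT:
            hint = "matches the 'no AppInit' size"
        else:
            hint = "unexpected"
        findings.append(("keysize", f"'Windows' key size {size} ({hint})"))
    findings += [("suspect", p) for p in suspect_files(log)]
    return findings


# Constructed excerpts in Find-All's format; EXAMPLE.DLL is a placeholder path.
INFECTED_LOG = r"""»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMOPL.DLL +++ File read error
* result\\?\C:\junkxxx\HLP.DLL

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\EXAMPLE.DLL"

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
"""

CLEAN_LOG = r"""»»Locked or 'Suspect' file(s) found...

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"GDIProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
"""

if __name__ == "__main__":
    print(triage(INFECTED_LOG), triage(CLEAN_LOG))
```

Run against the infected excerpt it reports the populated AppInit_DLLs value, the off-default key size and both locked paths; against the clean excerpt (which mirrors the shape of marshallk9's final log) it returns nothing. The key-size comparison is only as meaningful as Find-All's own reference numbers, so treat it as a prompt to look at the key, not as proof on its own.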

#10 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 06 June 2004 - 12:51 PM

In addition,

Download:
http://downloads.sub...g/VX2Finder.exe

Scan, save the results and post them here!

#11 marshallk9

marshallk9

    Member

  • Full Member
  • 15 posts

Posted 06 June 2004 - 05:54 PM

thanks. Sorry about the delay, I had a graduation I had to go to. Here are the new logs after following the above directions:

Logfile of HijackThis v1.97.7
Scan saved at 6:46:33 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Documents and Settings\Marshall\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...iuctl.CAB?37936.6543518519
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yaho...ail/ac4plus.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.co....cab?5,0,1730,0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A493747-DFDE-4638-9067-22B5FC4BAFCC}: NameServer = 151.201.0.39 151.201.0.38

The VX2 is next and is as follows (first time using it so I hope it is the right one):

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

Last is the Find-all log:

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--


Sun Jun 06 18:54:23 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "Local Disk" (5CA0:3EF2) - FS:NTFS clusters:4k
Total: 80 015 491 072 [75G] - Free: 67 416 432 640 [63G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q824145;Q330994;Q832894;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-18-2001 regedt32.exe


»»PC uptime:
6:54pm up 0 days, 0:38

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
392 smss.exe
496 csrss.exe Title:
540 winlogon.exe Title: NetDDE Agent
584 services.exe Svcs: Eventlog,PlugPlay
596 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
756 svchost.exe Svcs: RpcSs
808 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,S
aredAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmg
,W32Time,win
952 svchost.exe Svcs: Dnscache
984 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient
1080 CCSETMGR.EXE Svcs: ccSetMgr
1100 CCEVTMGR.EXE Svcs: ccEvtMgr
1248 spoolsv.exe Svcs: Spooler
1348 alg.exe Svcs: ALG
1380 NAVAPSVC.EXE Svcs: navapsvc
1416 nvsvc32.exe Svcs: NVSvc
1476 SAVSCAN.EXE Svcs: SAVScan
1544 svchost.exe Svcs: stisvc
1560 symlcsvc.exe Svcs: Symantec Core LC
252 explorer.exe Title: Program Manager
108 Directcd.exe Title: DirectCD
708 hpztsb04.exe Title:
784 hphmon03.exe Title: HP Photosmart Printer Series
796 DAP.exe Title: Dialog
804 CCAPP.EXE Title: Norton AntiVirus
892 WkUFind.exe
904 WinPatrol.exe Title: WinPatrol
1912 WkCalRem.exe Title: HOMESUITE:ADVSVR
1652 hphipm09.exe Svcs: Pml Driver
2524 HijackThis.exe Title: HijackThis
336 NOTEPAD.EXE Title: 6-6-04HJT log 6-45pm - Notepad
2188 iexplore.exe Title: SWI Forums -> about: blank and "warning, you're in danger" - Microsoft Internet Explorer
3680 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3704 ntvdm.exe
3888 msmsgs.exe Title:
3652 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access MARSHALL-OBEA46\Marshall
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access MARSHALL-OBEA46\Marshall




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Group/user settings:


User: [MARSHALL-OBEA46\Marshall], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group MARSHALL-OBEA46\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
MARSHALL-OBEA46\Marshall:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 0 04-11-2004 hosts
------
»»Rehash:

»Strings found:

Sun Jun 06 18:54:47 2004 -- ++Find-All backups:
c:\docume~1\marshall\desktop\unused~1\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-06-2004 winbackup.hiv
c:\docume~1\marshall\desktop\unused~1\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-06-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-06-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#12 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 06 June 2004 - 06:09 PM

All last logs look ok!
Well done! :D

#13 marshallk9

marshallk9

    Member

  • Full Member
  • 15 posts

Posted 06 June 2004 - 06:23 PM

It seems that my about:blank problem is gone... thanks so much. Do you have any idea on how to help me with the background? I do not have the warning sign any longer, but I now just have a white background. When I rt click it shows under properties: file://C:\WINDOWS\Web\desktop.html
When I go all the way to the very top edge of the screen I can rt click and get the menu for changing the background, etc, but it doesn't change the appearance of the desktop.

Thanks again for all of your help with the nasty about:blank thing. It is a real pain in a@$

#14 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 06 June 2004 - 07:53 PM

Display properties>web> uncheck 'show web content...'
Disable active desktop.