Jump to content


Photo

About:Blank - Can't Restore to Normal - CWS


  • This topic is locked This topic is locked
15 replies to this topic

#1 CAVU

CAVU

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 12 June 2004 - 04:50 PM

Short Version:

1. My IE start page was changed to some CWS type site, I normally use the blank page.

2. I removed the virus/whatever the best I could using Ad-Aware, Spybot S&D, HijackThis, CWShredder (said it fixed the CWS.Jksearch variety) and reading the FAQ posted here as well as other info.

3. It hasn't taken over my start page again, but I won't be surprised if it does again.

4. If I set my start page to About:Blank using the "Use Blank" button in the IE settings and I run Ad-Aware, it indicates that my About:Blank page is still the hijacked version from CWS, as follows:

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

How do I restore the About:Blank page to the normal as well remove the new text/plain html protocol filter that got installed (If I still have it) and whatever else these evil programmers did to my system?

What I found/fixed:

1. \WINNT\System32\Services\wmplayer.exe
2. Removed hmfoc.dll and two others that were 0 bytes.
3. Removed a BHO (that wasn't listed in the archive, btw), bunches of obfuscated stuff, and search page changes.
4. References to the above in the registry.


My HijackThis Log:

Logfile of HijackThis v1.97.7
Scan saved at 5:24:58 PM, on 6/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\system32\TCAUDIAG.exe
C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AboutTime\AboutTime.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
D:\Program Files\Palm\HOTSYNC.EXE
C:\WINNT\system32\wuauclt.exe
D:\download\Spyware\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [PLXSTART] C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE
O4 - HKLM\..\Run: [PLXTASK] C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?37729.5603125
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...365/mcfscan.cab

#2 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 13 June 2004 - 01:03 AM

Try the following procedure - Let me know how it goes and then we can deal with any outstanding issues...
  • Download the dllfix.exe program from here or from here and save it in a place you like.
  • Double-Click or Open the self-extracting file. It will ask for installation and change location. Please Keep it in the BOOT drive (Typically Drive-C) and not in any place else. In the "Destination Folder" location, just type in c:\dllfix and click on "Install".
  • Navigate to the folder with the contents of the file (c:\dllfix if you used the suggestion previously mentioned). You will see there are two more folders inside and four .BAT files.
  • Double-Click on "Start.bat" and you should get a command prompt open with a menu listing 4 choices:
    • 1. Run Find-All
    • 2. Run Fix
    • 3. View Readme
    • E. Exit
    Type in 1 and press "Enter". This should start up a report screen (Just press "OK" when a pop up box prompts you). Wait until the report has completed as this may take a few minutes. Once the search is complete, a dialog box will pop up saying "Hit 'OK' to view log." Press "OK" and notepad will open with a file named "Output.txt". There should be a random named .dll file listed.
    Option #1
  • Run the start.bat again after the "dll" is found or if you have not found it.. Run option 2 and choose correct option in submenu. The sub-menu should contain:
    • 1. Enter Dll name Manually <= If you found the dll name that is locked or in the appinit key, you type it in under this option.
    • 2. Run Fix without Dll Name It will be searched for Later. <= This is for if you can't find the dll name.
    • E. Exit
    Option #2
  • Post the contents of the "Output.txt" file into this message for further review.
  • Reboot. There will be the scan for the " dll " on-boot screen, which will search and fix it. There will just be a md5 scan if the filename was entered manually. (option 2,1 in start.bat)
  • Reboot and Download Ad-aware. Check for updates. Then Run the update Ad-aware.
  • Reboot. Run HijackThis and save the fresh log.


#3 CAVU

CAVU

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 13 June 2004 - 06:32 PM

I've seen you and others talk about the DLLFIX program, so I tried it before you replied. It didn't correct the problem. It did remove the entry that my video driver installed (NVDESK32.DLL) but so far I havenít seen any functionality loss, so I'm not too sure what it was doing anyway.

My About:Blank page still seems to have been overwritten but I haven't experienced any problems as of yet (I'm actually starting up to a blank page as I like and the wmplayer.exe hasn't reappeared). In fact, the only indication of a problem is that Ad-Aware says there's a possible browser hijack attempt as I listed in my first post.

Does anyone know were the About:Blank page is stored? The file name? How to restore it?

Thank you for everyone's help.


Output.txt:
--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Sat 06/12/2004
6:24p

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (989B:21A0) - FS:NTFS clusters:4k
Total: 10 733 989 888 [10G] - Free: 4 708 880 384 [4.4G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.0.2140.1 C:\WINNT\system32\notepad.exe
5.0.2140.1 C:\WINNT\notepad.exe
*Media Player version :
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;



Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.


Scanning for main Hijacker:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="NVDESK32.DLL"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{A9748C87-6617-40E8-9B3C-7167C6BA3356}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ NVDESK32.DLL

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




Current HijackThis Log:
Logfile of HijackThis v1.97.7
Scan saved at 7:14:52 PM, on 6/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\system32\TCAUDIAG.exe
C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AboutTime\AboutTime.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
D:\Program Files\Palm\HOTSYNC.EXE
C:\WINNT\system32\wuauclt.exe
D:\download\Spyware\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [PLXSTART] C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE
O4 - HKLM\..\Run: [PLXTASK] C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?37729.5603125
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...365/mcfscan.cab

#4 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 13 June 2004 - 06:57 PM

I am not sure what you are asking about the about:blank page and where it is stored? I start my IE to a blank page but I have a shortcut that I run ...
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

Also - Your log looks to be clean.
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#5 CAVU

CAVU

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 13 June 2004 - 08:05 PM

I'm referring to the CWS Chronicles @ http://www.spywarein...chronicles.html that Merjin has published.

Quote from CWS.Searchx section:

"The about:blank page is modified by creating two new protocol filters for text/html and text/plain which allows the DLL to control most of the content flowing through the IE browser as web pages."

I'm not exactly sure which varient I had, but I beleive it was some form of CWS.Searchx (CWShredder said it was CWS.JKsearch, but that's not listed by Merjin). Since it says that "The about:blank page is modified" that is what I'm trying to figure out/fix. How was it "Modified" and how do I un-modify it?

*Something* is still there because Ad-Aware is still finding it; it just doesn't seem to be alble to fix it and as you said, everything looks clean.

All Ad-Aware gives me is this:
Vendor:Possible Browser Hijack attempt
Category:Data Miner
Object Type:RegData
Size:-
Location:Software\Microsoft\Internet Explorer\Main "Start Page" ("about:blank")
Last Activity:6-13-2004
Risk LevelMedium
Comment:Possible browser hijack attempt
Description:Possible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

Again, Thank you...

#6 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 13 June 2004 - 11:35 PM

Can you reset IE back to the defaults as listed below and tell me if that resolves it ...

Please open notepad, copy the contents of the quote box into notepad and save it as iefix.reg. Double click on the iefix.reg file and when prompted, just respond "Yes". This will reset all your IE settings back to their defaults.

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn...t/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn...t/srchcust.htm"
"Default_Search_URL"="http://www.microsoft...ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft...ie&ar=iesearch"
"Search Page"="http://www.microsoft...ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft...ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.co...n-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsof...earch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft...ie&ar=iesearch"
"Search Bar"="http://search.msn.co...om/spbasic.htm"
"Use Custom Search URL"= dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"



#7 CAVU

CAVU

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 14 June 2004 - 12:32 AM

Sorry, that didn't work.

#8 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 14 June 2004 - 09:45 AM

Let's see if you have a rootkit Hijacker installed ...

Please download RKDetectorv0.62.zip. To keep things simple extract the files into D:\download\Spyware\HijackThis\. Click on "Start" => "Run" and type in CMD to bring up a command prompt. From the command prompt type in d: and press enter to change into your D-Drive. Type in cd D:\download\Spyware\HijackThis\. Then type in rkdetector.exe > rkdetector.txt and press enter
The command window will go blank for a minute or so, when the prompt comes back type in notepad rkdetector.txt. This will open the file in notepad. Please click on "Edit" => "Select All" => "Edit" => "Copy" and then paste the contents back her for further review.

#9 CAVU

CAVU

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 14 June 2004 - 11:09 AM

. .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright © 2004 - 3wdesign Security
Url: http://www.3wdesign.es


-Gathering Service list Information... ( Found: 247 services )
-Gathering process List Information... ( Found: 42 process )
-Searching for Hidden process Handles. ( Found: 0 Hidden Process )
-Checking Visible Process.............
c:\winnt\system32\smss.exe
c:\winnt\system32\csrss.exe
c:\winnt\system32\winlogon.exe
c:\winnt\system32\services.exe
c:\winnt\system32\lsass.exe
c:\winnt\system32\svchost.exe
c:\winnt\system32\spoolsv.exe
c:\winnt\system32\ctsvccda.exe
c:\winnt\system32\svchost.exe
c:\winnt\system32\hidserv.exe
c:\program files\common files\microsoft shared\vs7debug\mdm.exe
c:\winnt\system32\nvsvc32.exe
c:\winnt\system32\cmd.exe
c:\winnt\system32\pgpsdkserv.exe
c:\winnt\system32\regsvc.exe
c:\winnt\system32\mstask.exe
c:\winnt\system32\stisvc.exe
c:\program files\microsoft hardware\keyboard\type32.exe
c:\winnt\system32\zonelabs\vsmon.exe
c:\winnt\system32\wbem\winmgmt.exe
c:\winnt\system32\mspmspsv.exe
c:\winnt\system32\svchost.exe
c:\program files\microsoft hardware\mouse\point32.exe
c:\winnt\explorer.exe
c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
c:\winnt\system32\spool\drivers\w32x86\3\hpztsb05.exe
c:\program files\internet explorer\iexplore.exe
c:\progra~1\micros~2\gameco~1\common\swtrayv4.exe
c:\progra~1\plexto~1\plxtask.exe
c:\winnt\system32\tcaudiag.exe
d:\program files\microsoft office\office10\outlook.exe
c:\winnt\system32\hphmon04.exe
c:\winnt\system32\ctfmon.exe
c:\program files\abouttime\abouttime.exe
c:\program files\hewlett-packard\hp share-to-web\hpgs2wnf.exe
d:\program files\pgp corporation\pgp for windows 2000\pgptray.exe
c:\program files\zone labs\zonealarm\zapro.exe
d:\program files\palm\hotsync.exe
c:\winnt\system32\wuauclt.exe
d:\download\spyware\hijackthis\rkdetector.exe
d:\program files\microsoft office\office10\winword.exe
-Searching again for Hidden Services..
-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 0 wrong Services )
-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)

#10 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 14 June 2004 - 11:35 AM

Do you have a file c:\filter.log? If so, delete it. Can you please reboot and then post back a fresh HijackThis Log. Also, from the HijackThis screen, click on "Config" in the bottom right corner, then click on the "Misc. Tools" tab at the top and finally on "Generate Startup List" which will appear below it. When prompted, say yes and a log will open in notepad - Copy and paste those contents here as well.

#11 CAVU

CAVU

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 14 June 2004 - 08:02 PM

No .log file.

Again, thanks for your help, it's appriciated.

HijackThis Log:

Logfile of HijackThis v1.97.7
Scan saved at 8:52:27 PM, on 6/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\system32\TCAUDIAG.exe
C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AboutTime\AboutTime.exe
D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
D:\Program Files\Palm\HOTSYNC.EXE
D:\download\Spyware\HijackThis\HijackThis.exe
C:\WINNT\System32\svchost.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [PLXSTART] C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE
O4 - HKLM\..\Run: [PLXTASK] C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?37729.5603125
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...365/mcfscan.cab

Startup:

StartupList report, 6/14/2004, 8:54:02 PM
StartupList version: 1.52
Started from : D:\download\Spyware\HijackThis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\system32\TCAUDIAG.exe
C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AboutTime\AboutTime.exe
D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
D:\Program Files\Palm\HOTSYNC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\NOTEPAD.EXE
D:\download\Spyware\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\timh\Start Menu\Programs\Startup]
HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
PGPtray.lnk = D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
POINTER = point32.exe
IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
TCASUTIEXE = TCAUDIAG.exe -on
PLXSTART = C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE
PLXTASK = C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
SideWinderTrayV4 = C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...ector/swdir.cab

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINNT\DOWNLO~1\yacscom.dll
CODEBASE = http://us.chat1.yimg...v45/yacscom.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[EARTPatchX Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\EARTPX.dll
CODEBASE = http://simcity.ea.co...date/EARTPX.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...B?37729.5603125

[MaxisSimCity4PatcherX Control]
InProcServer32 = C:\WINNT\DOWNLO~1\MAXISS~1.OCX
CODEBASE = http://simcity.ea.co...ty4PatcherX.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[McFreeScan Class]
InProcServer32 = C:\WINNT\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcaf...365/mcfscan.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 6,413 bytes
Report generated in 0.020 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#12 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 14 June 2004 - 09:06 PM

I am wondering if the ad-aware message may just be informational? I do not see any signs of infection anywhere. Is there any specific problem that you are still having in terms of pop-ups, redirects etc?

You can delete:
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
With HijackThis as the file is missing. Laso, a suggestion, remove all the O16 entries as they will simplyt get downloaded again the next time you connect to the relevant site.

#13 CAVU

CAVU

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 14 June 2004 - 09:30 PM

Well, I haven't gotten my start page hijacked again and wmplayer.exe hasn't been recreated so the bad stuff seems to be gone. Whatever is left over from the infection that Ad-Aware is finding seems to be benign, but that still ticks me off! :grrr:

Unless you or anyone else has any other ideas, I'll reinstall at some point. I'm also going to start using some of the preventative programs you and others recommend. I really despise the people who do this! I hope they all go bankrupt and grow-up soon.

Thanks for all of your help!

#14 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 14 June 2004 - 09:40 PM

Please, do use the programs that I have suggested. I connect to pretty much all sites that people have problems with and I have yet to get any real bad infection. My HOSTS redirects., IE-Spyad etc have prevented my from having any issues. I have even tried to infect myself but my setup protects me pretty good.

#15 CAVU

CAVU

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 16 June 2004 - 01:37 PM

OK, I figured it out.

Ad-Aware is now giving that message to anyone that has thier start page set for 'Blank'.

Anyone who is interested can read about it here:
http://www.lavahelp....04/05/1801.html

It had me confused because I never received that message until after I got infected. I have a multi-boot system and I booted into my test Win2K partition and tried it there and I didn't get that 'warning'. After reading that support page at Lavasoft, I then tried a third system and I am getting it there; that system was never infected. So it looks like I'm OK.

#16 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 16 June 2004 - 02:42 PM

Glad to hear that everything is working like a charm :)

It has been our pleasure to help you :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button