CAVU

About:Blank - Can't Restore to Normal - CWS

16 posts in this topic

Short Version:

 

1. My IE start page was changed to some CWS type site, I normally use the blank page.

 

2. I removed the virus/whatever the best I could using Ad-Aware, Spybot S&D, HijackThis, CWShredder (said it fixed the CWS.Jksearch variety) and reading the FAQ posted here as well as other info.

 

3. It hasn't taken over my start page again, but I won't be surprised if it does again.

 

4. If I set my start page to About:Blank using the "Use Blank" button in the IE settings and I run Ad-Aware, it indicates that my About:Blank page is still the hijacked version from CWS, as follows:

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

How do I restore the About:Blank page to normal, as well as remove the new text/plain html protocol filter that got installed (if I still have it) and whatever else these evil programmers did to my system?

 

What I found/fixed:

 

1. \WINNT\System32\Services\wmplayer.exe

2. Removed hmfoc.dll and two others that were 0 bytes.

3. Removed a BHO (that wasn't listed in the archive, btw), bunches of obfuscated stuff, and search page changes.

4. References to the above in the registry.

 

 

My HijackThis Log:

 

Logfile of HijackThis v1.97.7

Scan saved at 5:24:58 PM, on 6/12/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\System32\PGPsdkServ.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\WINNT\system32\TCAUDIAG.exe

C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE

C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe

C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINNT\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\AboutTime\AboutTime.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

D:\Program Files\Palm\HOTSYNC.EXE

C:\WINNT\system32\wuauclt.exe

D:\download\Spyware\HijackThis\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on

O4 - HKLM\..\Run: [PLXSTART] C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE

O4 - HKLM\..\Run: [PLXTASK] C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE

O4 - HKLM\..\Run: [sideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PGPtray.lnk = D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe

O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?37729.5603125

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...365/mcfscan.cab


Try the following procedure - Let me know how it goes and then we can deal with any outstanding issues...

  1. Download the dllfix.exe program from here or from here and save it in a place you like.
  2. Double-Click or Open the self-extracting file. It will ask for installation and change location. Please Keep it in the BOOT drive (Typically Drive-C) and not in any place else. In the "Destination Folder" location, just type in c:\dllfix and click on "Install".
  3. Navigate to the folder with the contents of the file (c:\dllfix if you used the suggestion previously mentioned). You will see there are two more folders inside and four .BAT files.
  4. Double-Click on "Start.bat" and you should get a command prompt open with a menu listing 4 choices:
    • 1. Run Find-All
    • 2. Run Fix
    • 3. View Readme
    • E. Exit

Type in 1 and press "Enter". This should start up a report screen (Just press "OK" when a pop up box prompts you). Wait until the report has completed as this may take a few minutes. Once the search is complete, a dialog box will pop up saying "Hit 'OK' to view log." Press "OK" and notepad will open with a file named "Output.txt". There should be a random named .dll file listed.

Option #1

  • Run the start.bat again after the "dll" is found, or if you have not found it, run option 2 and choose the correct option in the submenu. The sub-menu should contain:
    • 1. Enter Dll name Manually <= If you found the dll name that is locked or in the appinit key, you type it in under this option.
    • 2. Run Fix without Dll Name It will be searched for Later. <= This is for if you can't find the dll name.
    • E. Exit

Option #2

  • Post the contents of the "Output.txt" file into this message for further review.

  • Reboot. There will be the scan for the " dll " on-boot screen, which will search and fix it. There will just be an md5 scan if the filename was entered manually. (option 2,1 in start.bat)

  • Reboot and download Ad-aware. Check for updates. Then run the updated Ad-aware.

  • Reboot. Run HijackThis and save the fresh log.


I've seen you and others talk about the DLLFIX program, so I tried it before you replied. It didn't correct the problem. It did remove the entry that my video driver installed (NVDESK32.DLL) but so far I haven’t seen any functionality loss, so I'm not too sure what it was doing anyway.

 

My About:Blank page still seems to have been overwritten but I haven't experienced any problems as of yet (I'm actually starting up to a blank page as I like and the wmplayer.exe hasn't reappeared). In fact, the only indication of a problem is that Ad-Aware says there's a possible browser hijack attempt as I listed in my first post.

 

Does anyone know where the About:Blank page is stored? The file name? How to restore it?

 

Thank you for everyone's help.

 

 

Output.txt:

--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--

--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

 

Sat 06/12/2004

6:24p

 

System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "" (989B:21A0) - FS:NTFS clusters:4k

Total: 10 733 989 888 [10G] - Free: 4 708 880 384 [4.4G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

*Notepad version :

5.0.2140.1 C:\WINNT\system32\notepad.exe

5.0.2140.1 C:\WINNT\notepad.exe

*Media Player version :

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;

 

 

 

Locked or 'Suspect' file(s) found...

These may be other files that Dllfix doesnt target.

 

 

Scanning for main Hijacker:

 

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="NVDESK32.DLL"

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{A9748C87-6617-40E8-9B3C-7167C6BA3356}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ NVDESK32.DLL

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

Current HijackThis Log:

Logfile of HijackThis v1.97.7

Scan saved at 7:14:52 PM, on 6/13/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\System32\PGPsdkServ.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\WINNT\system32\TCAUDIAG.exe

C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE

C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe

C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINNT\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\AboutTime\AboutTime.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

D:\Program Files\Palm\HOTSYNC.EXE

C:\WINNT\system32\wuauclt.exe

D:\download\Spyware\HijackThis\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on

O4 - HKLM\..\Run: [PLXSTART] C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE

O4 - HKLM\..\Run: [PLXTASK] C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE

O4 - HKLM\..\Run: [sideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PGPtray.lnk = D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe

O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?37729.5603125

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...365/mcfscan.cab


I am not sure what you are asking about the about:blank page and where it is stored. I start my IE to a blank page, but I have a shortcut that I run ...

"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

 

Also - Your log looks to be clean.

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.


I'm referring to the CWS Chronicles @ http://www.spywareinfo.com/~merijn/cwschronicles.html that Merijn has published.

 

Quote from CWS.Searchx section:

 

"The about:blank page is modified by creating two new protocol filters for text/html and text/plain which allows the DLL to control most of the content flowing through the IE browser as web pages."

 

I'm not exactly sure which variant I had, but I believe it was some form of CWS.Searchx (CWShredder said it was CWS.JKsearch, but that's not listed by Merijn). Since it says that "The about:blank page is modified", that is what I'm trying to figure out/fix. How was it "Modified" and how do I un-modify it?

 

*Something* is still there because Ad-Aware is still finding it; it just doesn't seem to be able to fix it and, as you said, everything looks clean.

 

All Ad-Aware gives me is this:

Vendor:Possible Browser Hijack attempt

Category:Data Miner

Object Type:RegData

Size:-

Location:Software\Microsoft\Internet Explorer\Main "Start Page" ("about:blank")

Last Activity:6-13-2004

Risk LevelMedium

Comment:Possible browser hijack attempt

Description:Possible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

 

Again, Thank you...

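The CWS Chronicles quote above gives the detection rule for this variant: the about:blank hijack works by registering MIME filters for text/html and text/plain under HKEY_CLASSES_ROOT\PROTOCOLS\Filter, and the user's Output.txt dump earlier in the thread shows exactly such a text/plain filter. As an added example (my code, not code from this thread or from dllfix, HijackThis or Ad-Aware), the Python script below applies that rule to a REGEDIT4-style export like dllfix's Output.txt: it parses the export, compares every PROTOCOLS\Filter subkey against a baseline, flags any filter registered for text/html or text/plain as the about:blank marker, reports any other unknown or changed filter for manual review, and lists the AppInit_DLLs value (which the thread shows can be a benign video-driver DLL, so it is a review item, not a verdict). The sample export is constructed from the dump posted above; the baseline (the posted filters other than text/plain, treated as the clean state) and all function names are my assumptions.

```python
"""Scan a REGEDIT4-style export (e.g. dllfix's Output.txt) for the about:blank
hijack markers discussed in this thread: extra MIME filters under
HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter and a populated AppInit_DLLs value."""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the Find-All dump posted earlier in the thread.
SAMPLE_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="NVDESK32.DLL"
"Spooler"="yes"
"GDIProcessHandleQuota"=dword:00002710

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{A9748C87-6617-40E8-9B3C-7167C6BA3356}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
"""

FILTER_ROOT = r"HKEY_CLASSES_ROOT\PROTOCOLS\Filter"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Assumed clean baseline: the filters from the posted dump minus text/plain.
BASELINE_FILTERS = {
    "Class Install Handler": "{32B533BB-EDAE-11D0-BD5A-00AA00B92AF1}",
    "deflate": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "gzip": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "lzdhtml": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "text/webviewhtml": "{733AC4CB-F1A4-11D0-B951-00A0C90312E1}",
}

# MIME types the CWS variant registers filters for, per the CWS Chronicles quote.
HIJACK_MIME_TYPES = {"text/html", "text/plain"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}; the default value is stored as '@'.
    Quoted string data has its quotes stripped; dword:/hex: data is kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.group(1), value_match.group(2)
            if name != "@":
                name = name[1:-1]
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            keys[current][name] = data
    return keys


def find_filter_findings(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (subkey, clsid, reason) for every PROTOCOLS\\Filter entry that is not
    an exact baseline match. text/html and text/plain filters are the about:blank
    marker; anything else unknown is reported for manual review."""
    findings = []
    prefix = FILTER_ROOT.upper() + "\\"
    for key, values in keys.items():
        if not key.upper().startswith(prefix):
            continue
        subkey = key[len(prefix):]
        clsid = values.get("CLSID", "").upper()
        expected = BASELINE_FILTERS.get(subkey)
        if expected is not None and clsid == expected:
            continue
        if subkey.lower() in HIJACK_MIME_TYPES:
            reason = "MIME filter on a type CWS hijacks (about:blank marker)"
        elif expected is None:
            reason = "filter subkey not in baseline"
        else:
            reason = f"CLSID changed from baseline {expected}"
        findings.append((subkey, clsid, reason))
    return findings


def appinit_dlls(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """List the DLLs in AppInit_DLLs (loaded into every process that uses user32).
    The thread shows a benign video-driver entry here, so this is a review item."""
    for key, values in keys.items():
        if key.upper() != APPINIT_KEY.upper():
            continue
        for name, data in values.items():
            if name.lower() == "appinit_dlls":
                return [d for d in re.split(r"[ ,]+", data) if d]
    return []


def scan(text: str = SAMPLE_EXPORT):
    """Parse an export and return (filter findings, AppInit_DLLs list)."""
    keys = parse_regedit4(text)
    return find_filter_findings(keys), appinit_dlls(keys)


if __name__ == "__main__":
    filter_findings, dlls = scan()
    for subkey, clsid, reason in filter_findings:
        print(f"{subkey:24} {clsid}  {reason}")
    print("AppInit_DLLs:", dlls or "(empty)")
```

Run against the constructed sample it reports only the text/plain filter; run against a real Output.txt (pass the file contents to scan) the baseline should first be adjusted to what a known-clean machine of the same Windows and IE version shows, since any filter subkey outside it is reported.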

Can you reset IE back to the defaults as listed below and tell me if that resolves it ...

 

Please open notepad, copy the contents of the quote box into notepad and save it as iefix.reg. Double click on the iefix.reg file and when prompted, just respond "Yes". This will reset all your IE settings back to their defaults.

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]

"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"

"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"

"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]

"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]

"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]

""="http://home.microsoft.com/access/autosearch.asp?p=%s"

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]

"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

"Search Bar"="http://search.msn.com/spbasic.htm"

"Use Custom Search URL"=dword:00000000

 

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]

@="http://"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]

"ftp"="ftp://"

"gopher"="gopher://"

"home"="http://"

"mosaic"="http://"

"www"="http://"


Let's see if you have a rootkit Hijacker installed ...

 

Please download RKDetectorv0.62.zip. To keep things simple extract the files into D:\download\Spyware\HijackThis\. Click on "Start" => "Run" and type in CMD to bring up a command prompt. From the command prompt type in d: and press enter to change into your D-Drive. Type in cd D:\download\Spyware\HijackThis\. Then type in rkdetector.exe > rkdetector.txt and press enter

The command window will go blank for a minute or so; when the prompt comes back, type in notepad rkdetector.txt. This will open the file in notepad. Please click on "Edit" => "Select All" => "Edit" => "Copy" and then paste the contents back here for further review.


. .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .

Rootkit Detector Profesional 2004

Programmed by Andres Tarasco Acuna

Copyright © 2004 - 3wdesign Security

Url: http://www.3wdesign.es

 

 

-Gathering Service list Information... ( Found: 247 services )

-Gathering process List Information... ( Found: 42 process )

-Searching for Hidden process Handles. ( Found: 0 Hidden Process )

-Checking Visible Process.............

c:\winnt\system32\smss.exe

c:\winnt\system32\csrss.exe

c:\winnt\system32\winlogon.exe

c:\winnt\system32\services.exe

c:\winnt\system32\lsass.exe

c:\winnt\system32\svchost.exe

c:\winnt\system32\spoolsv.exe

c:\winnt\system32\ctsvccda.exe

c:\winnt\system32\svchost.exe

c:\winnt\system32\hidserv.exe

c:\program files\common files\microsoft shared\vs7debug\mdm.exe

c:\winnt\system32\nvsvc32.exe

c:\winnt\system32\cmd.exe

c:\winnt\system32\pgpsdkserv.exe

c:\winnt\system32\regsvc.exe

c:\winnt\system32\mstask.exe

c:\winnt\system32\stisvc.exe

c:\program files\microsoft hardware\keyboard\type32.exe

c:\winnt\system32\zonelabs\vsmon.exe

c:\winnt\system32\wbem\winmgmt.exe

c:\winnt\system32\mspmspsv.exe

c:\winnt\system32\svchost.exe

c:\program files\microsoft hardware\mouse\point32.exe

c:\winnt\explorer.exe

c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

c:\winnt\system32\spool\drivers\w32x86\3\hpztsb05.exe

c:\program files\internet explorer\iexplore.exe

c:\progra~1\micros~2\gameco~1\common\swtrayv4.exe

c:\progra~1\plexto~1\plxtask.exe

c:\winnt\system32\tcaudiag.exe

d:\program files\microsoft office\office10\outlook.exe

c:\winnt\system32\hphmon04.exe

c:\winnt\system32\ctfmon.exe

c:\program files\abouttime\abouttime.exe

c:\program files\hewlett-packard\hp share-to-web\hpgs2wnf.exe

d:\program files\pgp corporation\pgp for windows 2000\pgptray.exe

c:\program files\zone labs\zonealarm\zapro.exe

d:\program files\palm\hotsync.exe

c:\winnt\system32\wuauclt.exe

d:\download\spyware\hijackthis\rkdetector.exe

d:\program files\microsoft office\office10\winword.exe

-Searching again for Hidden Services..

-Gathering Service list Information... ( Found: 0 Hidden Services)

-Searching for wrong Service Paths.... ( Found: 0 wrong Services )

-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )

-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)

-Searching for hxdef hooks............ ( Found: 0 running rootkits)

-Searching for other rootkits......... ( Found: 0 running rootkits)


Do you have a file c:\filter.log? If so, delete it. Can you please reboot and then post back a fresh HijackThis Log. Also, from the HijackThis screen, click on "Config" in the bottom right corner, then click on the "Misc. Tools" tab at the top and finally on "Generate Startup List" which will appear below it. When prompted, say yes and a log will open in notepad - Copy and paste those contents here as well.


No .log file.

 

Again, thanks for your help, it's appreciated.

 

HijackThis Log:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:52:27 PM, on 6/14/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\System32\PGPsdkServ.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\WINNT\system32\TCAUDIAG.exe

C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE

C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe

C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINNT\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\AboutTime\AboutTime.exe

D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

D:\Program Files\Palm\HOTSYNC.EXE

D:\download\Spyware\HijackThis\HijackThis.exe

C:\WINNT\System32\svchost.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on

O4 - HKLM\..\Run: [PLXSTART] C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE

O4 - HKLM\..\Run: [PLXTASK] C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE

O4 - HKLM\..\Run: [sideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PGPtray.lnk = D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe

O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?37729.5603125

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...365/mcfscan.cab

 

Startup:

 

StartupList report, 6/14/2004, 8:54:02 PM

StartupList version: 1.52

Started from : D:\download\Spyware\HijackThis\HijackThis.EXE

Detected: Windows 2000 SP4 (WinNT 5.00.2195)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\System32\PGPsdkServ.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\WINNT\system32\TCAUDIAG.exe

C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE

C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe

C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINNT\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\AboutTime\AboutTime.exe

D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

D:\Program Files\Palm\HOTSYNC.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\NOTEPAD.EXE

D:\download\Spyware\HijackThis\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\timh\Start Menu\Programs\Startup]

HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe

Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE

PGPtray.lnk = D:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe

ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

Synchronization Manager = mobsync.exe /logon

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

POINTER = point32.exe

IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

TCASUTIEXE = TCAUDIAG.exe -on

PLXSTART = C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE

PLXTASK = C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE

SideWinderTrayV4 = C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

ctfmon.exe = ctfmon.exe

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINNT\system32\logon.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[Shockwave ActiveX Control]

InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...ector/swdir.cab

 

[Yahoo! Audio Conferencing]

InProcServer32 = C:\WINNT\DOWNLO~1\yacscom.dll

CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

 

[EARTPatchX Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\EARTPX.dll

CODEBASE = http://simcity.ea.com/update/EARTPX.cab

 

[Update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...B?37729.5603125

 

[MaxisSimCity4PatcherX Control]

InProcServer32 = C:\WINNT\DOWNLO~1\MAXISS~1.OCX

CODEBASE = http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

 

[Shockwave Flash Object]

InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[McFreeScan Class]

InProcServer32 = C:\WINNT\McAfee.com\FreeScan\mcfscan.dll

CODEBASE = http://download.mcafee.com/molbin/iss-loc/...365/mcfscan.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

WebCheck: C:\WINNT\system32\webcheck.dll

SysTray: stobject.dll

 

--------------------------------------------------

End of report, 6,413 bytes

Report generated in 0.020 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


I am wondering if the Ad-Aware message may just be informational. I do not see any signs of infection anywhere. Is there any specific problem that you are still having, in terms of pop-ups, redirects etc.?

 

You can delete:

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)

with HijackThis, as the file is missing. Also, a suggestion: remove all the O16 entries, as they will simply get downloaded again the next time you connect to the relevant site.


Well, I haven't gotten my start page hijacked again and wmplayer.exe hasn't been recreated so the bad stuff seems to be gone. Whatever is left over from the infection that Ad-Aware is finding seems to be benign, but that still ticks me off! :grrr:

 

Unless you or anyone else has any other ideas, I'll reinstall at some point. I'm also going to start using some of the preventative programs you and others recommend. I really despise the people who do this! I hope they all go bankrupt and grow up soon.

 

Thanks for all of your help!


Please do use the programs that I have suggested. I connect to pretty much all sites that people have problems with and I have yet to get any real bad infection. My HOSTS redirects, IE-Spyad etc. have prevented me from having any issues. I have even tried to infect myself, but my setup protects me pretty well.


OK, I figured it out.

 

Ad-Aware is now giving that message to anyone who has their start page set to 'Blank'.

 

Anyone who is interested can read about it here:

http://www.lavahelp.com/articles/v6/04/05/1801.html

 

It had me confused because I never received that message until after I got infected. I have a multi-boot system and I booted into my test Win2K partition and tried it there and I didn't get that 'warning'. After reading that support page at Lavasoft, I then tried a third system and I am getting it there; that system was never infected. So it looks like I'm OK.

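The two practical points in this thread (a BHO marked "(file missing)" is a dead registration and O16 entries can simply be removed; a Start Page value of exactly "about:blank" is what IE's "Use Blank" button writes, so that literal value is what Ad-Aware was warning about) can be turned into a small triage pass over HijackThis-style log lines. The script below is an added example, not code from the thread or from HijackThis; its sample lines are constructed after the entries in the log above, and the O18 line with its all-zero CLSID and `placeholder.dll` name is a placeholder, not a real identifier.

```python
"""Triage HijackThis-style log lines.

Added example for this thread; not part of HijackThis or of the original
posts.  The rules encode the advice given above:
  * an O2 BHO whose DLL is "(file missing)" is a dead registration and can
    be fixed in HijackThis,
  * O16 DPF entries (downloaded ActiveX controls) can be removed; a site
    that needs one simply downloads it again,
  * a start page of exactly "about:blank" is what IE's "Use Blank" button
    writes, so the literal value is not evidence of a hijack (Ad-Aware's
    warning in the thread fires on exactly that value).
The sample lines are constructed after the log above; the O18 entry and
its CLSID and DLL name are placeholders, not real identifiers.
"""
import re
from dataclasses import dataclass

# "R0 - ...", "O2 - ...", "O16 - ...": section tag, dash, rest of the entry.
ENTRY_RE = re.compile(r"^(?P<tag>[RO]\d+)\s*-\s*(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    entry: str
    verdict: str   # "benign", "fix" (safe to remove) or "review" (needs a human)
    reason: str


def parse_entry(line):
    """Return (tag, body) for a HijackThis entry line, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("tag"), m.group("body")) if m else None


def triage_entry(line):
    parsed = parse_entry(line)
    if parsed is None:
        return None
    tag, body = parsed
    if tag in ("R0", "R1"):
        # R0/R1 look like "HKCU\...\Main,Start Page = <value>"
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value.lower() == "about:blank":
            return Finding(line, "benign",
                           "about:blank is IE's own blank page; the value alone is not a hijack")
        return Finding(line, "review", "start/search page points at " + value)
    if tag == "O2":
        if "(file missing)" in body:
            return Finding(line, "fix", "BHO registered but its DLL is gone; dead entry")
        return Finding(line, "review", "active BHO; check the DLL path and who ships it")
    if tag == "O16":
        return Finding(line, "fix", "downloaded ActiveX control; removal only forces a re-download")
    if tag == "O18":
        # Protocol handlers and filters.  A hijacker that replaces about:blank
        # intercepts the page here, which is why the Start Page value alone
        # proves nothing either way.
        return Finding(line, "review", "protocol handler/filter; verify the DLL is legitimate")
    return Finding(line, "review", "entry type %s not classified" % tag)


def triage(lines):
    return [f for f in map(triage_entry, lines) if f is not None]


def clsids_to_fix(findings):
    """CLSIDs from 'fix' findings, e.g. to cross-check against the registry afterwards."""
    return [m.group(0) for f in findings if f.verdict == "fix"
            for m in [CLSID_RE.search(f.entry)] if m]


# Constructed sample, modelled on the log in this thread.  The R1 URL and the
# O18 line (its CLSID and DLL name) are invented for illustration.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example/",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - "
    r"D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)",
    r"O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe",
    r"O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - "
    r"http://download.macromedia.com/pub/shockwa...ector/swdir.cab",
    r"O18 - Filter: text/html - {00000000-0000-0000-0000-000000000000} - C:\WINNT\System32\placeholder.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %s\n       %s" % (f.verdict, f.entry, f.reason))
```

Run it as-is to see the verdict for each sample line; feed it the lines of a real HijackThis log instead of SAMPLE_LOG to get the same triage. The "fix" verdict is deliberately limited to the two cases the thread calls safe; everything else, including every O4 autostart and every O18 filter, stays "review" for a human to check against installed software.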

Glad to hear that everything is working like a charm :)

 

It has been our pleasure to help you :)

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

This topic is now closed to further replies.