wineguy

about:blank

11 posts in this topic

Please help. I have been struggling with the about:blank hijack for about a month now. I found some good information at www.dslreports.com/forums that has improved my understanding of the bug, but I just can't figure out the final steps to getting rid of the demon.

 

I have, in the past, downloaded Ad-Aware, Spybot, Spy Sweeper (the webpage protect option helps to keep my homepage stable, but I know the trojan is still there because of slower operating performance and the fact that Ad-Aware picks up countless bugs a day), CWShredder, etc., but just can't seem to kill the thing.

 

I understand that the trojan has planted a hidden file in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs that causes a new, variable .dll to appear in C:\windows\system32 upon reboot.

 

I have tried using killbox to delete the hidden file (in my case called wdmf.dll) upon reboot but that doesn't seem to work. I can delete the appinit_dll value in registry editor but it just comes back. I have tried to delete the value in reglite but it will not delete. Any help would be greatly appreciated.

 

 

Here is my hijack this log:

 

Logfile of HijackThis v1.97.7

Scan saved at 7:04:54 PM, on 6/13/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\The Cleaner\tcm.exe

C:\Program Files\The Cleaner\tca.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Toshiba Controls\CpRmtKey.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\EzButton\CplBTQ00.EXE

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Handspring\HOTSYNC.EXE

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Microsoft ActiveSync\WCESMgr.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baronesswines.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baronesswines.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe

O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [workflo] D:\install\workflow.exe

O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE

O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Thanks again,

 

Nate


Download and install: >>Beta-Fix.exe (2K/XP only!)<<

From the 'Find-All page' link in my signature.

 

Run the "LOG.BAT" file, post the results!


Here you go:

 

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

9:49pm up 0 days, 0:32

 

C:\WINDOWS\System32\WDMF.DLL +++ File read error

\\?\C:\WINDOWS\System32\WDMF.DLL +++ File read error

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

The type of the file system is NTFS.

C: is not dirty.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group NOTEBOOK\None.

User is a member of group \Everyone.

User is a member of group NOTEBOOK\Debugger Users.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»Dir 'junkxxx' was created with the following permissions...

(NA=FAT32)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x NOTEBOOK\N8 and E

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: NOTEBOOK\N8 and E

 

Primary Group: NOTEBOOK\None

 

 

»»»»»»Backups created...»»»»»»

9:52pm up 0 days, 0:35

 

A C:\Beta-Fix\winBackup.hiv

--a-- - - - - - 8,192 06-14-2004 winbackup.hiv

A C:\Beta-Fix\keys\winkey.reg

--a-- - - - - - 632 06-14-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLsantiÀÿÿÿC

Windows

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

=pswapdisk

TransmissionRetryTimeout

USERProcessHandleQuota

AppInit

DLLsanti

 

**File C:\Beta-Fix\WIN.TXT

 

Thanks for your help!


Sorry, been busy.

I've made some changes since

Delete the C:\Beta-Fix folder and file and download again.

Install the same way and post the log.

 

I'll check back tomorrow! :)


It's ok. I really appreciate your help. Here's the log from the new version of beta-fix:

 

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

10:42pm up 0 days, 1:49

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\WDMF.DLL +++ File read error

\\?\C:\WINDOWS\System32\WDMF.DLL +++ File read error

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»Special 'locked' files scan in 'System32'........

**File C:\Beta-Fix\LIST.TXT

WDMF.DLL Can't Open!

 

***This list may contain legitimate files!***

»»»LIST OF ALL FILES IN SYSTEM32 WITH 'R;H;S' Attributes:»»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\WINDOWS\SYSTEM32\

ctl3dv2.dll Thu Aug 29 2002 5:00:00a A...R 27,200 26.56 K

hlp95en.dll Thu Jun 20 2002 3:22:42a A...R 31,744 31.00 K

hpzidr12.dll Sun Mar 9 2003 1:31:00p A...R 233,528 228.05 K

hpzipr12.dll Sun Mar 9 2003 1:31:02p A...R 167,936 164.00 K

hpzipt12.dll Sun Mar 9 2003 1:31:02p A...R 94,208 92.00 K

hpzisn12.dll Sun Mar 9 2003 1:31:02p A...R 57,344 56.00 K

lfbmp11n.dll Fri Jun 7 2002 3:02:00a A...R 36,864 36.00 K

lfcmp11n.dll Fri Jun 7 2002 3:02:00a A...R 285,184 278.50 K

lfeps11n.dll Fri Jun 7 2002 3:02:00a A...R 31,232 30.50 K

lffax11n.dll Fri Jun 7 2002 3:02:00a A...R 81,408 79.50 K

lfgif11n.dll Fri Jun 7 2002 3:02:00a A...R 41,472 40.50 K

lfpcd11n.dll Fri Jun 7 2002 3:02:00a A...R 26,112 25.50 K

lfpcx11n.dll Fri Jun 7 2002 3:02:00a A...R 33,280 32.50 K

lfpng11n.dll Fri Jun 7 2002 3:02:00a A...R 172,032 168.00 K

lfpsd11n.dll Fri Jun 7 2002 3:02:00a A...R 56,320 55.00 K

lftga11n.dll Fri Jun 7 2002 3:02:00a A...R 27,648 27.00 K

lftif11n.dll Fri Jun 7 2002 3:02:00a A...R 152,064 148.50 K

lfwmf11n.dll Fri Jun 7 2002 3:02:00a A...R 59,392 58.00 K

ltdis11n.dll Fri Jun 7 2002 3:02:00a A...R 262,656 256.50 K

ltfil11n.dll Fri Jun 7 2002 3:02:00a A...R 118,784 116.00 K

ltimg11n.dll Fri Jun 7 2002 3:02:02a A...R 127,488 124.50 K

ltkrn11n.dll Fri Jun 7 2002 3:02:02a A...R 392,192 383.00 K

ltwvc11n.dll Fri Jun 7 2002 3:02:02a A...R 716,288 699.50 K

msls2.dll Thu Jun 20 2002 3:19:12a A...R 91,136 89.00 K

ochlp30e.dll Thu Jun 20 2002 3:19:18a A...R 37,888 37.00 K

pcdlib32.dll Fri Jun 7 2002 3:02:02a A...R 212,480 207.50 K

wdmf.dll Sat May 1 2004 4:13:36p ....R 57,344 56.00 K

 

27 items found: 27 files, 0 directories.

Total of file sizes: 3,631,224 bytes 3.46 M

 

No matches found.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\CTL3DV2.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HLP95EN.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HPZIDR12.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HPZIPR12.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HPZIPT12.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HPZISN12.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFBMP11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFCMP11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFEPS11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFFAX11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFGIF11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFPCD11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFPCX11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFPNG11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFPSD11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFTGA11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFTIF11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFWMF11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LTDIS11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LTFIL11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LTIMG11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LTKRN11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LTWVC11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\MSLS2.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\OCHLP30E.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\PCDLIB32.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\WDMF.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\HEWLET~1\HPZSCR07.DLL

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group NOTEBOOK\None.

User is a member of group \Everyone.

User is a member of group NOTEBOOK\Debugger Users.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x NOTEBOOK\N8 and E

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: NOTEBOOK\N8 and E

 

Primary Group: NOTEBOOK\None

 

 

 

»»»»»»Backups created...»»»»»»

10:45pm up 0 days, 1:52

 

A C:\Beta-Fix\winBackup.hiv

--a-- - - - - - 8,192 06-16-2004 winbackup.hiv

A C:\Beta-Fix\keys1\winkey.reg

--a-- - - - - - 632 06-16-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLsantiÀÿÿÿC

Windows

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

=pswapdisk

TransmissionRetryTimeout

USERProcessHandleQuota

AppInit

DLLsanti

 

**File C:\Beta-Fix\WIN.TXT

**File C:\Beta-Fix\WIN.TXT

ÿÿÿÿÐÿÿÿvk à ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 @ ° Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ?¸| àÿÿÿvk X °ºSpooler2ðÿÿÿy e s Èn àÿÿÿvk € =pswapdisk ° ø 8 h   Ðÿÿÿvk ( R¿TransmissionRetryTimeoutÐÿÿÿvk €' R USERProcessHandleQuota\ àÿÿÿ° ø 8 h   Ð Øÿÿÿvk : H AppInit_DLLsantiÀÿÿÿC : \ W I N D O W S \ S y s t e

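As an added example (not part of the original thread and not code from the Beta-Fix tool), the Python script below shows what the "Performing 16bit string scan" step in the log above is doing. Registry value names such as AppInit_DLLs are stored as 8-bit text in the hive's "vk" (value) cells, while REG_SZ data is stored as UTF-16LE, so an 8-bit dump of the saved hive (winBackup.hiv) renders the DLL path with a space between every letter ("C : \ W I N D O W S \ S y s t e ..."), which is exactly how it appears in the WIN.TXT lines. The hive fragment in the script is constructed to mimic that layout: the vk-header field values, the "anti" slack bytes and the choice of C:\WINDOWS\System32\wdmf.dll as the stored path are assumptions for illustration, not bytes recovered from the poster's machine.

```python
"""Carve 8-bit and UTF-16LE strings from a raw registry-hive fragment.

Added example; not code from the thread or from Beta-Fix.  The sample
bytes are constructed to mimic a 'vk' (value) cell for AppInit_DLLs
followed by its REG_SZ data cell; the field values are illustrative.
"""
import re
import struct

# --- constructed sample ---------------------------------------------------
# Hive cells begin with a 4-byte little-endian size; a negative size marks an
# allocated (in-use) cell.  -40 and -64 render as 'Øÿÿÿ' and 'Àÿÿÿ' in an
# 8-bit dump, which is the look of the WIN.TXT lines in the thread.
_VK_HEADER = struct.pack("<i", -40) + b"vk" + struct.pack(
    "<HIIIHH",
    12,    # name length ("AppInit_DLLs")
    58,    # data length in bytes (28 UTF-16 chars + NUL terminator)
    0,     # data cell offset (placeholder; the data cell follows inline here)
    1,     # value type REG_SZ
    1,     # flags: name stored as 8-bit text
    0,     # spare
)
ASSUMED_DLL_PATH = "C:\\WINDOWS\\System32\\wdmf.dll"   # assumed for illustration
SAMPLE_HIVE_FRAGMENT = (
    _VK_HEADER
    + b"AppInit_DLLs"
    + b"anti"                        # slack bytes padding the 40-byte cell
    + struct.pack("<i", -64)         # size header of the data cell
    + ASSUMED_DLL_PATH.encode("utf-16-le") + b"\x00\x00"   # data + NUL terminator
    + b"\x00\x00"                    # padding to the 64-byte cell
)


def carve_strings(blob: bytes, min_len: int = 6):
    """Return (ascii_strings, utf16le_strings) of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_hits = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    utf16_hits = [m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)]
    return ascii_hits, utf16_hits


def eight_bit_view(blob: bytes) -> str:
    """Render the bytes the way a plain 8-bit string dump does (NUL shown as space)."""
    return blob.decode("latin-1").replace("\x00", " ")


def appinit_indicators(blob: bytes):
    """Flag an AppInit_DLLs value name and any UTF-16LE DLL paths carved nearby."""
    ascii_hits, utf16_hits = carve_strings(blob)
    value_present = any("AppInit_DLLs" in s for s in ascii_hits)
    dll_paths = [s for s in utf16_hits if "\\" in s and s.lower().endswith(".dll")]
    return value_present, dll_paths


if __name__ == "__main__":
    print(eight_bit_view(SAMPLE_HIVE_FRAGMENT))
    print(appinit_indicators(SAMPLE_HIVE_FRAGMENT))
```

Carving the UTF-16LE run is what turns the unreadable dump into a usable indicator: the decoded path is the file to quarantine at boot, and the 8-bit view explains why the log looks garbled rather than broken. Reading the hive copy directly also sidesteps the live registry, where a DLL injected via AppInit_DLLs is already loaded into regedit and any other user32-based tool that tries to inspect it.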

Ok..

Open the Beta-Fix\Keys1< Subfolder.

RightClick on the "MOVEit.bat" file, select>edit.

Copy and paste this line into the blank file:

 

move %WinDir%\System32\WDMF.DLL %SystemDrive%\junkxxx\WDMF.DLL

 

Save the file and close.

 

Get ready to restart!

In the same folder, DoubleClick on the -->"FIX.BAT" file.

You will get an alert of~20 secs before reboot.

Allow it to reboot!

 

On restart, Open the Beta-Fix main folder and

DoubleClick on the ->"RESTORE.BAT" file!

It should run and generate new log!

Post it here! :)

Edited by freeatlast


Hello, I have the same problem, like wineguy: the page about:blank in my Internet Explorer... Also I tried everything to get it out of my computer... HijackThis, CWShredder, Ad-Aware and so on...

I read this from freeatlast and also already downloaded the Beta-Fix program, and now this is the result:

 

Microsoft Windows 2000 [Version 5.00.2195]

The type of the file system is NTFS.

C: is not dirty.

 

11:42am up 0 days, 0:35

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

 

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»Special 'locked' files scan in 'System32'........

**File C:\Beta-Fix\LIST.TXT

 

***This list may contain legitimate files!***

»»»LIST OF ALL FILES IN SYSTEM32 WITH 'R;H;S' Attributes:»»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\WINNT\SYSTEM32\

a3d.dll Wed 14 Jul 1999 3:20:00 A...R 28.672 28,00 K

ctl3dv2.dll Tue 8 May 2001 14:00:00 A...R 27.200 26,56 K

mfc42d.dll Mon 3 Nov 1997 19:43:54 ....R 1.390.080 1,32 M

mfcd42d.dll Wed 19 Jun 1996 9:02:44 ....R 258.560 252,50 K

mfcn42d.dll Wed 19 Jun 1996 9:02:50 ....R 31.232 30,50 K

mfco42d.dll Wed 19 Jun 1996 9:02:32 ....R 777.728 759,50 K

msvcirtd.dll Fri 14 Jun 1996 20:37:26 ....R 90.624 88,50 K

msvcr40d.dll Mon 19 Feb 1996 17:05:22 ....R 444.928 434,50 K

msvcrtd.dll Wed 17 Jun 1998 18:25:00 ....R 385.100 376,07 K

synsoacc.dll Sun 2 Jun 2002 16:29:48 A...R 73.216 71,50 K

 

10 items found: 10 files, 0 directories.

Total of file sizes: 3.507.340 bytes 3,34 M

 

No matches found.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINNT\SYSTEM32\A3D.DLL

Sniffed -> C:\WINNT\SYSTEM32\CTL3DV2.DLL

Sniffed -> C:\WINNT\SYSTEM32\MFC42D.DLL

Sniffed -> C:\WINNT\SYSTEM32\MFCD42D.DLL

Sniffed -> C:\WINNT\SYSTEM32\MFCN42D.DLL

Sniffed -> C:\WINNT\SYSTEM32\MFCO42D.DLL

Sniffed -> C:\WINNT\SYSTEM32\MSVCIRTD.DLL

Sniffed -> C:\WINNT\SYSTEM32\MSVCR40D.DLL

Sniffed -> C:\WINNT\SYSTEM32\MSVCRTD.DLL

Sniffed -> C:\WINNT\SYSTEM32\SYNSOACC.DLL

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read VORDEFINIERT\Benutzer

(IO) ALLOW Read VORDEFINIERT\Benutzer

(NI) ALLOW Read VORDEFINIERT\Hauptbenutzer

(IO) ALLOW Read VORDEFINIERT\Hauptbenutzer

(NI) ALLOW Full access VORDEFINIERT\Administratoren

(IO) ALLOW Full access VORDEFINIERT\Administratoren

(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM

(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM

(NI) ALLOW Full access VORDEFINIERT\Administratoren

(IO) ALLOW Full access ERSTELLER-BESITZER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Full access VORDEFINIERT\Benutzer

Full access VORDEFINIERT\Hauptbenutzer

Full access VORDEFINIERT\Administratoren

Full access NT-AUTORITÄT\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group CAD\Kein.

User is a member of group \Jeder.

User is a member of group VORDEFINIERT\Administratoren.

User is a member of group VORDEFINIERT\Benutzer.

User is a member of group \LOKAL.

User is a member of group NT-AUTORITÄT\INTERAKTIV.

User is a member of group NT-AUTORITÄT\Authentifizierte Benutzer.

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Jeder

 

Owner: VORDEFINIERT\Administratoren

 

Primary Group: CAD\Kein

 

 

 

»»»»»»Backups created...»»»»»»

11:44am up 0 days, 0:37

 

A C:\Beta-Fix\winBackup.hiv

--a-- - - - - - 8,192 06-17-2004 winbackup.hiv

A C:\Beta-Fix\keys1\winkey.reg

--a-- - - - - - 287 06-17-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLs

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Windows

AppInit

DeviceNotSelectedTimeout

GDIProcessHandleQuota

Spooler

swapdisk

TransmissionRetryTimeout

USERProcessHandleQuota

 

**File C:\Beta-Fix\WIN.TXT

**File C:\Beta-Fix\WIN.TXT

àÿÿÿÐ ø @ p   À Øÿÿÿvk € AppInit_DLLs Ðÿÿÿvk ( DeviceNotSelectedTimeoutèÿÿÿ1 5 hõ °õ èõ Ðÿÿÿvk €' GDIProcessHandleQuota àÿÿÿvk ? Spooler ðÿÿÿy e s àÿÿÿvk € swapdiskÐÿÿÿvk ð TransmissionRetryTimeoutðÿÿÿ9 0 `ø Ðÿÿÿvk €' USERProcessHandleQuota Ð ÿÿÿÿ

 

How do I go on now? Please help me!

 

Sorry for my English... I'm German, but the problems may all be the same....

Edited by quattromax

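Added example, not from the thread: the winkey.reg export quoted in the post above shows "AppInit_DLLs"="" and the tool reports the Windows key at its "Default" size of 450, whereas the earlier XP log carried a DLL path in that value. The Python script below parses a REGEDIT4 export of that key and lists the DLLs AppInit_DLLs would load, so an export can be checked mechanically instead of by eye. It is run on the export quoted above and on a constructed infected variant; the path C:\WINDOWS\System32\wdmf.dll is taken from wineguy's log, and writing it into this export is an assumption for illustration only. The parser covers just the value types that appear in the quoted export (quoted strings and dword:); hex(...) binary data and default values are outside its scope. One caveat a practitioner should keep in mind: a DLL listed in AppInit_DLLs is mapped into every process that loads user32.dll, regedit and export tools included, so an export taken from the live system can be tampered with; the raw hive copy is the more trustworthy source.

```python
"""Parse a REGEDIT4 export of the Windows key and list AppInit_DLLs entries.

Added example; not code from the thread or from Beta-Fix.  Handles the
value types present in the quoted export (quoted strings and dword:);
hex(...) binary data and default values (@=) are skipped.
"""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# The export quoted in the post above (clean: AppInit_DLLs is empty).
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
'''

# Constructed variant (assumption for illustration): the same key with the
# DLL path from wineguy's log in AppInit_DLLs.  .reg syntax doubles backslashes.
INFECTED_EXPORT = CLEAN_EXPORT.replace(
    r'"AppInit_DLLs"=""',
    r'"AppInit_DLLs"="C:\\WINDOWS\\System32\\wdmf.dll"',
)

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: (type, data)}} for a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.lower().startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        # other types (hex:, hex(2):, ...) are outside this example's scope
    return keys


def appinit_dlls(text: str) -> list:
    """DLL paths that AppInit_DLLs would load into every user32 process; [] means clean."""
    values = parse_reg_export(text).get(WINDOWS_KEY, {})
    kind, data = values.get("AppInit_DLLs", ("REG_SZ", ""))
    if kind != "REG_SZ":
        return [str(data)]          # unexpected type: report it rather than hide it
    # Windows accepts several entries separated by spaces or commas
    return [p for p in re.split(r"[ ,]+", data) if p]


if __name__ == "__main__":
    print("quoted export :", appinit_dlls(CLEAN_EXPORT))
    print("constructed   :", appinit_dlls(INFECTED_EXPORT))
```

An empty list for the quoted export matches what the tool's size check and string scan reported for that machine; the constructed variant shows the one-line difference that separates the AppInit_DLLs case from an about:blank hijack that lives somewhere else.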

Thanks again for your help!

 

Here is the log from restore.bat:

 

 

8:56pm up 0 days, 0:01

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

*Locked files...

* result\\?\C:\junkxxx\WDMF.DLL

 

»»»LIST OF ALL FILES IN SYSTEM32 WITH 'R;H;S' Attributes:»»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\WINDOWS\SYSTEM32\

ctl3dv2.dll Thu Aug 29 2002 5:00:00a A...R 27,200 26.56 K

hlp95en.dll Thu Jun 20 2002 3:22:42a A...R 31,744 31.00 K

hpzidr12.dll Sun Mar 9 2003 1:31:00p A...R 233,528 228.05 K

hpzipr12.dll Sun Mar 9 2003 1:31:02p A...R 167,936 164.00 K

hpzipt12.dll Sun Mar 9 2003 1:31:02p A...R 94,208 92.00 K

hpzisn12.dll Sun Mar 9 2003 1:31:02p A...R 57,344 56.00 K

lfbmp11n.dll Fri Jun 7 2002 3:02:00a A...R 36,864 36.00 K

lfcmp11n.dll Fri Jun 7 2002 3:02:00a A...R 285,184 278.50 K

lfeps11n.dll Fri Jun 7 2002 3:02:00a A...R 31,232 30.50 K

lffax11n.dll Fri Jun 7 2002 3:02:00a A...R 81,408 79.50 K

lfgif11n.dll Fri Jun 7 2002 3:02:00a A...R 41,472 40.50 K

lfpcd11n.dll Fri Jun 7 2002 3:02:00a A...R 26,112 25.50 K

lfpcx11n.dll Fri Jun 7 2002 3:02:00a A...R 33,280 32.50 K

lfpng11n.dll Fri Jun 7 2002 3:02:00a A...R 172,032 168.00 K

lfpsd11n.dll Fri Jun 7 2002 3:02:00a A...R 56,320 55.00 K

lftga11n.dll Fri Jun 7 2002 3:02:00a A...R 27,648 27.00 K

lftif11n.dll Fri Jun 7 2002 3:02:00a A...R 152,064 148.50 K

lfwmf11n.dll Fri Jun 7 2002 3:02:00a A...R 59,392 58.00 K

ltdis11n.dll Fri Jun 7 2002 3:02:00a A...R 262,656 256.50 K

ltfil11n.dll Fri Jun 7 2002 3:02:00a A...R 118,784 116.00 K

ltimg11n.dll Fri Jun 7 2002 3:02:02a A...R 127,488 124.50 K

ltkrn11n.dll Fri Jun 7 2002 3:02:02a A...R 392,192 383.00 K

ltwvc11n.dll Fri Jun 7 2002 3:02:02a A...R 716,288 699.50 K

msls2.dll Thu Jun 20 2002 3:19:12a A...R 91,136 89.00 K

ochlp30e.dll Thu Jun 20 2002 3:19:18a A...R 37,888 37.00 K

pcdlib32.dll Fri Jun 7 2002 3:02:02a A...R 212,480 207.50 K

 

26 items found: 26 files, 0 directories.

Total of file sizes: 3,573,880 bytes 3.41 M

 

No matches found.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»» Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\JUNKXXX\WDMF.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\CTL3DV2.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HLP95EN.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HPZIDR12.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HPZIPR12.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HPZIPT12.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HPZISN12.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFBMP11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFCMP11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFEPS11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFFAX11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFGIF11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFPCD11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFPCX11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFPNG11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFPSD11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFTGA11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFTIF11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LFWMF11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LTDIS11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LTFIL11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LTIMG11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LTKRN11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\LTWVC11N.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\MSLS2.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\OCHLP30E.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\PCDLIB32.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\HEWLET~1\HPZSCR07.DLL

 

 

Search text: ÝSTREAMINGDEVICESETUP2Þ ®CASE Insensitive Match

Searching ==>C:\JUNKXXX\WDMF.DLL

Run Time(sec) 0

**File C:\JUNKXXX\WDMF.DLL

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

move %WinDir%\System32\WDMF.DLL %SystemDrive%\junkxxx\WDMF.DLL-ra-- W32i - - - - 57,344 05-01-2004 wdmf.dll

A R C:\junkxxx\WDMF.DLL

File: <C:\junkxxx\WDMF.DLL>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

 

C:\JUNKXXX\

wdmf.dll Sat May 1 2004 4:13:36p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

C:\junkxxx\WDMF.DLL Everyone:(special access:)

 

SYNCHRONIZE

FILE_EXECUTE

 

BUILTIN\Administrators:F

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Permissions:

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x NOTEBOOK\N8 and E

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: NOTEBOOK\N8 and E

 

Primary Group: NOTEBOOK\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: NT AUTHORITY\SYSTEM

 

File "C:\junkxxx\WDMF.DLL"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

 

Owner: NOTEBOOK\N8 and E

 

Primary Group: NOTEBOOK\None

 

 

---------- WIN.TXT

AppInit_DLLsantiÀÿÿÿC

 

---------- NEWWIN.TXT

AppInit_DLLsecte¸

**File C:\Beta-Fix\NEWWIN.TXT

ame=Ðÿÿÿvk à ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 @ ° Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ?¸| àÿÿÿvk X °ºSpooler2ðÿÿÿy e s Èn àÿÿÿvk € =pswapdisk ° ø 8 h   Ðÿÿÿvk ( R¿TransmissionRetryTimeoutÐÿÿÿvk €' R USERProcessHandleQuota\ àÿÿÿ° ø 8 h   Ð Øÿÿÿvk € S AppInit_DLLsecte¸

**File C:\Beta-Fix\NEWWIN.TXT

00001338: 01 00 00 00 01 00 53 00 . 5F 44 4C 4C 73 65 63 74 ......S. _DLLsect

**File C:\Beta-Fix\NEWWIN.TXT

ame=Ðÿÿÿvk à ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 @ ° Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ?¸| àÿÿÿvk X °ºSpooler2ðÿÿÿy e s Èn àÿÿÿvk € =pswapdisk ° ø 8 h   Ðÿÿÿvk ( R¿TransmissionRetryTimeoutÐÿÿÿvk €' R USERProcessHandleQuota\ àÿÿÿ° ø 8 h   Ð Øÿÿÿvk € S AppInit_DLLsecte¸
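As an added example (not part of the original thread, the Beta-Fix tool, or any poster's own code), here is a small Python parser for the permission rows printed in the dump above. It decodes the hex Mask column with the standard winnt.h access bits, drops inherit-only entries (which shape future children, not the object itself), and reports which principals outside Administrators/SYSTEM hold any write-class right, plus who can execute the DLL. The row layout (Type, Flags, Inh., Mask, Gen., Std., File, principal) is assumed from the dump itself, and the set of "trusted" principals is this example's choice; the sample input is copied from the rows shown above.

```python
import re
from dataclasses import dataclass

# Access-mask bits from winnt.h, used to decode the hex "Mask" column of the dump.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x1, 0x2, 0x4
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x8, 0x10, 0x20
FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x40, 0x80, 0x100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000

NAMED_BITS = [
    (FILE_READ_DATA, "FILE_READ_DATA"), (FILE_WRITE_DATA, "FILE_WRITE_DATA"),
    (FILE_APPEND_DATA, "FILE_APPEND_DATA"), (FILE_READ_EA, "FILE_READ_EA"),
    (FILE_WRITE_EA, "FILE_WRITE_EA"), (FILE_EXECUTE, "FILE_EXECUTE"),
    (FILE_DELETE_CHILD, "FILE_DELETE_CHILD"), (FILE_READ_ATTRIBUTES, "FILE_READ_ATTRIBUTES"),
    (FILE_WRITE_ATTRIBUTES, "FILE_WRITE_ATTRIBUTES"), (DELETE, "DELETE"),
    (READ_CONTROL, "READ_CONTROL"), (WRITE_DAC, "WRITE_DAC"), (WRITE_OWNER, "WRITE_OWNER"),
    (SYNCHRONIZE, "SYNCHRONIZE"), (GENERIC_ALL, "GENERIC_ALL"), (GENERIC_WRITE, "GENERIC_WRITE"),
]
FULL_CONTROL = 0x001F01FF   # the "DSPO rw+x" rows in the dump
READ_EXECUTE = 0x001200A9   # the "-S-- r--x" rows in the dump

# Any of these lets the holder change the object, its content or its security descriptor.
WRITE_BITS = (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
              | FILE_DELETE_CHILD | DELETE | WRITE_DAC | WRITE_OWNER | GENERIC_ALL | GENERIC_WRITE)
INHERIT_ONLY_ACE = 0x8      # ACE flag: entry applies to children only, not to this object

# Principals expected to hold full control (example's choice); anyone else with write rights is reported.
TRUSTED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}

HEADER_RE = re.compile(r'^(?:Directory|File) "(.+)"$')
ACE_RE = re.compile(r"^(Allow|Deny)\s+([0-9A-Fa-f]{8})\s+\S{4}\s+([0-9A-Fa-f]{8})\s+\S{4}\s+\S{4}\s+\S{4}\s+(.+?)\s*$")


@dataclass
class Ace:
    kind: str       # "Allow" or "Deny"
    flags: int      # ACE inheritance flags (hex "Flags" column)
    mask: int       # access mask (hex "Mask" column)
    principal: str  # "DOMAIN\Name" exactly as the tool printed it


def parse_ace(line):
    """Parse one ACE row; return None for headers, separators, Owner lines and blanks."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    return Ace(m.group(1), int(m.group(2), 16), int(m.group(3), 16), m.group(4))


def parse_dump(text):
    """Group ACE rows under the 'Directory "..."' / 'File "..."' header that precedes them."""
    objects, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line.strip())
        if h:
            current = h.group(1)
            objects[current] = []
            continue
        ace = parse_ace(line)
        if ace and current is not None:
            objects[current].append(ace)
    return objects


def describe_mask(mask):
    """Human-readable name for a mask: the two common aggregates, else the individual bits."""
    if mask == FULL_CONTROL:
        return "Full control"
    if mask == READ_EXECUTE:
        return "Read & execute"
    return "|".join(name for bit, name in NAMED_BITS if mask & bit) or "none"


def effective(aces):
    """ACEs that apply to the object itself (inherit-only entries are skipped)."""
    return [a for a in aces if not a.flags & INHERIT_ONLY_ACE]


def untrusted_writers(objects):
    """Per object: principals outside TRUSTED allowed any write-class right, with their combined mask."""
    report = {}
    for name, aces in objects.items():
        writers = {}
        for a in effective(aces):
            if a.kind == "Allow" and a.mask & WRITE_BITS and a.principal not in TRUSTED:
                writers[a.principal] = writers.get(a.principal, 0) | a.mask
        report[name] = writers
    return report


def who_can(objects, name, bit):
    """Principals allowed a given right on one object, in ACL order, without duplicates."""
    seen = []
    for a in effective(objects[name]):
        if a.kind == "Allow" and a.mask & bit and a.principal not in seen:
            seen.append(a.principal)
    return seen


# Sample input: the rows for C:\junkxxx\. and WDMF.DLL copied from the dump in the thread.
SAMPLE_DUMP = r'''
Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NOTEBOOK\N8 and E
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: NOTEBOOK\N8 and E
File "C:\junkxxx\WDMF.DLL"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Owner: NOTEBOOK\N8 and E
'''

if __name__ == "__main__":
    objs = parse_dump(SAMPLE_DUMP)
    for name, writers in untrusted_writers(objs).items():
        print(name)
        for who, mask in writers.items():
            print(f"  write-class rights for {who}: {describe_mask(mask)}")
    print("can execute WDMF.DLL:", who_can(objs, r"C:\junkxxx\WDMF.DLL", FILE_EXECUTE))
```

Run as-is, it shows that on the directory the logged-on user holds full control and BUILTIN\Users can add files and subdirectories (the two single-bit ACEs), while the quarantined DLL itself is writable only by Administrators and executable by Everyone. The same decoding applies to any other object the tool dumps; the Gen./Std./File letter columns are ignored because the hex mask already carries the full information.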


Wonderful progress, 'wineguy'! :thumbsup:

Last step, open the Beta-Fix\Files2 subfolder!

Run the -> "ZIPZAP.bat" file.

It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions: simply drag and drop the 'junkxxx.zip' file from the folder into the mail message and submit to the specified addresses!

When done, delete the entire Beta-Fix file+folder(s) and check if the C:\junkxxx folder is deleted as well; otherwise delete it (I don't remember if your version moved it as well, since I updated since).

As for the remains, run any and all removal tools once again, as they should work properly now! In particular, CWShredder and fully updated Ad-Aware!

Feel free to post a follow-up hijackthis log when done! :)

- - - - - - - - - - - -- - - - - - - - - - - -- - - - - - - - - - - -- - - - - - - - - - - -- - - - - - -

*Note to 'quattromax' above...

Your log doesn't expose any signs of the same infection. I'm not certain if that's because you're running a non-English version of Windows or what the actual status is.

As opposed to 'jumping in' to someone else's thread, read the FAQs above, start your own topic and post your hijackthis log.


Hallelujah and thank you so much. It appears to be gone and performance on my computer has improved 200%. Here is my follow-up HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:30:35 PM, on 6/20/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Toshiba Controls\CpRmtKey.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\EzButton\CplBTQ00.EXE

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Handspring\HOTSYNC.EXE

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\toshiba\ivp\ism\ivpsvmgr.exe

C:\Program Files\Microsoft ActiveSync\WCESMgr.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baronesswines.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baronesswines.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [workflo] D:\install\workflow.exe

O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE

O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Thank you once again. I could not have figured this out without you.
