about:blank log


  • This topic is locked
17 replies to this topic

#1 kinger

kinger

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 22 June 2004 - 04:30 PM

Hey guys/gals,

New here. I have been studying all the posts that seem to have this problem. Here is my hijack log, any help would be MUCHO appreciated! Also what are you gurus looking for in these logs? THANKS!

Logfile of HijackThis v1.97.7
Scan saved at 4:20:25 PM, on 6/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\RCSERV.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Adjust Screen Saver Settings\AdjustScreenSaverSettings.exe
C:\Program Files\JK Off'97\Office\OSA.EXE
C:\Program Files\XTNDConnect Server\Proxy\ConnectProxy.exe
C:\Program Files\Lotus\Notes\NLNOTES.EXE
C:\Program Files\Lotus\Notes\ntaskldr.EXE
C:\WINNT\system32\control.exe
C:\WINNT\system32\control.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\a02m6zz.USAC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by 3M/IE 6.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = corpproxy1.mmm.com:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mmm.com;*.3m.com;*.3mhis.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2272C819-19F4-4A41-8CE2-F45B2ED2CC1C} - C:\WINNT\system32\eajlo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [SwdisUsrPCN.w38275] "C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [UFT] C:\UFT.exe
O4 - HKLM\..\Run: [3MTivoliMaint] WScript.exe C:\GESM\Logon\3MTivoliMaintScript.VBS \\ADUSAC-144\netlogon\SysMgmt\
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Shortcut to ConnectProxy.exe.lnk = C:\Program Files\XTNDConnect Server\Proxy\ConnectProxy.exe
O4 - Global Startup: Adjust Screen Saver Settings Utility.lnk = C:\Program Files\Adjust Screen Saver Settings\AdjustScreenSaverSettings.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\JK Off'97\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\JK Off'97\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: LotusMenu - http://3msource.mmm....nu/menudisp.cab
O16 - DPF: {0C528348-18DC-4ECE-819B-624E226028DA} (Frontier.Frontier_Launcher) - http://intranet.mmm....am_launcher.CAB
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.co...ad/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7581.2959259259
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.kolbe.com...sses/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://themeetingso...bex/ieatgpc.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = usac.mmm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{06ECA998-1092-4B0C-9532-1408F2E93ADF}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{1630C2E6-5154-4846-A965-E79921A3649A}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{32D75AE9-2406-4904-A166-B152B0CF248E}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{46004F7A-FB62-4339-BA1C-BB0240A8700A}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{46C165BB-799E-4969-977E-DB242ED56B0B}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2CE127-A96A-4F33-AE41-632E0C9BF991}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2CE127-A96A-4F33-AE41-632E0C9BF991}: NameServer = 165.152.204.21,169.10.8.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{76EB54DF-C7A8-4A9E-9F81-C7EAA0FCDA7C}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B7C07B-1E2E-49B6-98FB-2398A0FB4A28}: Domain = mmm.com.
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = usac.mmm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{06ECA998-1092-4B0C-9532-1408F2E93ADF}: Domain = mmm.com.
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = usac.mmm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{06ECA998-1092-4B0C-9532-1408F2E93ADF}: Domain = mmm.com.

#2 kinger

Posted 22 June 2004 - 07:58 PM

Bump

#3 kinger

Posted 22 June 2004 - 08:14 PM

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2272C819-19F4-4A41-8CE2-F45B2ED2CC1C} - C:\WINNT\system32\eajlo.dll

C:\Program Files\Adobe\Acrobat 6.0

These look the most suspicious, don't you think?

#4 sights0d

sights0d

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 22 June 2004 - 08:53 PM

Forget about running hijack this to fix it. I thought I had it licked and it did me no good. Try running Ad-Aware (available from download.com, although their servers are a bit busy now) and it should solve it. Worked for me.

#5 kinger

Posted 23 June 2004 - 08:08 AM

Yeah it takes care of it for a while, then it comes back. This is a pesky one :grrr:

#6 Fryguy

Fryguy

    Member

  • New Member
  • Pip
  • 1 posts

Posted 23 June 2004 - 08:20 AM

I have the same problem. I am running Hijack Blaster and at random intervals it will go off saying it is changing my home page to sp.html and that there is a dll file acting as a dll. I refuse the change and I find the sp.html under c:/documents and settings/administrator/local settings/temp and delete it. I find the dll, whose name changes with every new hijack attempt, under c:/winnt/system32 - I am running Win 2000 Pro - (I have the dir sorted by date modified so this file is the first in the list and shows that it was created the second the hijack occurred) and delete that. I run Hijack this and remove the offending entries and think I am safe. But it comes back.

I will try Ad-Aware and see if that helps, but I doubt it.

Please Help Us oh Wise Ones!!!!

Ryan

#7 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 23 June 2004 - 08:20 AM

Download and install : "Beta-Fix.exe" from
the 'Find-all page' link in my signature.

Run the "!LOG!.bat" file, post the results.
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#8 kinger

Posted 23 June 2004 - 12:03 PM

Here you go, thanks for your help!


Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is NTFS.
C: is not dirty.

Wed 06/23/2004
12:00am up 0 days, 3:59
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...


C:\WINNT\System32\CTLAPMM.DLL +++ File read error
\\?\C:\WINNT\System32\CTLAPMM.DLL +++ File read error
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\Beta-Fix\LIST.TXT
CTLAPMM.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\WINNT\SYSTEM32\
ctlapmm.dll Fri Jun 18 2004 8:19:14p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\CTLAPMM.DLL

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
no access BUILTIN\Users
no access BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group USAC\Domain Users.
User is a member of group \Everyone.
User is a member of group BUILTIN\Users.
User is a member of group BUILTIN\Administrators.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.
User is a member of group USAC\FYDC Supervisor.
User is a member of group USAC\CA-AllUsers.
User is a member of group USAC\FYDC Engineers.
User is a member of group USAC\GLS SYSMGMT SYSMGMT.
User is a member of group USAC\SCS LPA FWSR R.
User is a member of group USAC\GLS SYSMGMT NestedSysMgmt15.
User is a member of group USAC\SCS WMSPROJ M.
User is a member of group USAC\GLS FYDC Default.
User is a member of group USAC\SCS DORESULTS M.
User is a member of group USAC\FYDC MgtTeam.
User is a member of group USAC\A02M6ZZ.
User is a member of group USAC\GLS SYSMGMT SYSMGMT.
User is a member of group USAC\FYDC MgtTeam.
User is a member of group USAC\SCS DORESULTS M.
User is a member of group USAC\FYDC Engineers.
User is a member of group USAC\SCS LPA FWSR R.
User is a member of group USAC\SCS WMSPROJ M.
User is a member of group USAC\GLS FYDC Default.
User is a member of group USAC\FYDC Supervisor.
User is a member of group USAC\CA-RegMaterialApps_R.
User is a member of group USAC\MMM_MASTER$_R.
User is a member of group USAC\CA-ADO_Files.
User is a member of group USAC\CA-SOD_R.
User is a member of group USAC\CA-LAPMApps_R.
User is a member of group USAC\CA-CORPAPPL_R.
User is a member of group USAC\CA-SCS_Web_U.
User is a member of group USAC\CA-PACKAGING_R.
User is a member of group USAC\CA-TorontoDCApps_R.
User is a member of group USAC\CA-ExportOpApps_R.
User is a member of group USAC\CA-CustomApps_R.
User is a member of group USAC\CA-TransportApps_R.
User is a member of group USAC\CA-DecAnalysis_R.
User is a member of group USAC\CA-FinancLookup_R.
User is a member of group USAC\CA-LABELRM_R.
User is a member of group USAC\CA-LAPMWeb_R.
User is a member of group USAC\CA-ADConversion_R.
User is a member of group USAC\CA-CustomApps_R.
User is a member of group USAC\CA-DecAnalysis_R.
User is a member of group USAC\CA-ExportOpApps_R.
User is a member of group USAC\CA-FinancLookup_R.
User is a member of group USAC\CA-LABELRM_R.
User is a member of group USAC\CA-LAPMApps_R.
User is a member of group USAC\CA-RegMaterialApps_R.
User is a member of group USAC\CA-TorontoDCApps_R.
User is a member of group USAC\CA-TransportApps_R.
User is a member of group USAC\CA-ADO_Files.
User is a member of group USAC\CA-SOD_R.
User is a member of group USAC\CA-CORPAPPL_R.
User is a member of group USAC\CA-LAPMWeb_R.
User is a member of group USAC\CA-PACKAGING_R.
User is a member of group USAC\MMM_MASTER$_R.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: USAC\Domain Users



»»»»»»Backups created...»»»»»»
12:01am up 0 days, 4:00
Wed 06/23/2004

A C:\Beta-Fix\winBackup.hiv
--a-- - - - - - 8,192 06-23-2004 winbackup.hiv
A C:\Beta-Fix\keys1\winkey.reg
--a-- - - - - - 287 06-23-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLs0
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
DLLs0
DeviceNotSelectedTimeout
GDIProcessHandleQuota
Spooler
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota0
2CMVa
InfPath
0CMVa
Characteristics
.CMVa
NetCfgInstanceId
,CMVa
MatchingDeviceId$
*CMVa
DriverDate
(CMVa
ProviderName
&CMVa
InfPath
$CMVa
!SeAc

**File C:\Beta-Fix\WIN.TXT
         ŕ˙˙˙Đ 8 € ° ŕ  @ Ř˙˙˙vk < ř   , AppInit_DLLs0 0 Ŕ˙˙˙C : \ W I N N T \ s y s t e m 3 2 \ c t l a p m m . d l l Đ˙˙˙vk  h   0 DeviceNotSelectedTimeoutč˙˙˙1 5  `ĺ °ĺ čĺ Đ˙˙˙vk  €'   e GDIProcessHandleQuota 3 ŕ˙˙˙vk  Đ   f Spooler đ˙˙˙y e s 6 9 ŕ˙˙˙vk  €   , swapdiskĐ˙˙˙vk  0   5 TransmissionRetryTimeoutđ˙˙˙9 0  `č Đ˙˙˙vk  €'   0 USERProcessHandleQuota0 ? ˙˙˙˙”ů‹ă   Ŕę2C


#9 freeatlast

Posted 23 June 2004 - 02:24 PM

Well done!
Your bad file is positively identified on all counts!

Follow the next set of steps carefully:



-Open the Beta-Fix\Keys1 Subfolder!
-Right-Click on the "MOVEit.bat" file, select->edit:
That will open the file as an empty text file.
-Copy and paste the entire highlighted line in the quote box
(all one line) into that blank file:

move %WinDir%\System32\CTLAPMM.DLL %SystemDrive%\junkxxx\CTLAPMM.DLL


-Save the file and close.

--Get ready to restart your computer:
-In the same folder, DoubleClick on the "FIX.bat" file.
You will be prompted by popup -Alert with 15 seconds
to restart.
-Allow it to restart!

-On restart, Navigate to:
C:\Beta-Fix\ main folder:
-DoubleClick on the "RESTORE.bat" file.

It'll run and produce a new log (log1.txt); post it here!
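
Added example (not part of the original thread or of the Beta-Fix tool): the Beta-Fix log in post #8 shows the REGEDIT4 export of the Windows key with "AppInit_DLLs"="" while the raw dump of the same key still contains the path to ctlapmm.dll as spaced-out 16-bit text. The Python sketch below checks for that mismatch with a strings-style scan; the function names and the byte fragment are constructed for illustration, and the fragment is not a valid registry hive.

```python
import re

# REGEDIT4 export lines as they appear in the Beta-Fix log in this thread.
REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
'''


def make_fragment(dll_path):
    """Constructed bytes that imitate the dump in the log: ASCII value names,
    UTF-16LE string data, arbitrary filler in between. Not a real hive."""
    appinit = b"\xd8\xff\xff\xffvk\x0c\x00AppInit_DLLs\xc0\xff\xff\xff"
    data = dll_path.encode("utf-16-le") + b"\x00\x00"
    other = (b"\xd0\xff\xff\xffvk\x18\x00DeviceNotSelectedTimeout"
             b"\xe8\xff\xff\xff" + "15".encode("utf-16-le") + b"\x00\x00")
    return appinit + data + other


def exported_values(reg_text):
    """Parse "name"="string" pairs from a REGEDIT4 export (string values only)."""
    pairs = re.findall(r'^"([^"]+)"="(.*)"[ \t]*$', reg_text, flags=re.M)
    # .reg files double every backslash inside string data.
    return {name: value.replace("\\\\", "\\") for name, value in pairs}


def utf16_strings(raw, min_chars=6):
    """Return runs of printable ASCII stored as UTF-16LE (char, 0x00 pairs)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(raw)]


def hidden_appinit(reg_text, raw):
    """DLL paths found in the raw key bytes that the export does not list.

    Heuristic: assumes `raw` holds only the Windows key, as the small backup
    hive in the log does, so any UTF-16 *.dll string is treated as a candidate.
    """
    if b"AppInit_DLLs" not in raw:
        return []
    exported = exported_values(reg_text).get("AppInit_DLLs", "")
    # AppInit_DLLs is a space- or comma-delimited list of DLLs.
    listed = {p.lower() for p in re.split(r"[ ,]+", exported) if p}
    candidates = [s for s in utf16_strings(raw) if s.lower().endswith(".dll")]
    return [s for s in candidates if s.lower() not in listed]


if __name__ == "__main__":
    infected = make_fragment(r"C:\WINNT\system32\ctlapmm.dll")
    cleaned = make_fragment("")
    print("before fix:", hidden_appinit(REG_EXPORT, infected))
    print("after fix: ", hidden_appinit(REG_EXPORT, cleaned))
```

A non-empty result means the export and the raw key contents disagree, which is the condition the log above reports for this machine.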

#10 kinger

Posted 23 June 2004 - 04:16 PM

Thanks again! Here is the log1.txt:



Wed 06/23/2004
4:13pm up 0 days, 0:03

Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is NTFS.
C: is not dirty.

*Locked files...
* result\\?\C:\junkxxx\CTLAPMM.DLL

»»»Filtering files in System32.......( 'R;H;S') »»»
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

No matches found.

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\JUNKXXX\
ctlapmm.dll Fri Jun 18 2004 8:19:14p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\CTLAPMM.DLL


Search text: ÝSTREAMINGDEVICESETUP2Ţ ®CASE Insensitive Match
Searching ==>C:\JUNKXXX\CTLAPMM.DLL
Run Time(sec) 0
**File C:\JUNKXXX\CTLAPMM.DLL
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ŕ.

move %WinDir%\System32\CTLAPMM.DLL %SystemDrive%\junkxxx\CTLAPMM.DLL
-ra-- W32i - - - - 57,344 06-18-2004 ctlapmm.dll
A R C:\junkxxx\CTLAPMM.DLL
File: <C:\junkxxx\CTLAPMM.DLL>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




»»Permissions:
C:\junkxxx\CTLAPMM.DLL Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE

BUILTIN\Administrators:F

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: BUILTIN\Administrators

Primary Group: USAC\Domain Users

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators

File "C:\junkxxx\CTLAPMM.DLL"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: BUILTIN\Administrators

Primary Group: USAC\Domain Users


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
no access BUILTIN\Users
no access BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
AppInit_DLLs0

---------- NEWWIN.TXT
AppInit_DLLs0
**File C:\Beta-Fix\NEWWIN.TXT
       
**File C:\Beta-Fix\NEWWIN.TXT
00001330: 01 00 00 00 01 00 2C 00 . 5F 44 4C 4C 73 30 00 30 ......,. _DLLs0.0
**File C:\Beta-Fix\NEWWIN.TXT
        ŕ˙˙˙Đ  H € ¨ č  Đ˙˙˙vk     0 DeviceNotSelectedTimeoutč˙˙˙1 5  `ĺ °ĺ čĺ Đ˙˙˙vk  €'   e GDIProcessHandleQuota 3 Ř˙˙˙vk  p   f Spooler Y o m đ˙˙˙y e s 6 9 Ř˙˙˙vk  €   , swapdiskc o m Đ˙˙˙vk  Ř   5 TransmissionRetryTimeoutđ˙˙˙9 0  `č Đ˙˙˙vk  €'   0 USERProcessHandleQuota0 Ř˙˙˙vk  €   , AppInit_DLLs0 0 Ŕ ˙˙˙˙

#11 freeatlast

Posted 23 June 2004 - 04:26 PM

Great progress! :thumbsup:

Last step(s):


-Open the Beta-Fix\Files2 Subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses!

When done, Delete the entire 'beta-Fix' file+folder(s)
From C:\


As for the remains, run any and all
removal tools once again as they should work properly now!
In particular, CWShredder and fully updated Ad-Aware!
Feel free to post follow up hijackthis log when done! :)

#12 kinger

Posted 24 June 2004 - 10:47 AM

Here goes. Thanks again. I have my web page back for the time being but hijack this is still showing the about:blank listed in the R1 categories. Is it gone for good? I'm thinking not. Thanks for your help so far:

Logfile of HijackThis v1.97.7
Scan saved at 10:44:46 AM, on 6/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\RCSERV.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Adjust Screen Saver Settings\AdjustScreenSaverSettings.exe
C:\Program Files\JK Off'97\Office\OSA.EXE
C:\Program Files\XTNDConnect Server\Proxy\ConnectProxy.exe
C:\Documents and Settings\a02m6zz.USAC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://3msource.mmm.com/wps/portal
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\A02M6Z~1.USA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by 3M/IE 6.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = corpproxy1.mmm.com:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mmm.com;*.3m.com;*.3mhis.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [SwdisUsrPCN.w38275] "C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [UFT] C:\UFT.exe
O4 - HKLM\..\Run: [3MTivoliMaint] WScript.exe C:\GESM\Logon\3MTivoliMaintScript.VBS \\ADUSAC-144\netlogon\SysMgmt\
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Shortcut to ConnectProxy.exe.lnk = C:\Program Files\XTNDConnect Server\Proxy\ConnectProxy.exe
O4 - Global Startup: Adjust Screen Saver Settings Utility.lnk = C:\Program Files\Adjust Screen Saver Settings\AdjustScreenSaverSettings.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\JK Off'97\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\JK Off'97\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: LotusMenu - http://3msource.mmm....nu/menudisp.cab
O16 - DPF: {0C528348-18DC-4ECE-819B-624E226028DA} (Frontier.Frontier_Launcher) - http://intranet.mmm....am_launcher.CAB
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.co...ad/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7581.2959259259
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.kolbe.com...sses/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://themeetingso...bex/ieatgpc.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = usac.mmm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{06ECA998-1092-4B0C-9532-1408F2E93ADF}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{1630C2E6-5154-4846-A965-E79921A3649A}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{32D75AE9-2406-4904-A166-B152B0CF248E}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{46004F7A-FB62-4339-BA1C-BB0240A8700A}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{46C165BB-799E-4969-977E-DB242ED56B0B}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2CE127-A96A-4F33-AE41-632E0C9BF991}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2CE127-A96A-4F33-AE41-632E0C9BF991}: NameServer = 165.152.204.21,169.10.8.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{76EB54DF-C7A8-4A9E-9F81-C7EAA0FCDA7C}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B7C07B-1E2E-49B6-98FB-2398A0FB4A28}: Domain = mmm.com.
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = usac.mmm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{06ECA998-1092-4B0C-9532-1408F2E93ADF}: Domain = mmm.com.
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = usac.mmm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{06ECA998-1092-4B0C-9532-1408F2E93ADF}: Domain = mmm.com.

#13 freeatlast

Posted 24 June 2004 - 11:49 AM

Fix all the pointed entries in hijackthis:

*ALL R1/R0/O6 - lines.

Go to start/run/type:
%temp%

Clear the entire contents of temp folder.
(One or 2 files may be in use, which you can ignore)

Restart your computer and post a follow up log.

Problem is gone. These are just leftovers... ;)

Edited by freeatlast, 24 June 2004 - 11:52 AM.


#14 kinger

Posted 24 June 2004 - 01:10 PM

Wow, thanks for your help, it seems to have cured my problem for now, but my "Tools" bar on IE6 is still only showing 3 options, "mail and news", "Synchronize", and "Internet Options". Shouldn't I have more? I swear I had more before the hijacking? Anyway thanks for the help and here is my 'hopefully' last hijack log!

Logfile of HijackThis v1.97.7
Scan saved at 1:04:16 PM, on 6/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\RCSERV.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Adjust Screen Saver Settings\AdjustScreenSaverSettings.exe
C:\Program Files\JK Off'97\Office\OSA.EXE
C:\Program Files\XTNDConnect Server\Proxy\ConnectProxy.exe
C:\Documents and Settings\a02m6zz.USAC\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://3msource.mmm.com/wps/portal
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [SwdisUsrPCN.w38275] "C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [UFT] C:\UFT.exe
O4 - HKLM\..\Run: [3MTivoliMaint] WScript.exe C:\GESM\Logon\3MTivoliMaintScript.VBS \\ADUSAC-02\netlogon\SysMgmt\
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Shortcut to ConnectProxy.exe.lnk = C:\Program Files\XTNDConnect Server\Proxy\ConnectProxy.exe
O4 - Global Startup: Adjust Screen Saver Settings Utility.lnk = C:\Program Files\Adjust Screen Saver Settings\AdjustScreenSaverSettings.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\JK Off'97\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\JK Off'97\Office\OSA.EXE
O16 - DPF: LotusMenu - http://3msource.mmm....nu/menudisp.cab
O16 - DPF: {0C528348-18DC-4ECE-819B-624E226028DA} (Frontier.Frontier_Launcher) - http://intranet.mmm....am_launcher.CAB
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.co...ad/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7581.2959259259
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.kolbe.com...sses/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://themeetingso...bex/ieatgpc.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = usac.mmm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{06ECA998-1092-4B0C-9532-1408F2E93ADF}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{1630C2E6-5154-4846-A965-E79921A3649A}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{32D75AE9-2406-4904-A166-B152B0CF248E}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{46004F7A-FB62-4339-BA1C-BB0240A8700A}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{46C165BB-799E-4969-977E-DB242ED56B0B}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2CE127-A96A-4F33-AE41-632E0C9BF991}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2CE127-A96A-4F33-AE41-632E0C9BF991}: NameServer = 165.152.204.21,169.10.8.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{76EB54DF-C7A8-4A9E-9F81-C7EAA0FCDA7C}: Domain = mmm.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B7C07B-1E2E-49B6-98FB-2398A0FB4A28}: Domain = mmm.com.
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = usac.mmm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{06ECA998-1092-4B0C-9532-1408F2E93ADF}: Domain = mmm.com.
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = usac.mmm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{06ECA998-1092-4B0C-9532-1408F2E93ADF}: Domain = mmm.com.

#15 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 24 June 2004 - 01:31 PM

All's well as expected! :D

As for the "tools" issue, that's exactly what I have there +
third-party links if installed (not by default).

In addition to "show related links" which is part of
Alexa/MSN search but detected as spyware by Ad-Aware
and similar scanners.
Alexa was cleared of most privacy allegations
and can be ignored in the scan results.
I assume your removal tools
removed it, you can reset IE options to defaults:
Programs->Reset Web settings
Advanced->Restore defaults.

Stay out of trouble :cool:

#16 kinger

kinger

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 24 June 2004 - 03:43 PM

Awesome, thanks so much for your help. You should write a how-to and make it a sticky, I see you replied to others with the exact same words as this thread. Save ya some typing :-) Thanks again, you're a lifesaver.

BTW where does that e-mail I sent go to?

#17 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 24 June 2004 - 03:52 PM

My pleasure! :D

Email goes to my ever-growing pests collection & tests lab :weee:

#18 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 27 June 2004 - 11:56 AM

Glad we could help :D



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.