mag00

CWS.Searchx

13 posts in this topic

First, my apologies for my horrible English. Please forgive my errors in words and my writing.

 

i will try to explain this

I've had this problem for a week already.

 

my configuration is:

Windows XP Professional (all updates installed from Windows Update, except for DirectX 9.0)

servicepack 1a

blackICE 3.5 firewall

norton systemworks

ad-aware 6.0

 

I've used CWShredder 1.59 and it removed this stupid malicious code, but it always returns.

 

my log generated by hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 00:28:36, on 23/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\Program Files\ISS\BlackICE\blackd.exe
D:\Program Files\ISS\BlackICE\blackice.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\f@h2\fah4console.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\Program Files\f@h\fah4console.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\ISS\BlackICE\rapapp.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\Program Files\f@h\FahCore_79.exe
D:\Program Files\f@h2\FahCore_78.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\hjk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FBEE2F9-65E5-4AB8-B2D9-0A493FB66EE7} - D:\WINDOWS\System32\ejopdha.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to start.lnk = D:\Program Files\f@h2\start.bat
O4 - Global Startup: Shortcut to start2.lnk = D:\Program Files\f@h\start2.bat
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\mag00\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38141.7091898148
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C49E9EBB-2772-4707-8434-D9DB3D3971FB}: NameServer = 200.204.0.10

 

i'm going crazy with this! :grrr:

 

Please, if someone helps me I'll be very thankful.


[Restart the Machine]

 

As a first thing, run HijackThis and fix the following:

Make sure that you don't open any other application window

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O17 - HKLM\System\CCS\Services\Tcpip\..\{C49E9EBB-2772-4707-8434-D9DB3D3971FB}: NameServer = 200.204.0.10

 

[Clean the Temporary files]

 

Start > Run > type cleanmgr

Select C: drive and clean all the temporary files

 

 

I suspect the following one:

 

O2 - BHO: (no name) - {3FBEE2F9-65E5-4AB8-B2D9-0A493FB66EE7} - D:\WINDOWS\System32\ejopdha.dll

 

Go to D:\WINDOWS\System32 and select the file ejopdha.dll

right click and Properties > Version Tab.

 

Check the Company Name and Description and all, if it does look like legitimate for you take a back up of the file and fix the same in Hijack this and also delete the file from D:\WINDOWS\System32\

 

Except for the above your log file is pretty clean.
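The manual triage in the post above (IE search values pointing at a file in Temp, plus an unnamed BHO DLL in System32) can be scripted. This is an added example, not part of the original thread and not HijackThis code; the log lines are excerpted from the logs posted in this thread, and the flagging rules and function names are assumptions chosen for illustration.

```python
import ntpath
import re

# Excerpt of the first HijackThis log in this thread (23/6/2004), copied from the page.
LOG_BEFORE = r"""
Running processes:
D:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FBEE2F9-65E5-4AB8-B2D9-0A493FB66EE7} - D:\WINDOWS\System32\ejopdha.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""
# For these entries, the 24/6/2004 log in the thread is identical minus the ejopdha.dll BHO.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "ejopdha.dll" not in l)

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
REG_VALUE = re.compile(r"^(?P<key>.+?),(?P<name>[^=]+?) = (?P<data>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# Assumption: value names taken from the fix list given in this thread.
FIX_LIST_NAMES = {"HomeOldSP"}


def parse(log):
    """Return (code, body) for every R*/O* entry; process lines and headers are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def triage(log):
    """Flag entries matching the patterns the helpers in this thread acted on."""
    findings = []
    for code, body in parse(log):
        if code in ("R0", "R1"):
            m = REG_VALUE.match(body)
            if not m:
                continue
            data = m["data"].lower()
            if data.startswith("file://") and "\\temp\\" in data:
                findings.append((code, m["name"], "IE search value points at a local file in Temp"))
            elif m["name"] in FIX_LIST_NAMES:
                findings.append((code, m["name"], "value name from the thread's fix list"))
        elif code == "O2":
            m = BHO.match(body)
            # ntpath parses Windows paths correctly on any OS.
            in_system32 = m and ntpath.dirname(m["path"]).lower().endswith("\\system32")
            if in_system32 and m["name"] == "(no name)":
                findings.append((code, ntpath.basename(m["path"]), "unnamed BHO DLL directly in System32"))
    return findings


def removed_between(before, after):
    """Entries present in the earlier log but absent from the later one."""
    later = set(parse(after))
    return [entry for entry in parse(before) if entry not in later]


if __name__ == "__main__":
    for finding in triage(LOG_BEFORE):
        print("FLAG", *finding, sep=" | ")
    for code, body in removed_between(LOG_BEFORE, LOG_AFTER):
        print("GONE", code, body, sep=" | ")
```

Running `triage` on the later excerpt still reports the three R entries, which matches the thread: the BHO disappears first, and the search values stay until they are fixed in HijackThis.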


theXplore, Please see The various helper groups here. Do join the team if you want to post help, we'd love to have you with us. :)

 

The fix suggested above will get rid of it for a while, but it will come back. There's a hidden file that will make it come back.

 

Mag00,

 

Download Registrar Lite:

http://www.resplendence.com/reglite

 

 

Setting up:

Install Registrar Lite.

 

 

 

Start:

Copy and paste this line to reglite's address bar. Then press 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

And hit the "go" tab.

Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the following fields:

-Size:

-Value:

 

Post the above results and a new HiJackThis log in this thread.

Edited by Archon_Wing


Hello!! New log file here and the other two pieces of information that you asked for:

 

on register -> Size: 32

-> Value: D:\WINDOWS\System32\d3deiil.dll

 

new log file:

Logfile of HijackThis v1.97.7
Scan saved at 22:23:54, on 23/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\Program Files\ISS\BlackICE\blackd.exe
D:\Program Files\ISS\BlackICE\blackice.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\f@h2\fah4console.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\Program Files\f@h\fah4console.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\Program Files\f@h2\FahCore_78.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\Program Files\HLSW\hlsw.exe
D:\Program Files\f@h\FahCore_78.exe
D:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Registrar Lite\rl.exe
D:\hjk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FBEE2F9-65E5-4AB8-B2D9-0A493FB66EE7} - D:\WINDOWS\System32\ejopdha.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to start.lnk = D:\Program Files\f@h2\start.bat
O4 - Global Startup: Shortcut to start2.lnk = D:\Program Files\f@h\start2.bat
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\mag00\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38141.7091898148
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C49E9EBB-2772-4707-8434-D9DB3D3971FB}: NameServer = 200.204.0.10

 

 

Just a reminder, I don't know if it's important: I have dual boot on this machine, local C: with W2KServer and local D: with WXPProf. The spy is only in WXP.

 

Thanks


First download Winfile. http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm (Second one)

Unzip this file to its own folder.

 

Now we are going to get rid of the hidden DLL that is causing all the problems.

In Registrar Lite:

=====================================

First we need to make it visible:

Copy and paste this line to reglite's address bar. Then press 'Go':

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

Rename the Folder Windows to NotWindows

(the folder is highlighted as a purple folder in the left hand pane of reglite)

 

Click "AppInit_DLLs" again and clear the data value:

C:\WINDOWS\System32\d3deiil.dll <-- delete this line,

'Apply' and 'ok' to set.

 

Rename the NotWindows folder back to its original name Windows

========================================

Restart your computer.

 

After restart, try to locate the d3deiil.dll in System32 folder but Don't attempt to delete it yet.

 

Go to your root drive: C:\ And create new folder.

Name it: "junk"

===============================

 

Run the 'Winfile' you previously downloaded and unzipped.

Expand and navigate to System32 folder.

You need to navigate by Double clicking to expand.

 

When in System32 click top menu: File --> Select files

Copy and paste to the box: d3deiil.dll hit select-

Find and highlight that file.

Next in top menu>Security>permissions, tell us what is listed there for that file.

Also check the 'owner' tab

 

Lastly, try this: Menu -File --> move...

In From: Copy/paste:

C:\WINDOWS\System32\d3deiil.dll

 

In To: Copy and paste:

C:\junk\d3deiil.dll

 

Then hit ok.

 

Close Winfile and check in C:\junk for that file.

 

No further action is needed yet...

 

Post back results for now.


I think that it solved my problem :)

Thank you for the help :)

 

Logfile of HijackThis v1.97.7
Scan saved at 01:11:28, on 24/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ISS\BlackICE\blackd.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\ISS\BlackICE\rapapp.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\Program Files\ISS\BlackICE\blackice.exe
D:\WINDOWS\System32\cmd.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\f@h2\fah4console.exe
D:\Program Files\f@h\fah4console.exe
D:\Program Files\f@h2\FahCore_78.exe
D:\Program Files\f@h\FahCore_78.exe
D:\hjk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to start.lnk = D:\Program Files\f@h2\start.bat
O4 - Global Startup: Shortcut to start2.lnk = D:\Program Files\f@h\start2.bat
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\mag00\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38141.7091898148
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C49E9EBB-2772-4707-8434-D9DB3D3971FB}: NameServer = 200.204.0.10


Just a bit more

Go ahead and use the security tab on the file (in Winfile) and take ownership.

Change the permissions to 'you --> with Admin rights-> FULL control

Then try to delete it, if that fails try to rename it first to different name+ext.

You can do it all in Winfile.

Ex:

d3deiil.dll.dll >bleh.txt

bleh.txt > badfile.111

Few times... Etc.

Or you can try deleting the entire junk folder.

 

 

After that,

Run CWShredder and Ad-Aware again with the latest updates.

Then,

Restart and Post a new HiJackThis log in this thread.

Edited by Archon_Wing


Yes, and post your Hijack This log too there.


without a restart

 

Logfile of HijackThis v1.97.7
Scan saved at 00:53:03, on 25/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ISS\BlackICE\blackd.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\ISS\BlackICE\rapapp.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\Program Files\ISS\BlackICE\blackice.exe
D:\WINDOWS\System32\cmd.exe
D:\WINDOWS\System32\cmd.exe
D:\Program Files\f@h\fah4console.exe
D:\Program Files\f@h2\fah4console.exe
D:\Program Files\f@h2\FahCore_79.exe
D:\Program Files\f@h\FahCore_78.exe
D:\Program Files\HLSW\hlsw.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Kazaa Lite Resurrection\kazaalite.kpp
D:\hjk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to start.lnk = D:\Program Files\f@h2\start.bat
O4 - Global Startup: Shortcut to start2.lnk = D:\Program Files\f@h\start2.bat
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\mag00\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38141.7091898148
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C49E9EBB-2772-4707-8434-D9DB3D3971FB}: NameServer = 200.204.0.10


I used these instructions and they removed CWS.Searchx. Nothing else did. My about:blank is now gone. FANTASTIC!!! Hugely grateful to Archon Wing. :lol:


Select the following, close all browser windows including this one and fix:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\mag00\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Edited by Archon_Wing


Thank you guys for figuring out this solution to the aboutblank problem. It plagued me for two days... I think this thread should be featured and locked somewhere so as to make it easier for hijacked homepage sufferers to find.
