Malware Removal & HijackThis Logs
06-Apr-2004, 09:12 PM
#1
ABOUT:BLANK, NDLHOJLG.exe and UIPOPUPHIDDEN

My Microsoft Internet Explorer ("MIE") address page opens with "about:blank". I tried going into MIE Tools/Internet Options/Advanced/ and clicking off "enable 3rd party browser extensions" and rebooted. Same result when I open MIE = about:blank. I ran "Hijackthis" and "Stinger" but without success. It appears that some of my Doc files are missing that contained procedures to turn off the Windows XP backup file system. HELP !!!!

Paul K. aka "AvengerII"
06-Apr-2004, 10:31 PM
#3
HiJack This Log for about:blank

Logfile of HijackThis v1.97.7
Scan saved at 10:30:36 PM, on 4/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\System32\PELMICED.EXE
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSBasic.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Basic\CCHelper.dll
O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0-12C36350039D} - C:\WINDOWS\System32\gfmnaaa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\psbasic.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperBasic] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSBasic.exe"
O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRA~1\SPYWAR~1\Spyware-Cop.exe" /s
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon...ad/tgctlcm.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
06-Apr-2004, 10:50 PM
#4
This looks like it may be a new variant of a CWS hijack, but it is possible that it is in the CWShredder database. Let's try running CWShredder. If it doesn't remove it we'll remove it manually.

Click here to download CWShredder. Close all browser windows, unzip the file, click on the cwshredder.exe, then click "Fix" (not "Scan only") and let it do its thing. When it is finished restart your computer.

IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits. The simplest way to make sure you have all the security patches is to go to Windows Update and install all "Critical Updates and Service Packs".

Come back here and post another HijackThis log and we'll get rid of what's left.
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
06-Apr-2004, 11:43 PM
#6
First please do this: Navigate to the C:\WINDOWS\system32 folder and locate the gfmnaaa.dll file. Right click it and choose "Send to compressed (zipped) folder". The zipped folder will appear there in the System32 folder. Attach a copy of that zipped folder and send it to me here. Please include a link to this thread so I'll remember where it came from.

This file may be hidden, so click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

Run HijackThis again and put a check by these. Close all windows except HijackThis and click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0-12C36350039D} - C:\WINDOWS\System32\gfmnaaa.dll
O4 - HKLM\..\Run: [Services] C:\WINDOWS\svchost.exe

Restart to safe mode and delete:
The C:\WINDOWS\System32\gfmnaaa.dll file
The C:\WINDOWS\svchost.exe file

*Note: Do Not delete the svchost.exe file that is located in the C:\Windows\System32 folder. It is a legitimate Windows file.

How to start your computer in safe mode
08-Apr-2004, 03:48 PM
#8
This is what I found:

Logfile of HijackThis v1.97.7
Scan saved at 3:46:15 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
E:\WINDOWS\System32\atiptaxx.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
E:\Program Files\ATI Multimedia\main\launchpd.exe
E:\Program Files\Palm\AlarmApp.exe
E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
E:\Program Files\QUICKENW\QWDLLS.EXE
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Palm\HOTSYNC.EXE
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Command Software\dvpapi.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - E:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - E:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - E:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - E:\WINDOWS\DOWNLO~1\mqgold1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Smapp] E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "E:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [B'sCLiP] E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\RunServices: [Windows Update] mplupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Freedom] E:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [ATI Launchpad] "E:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [RealUpdater] E:\WINDOWS\System32\realupd.exe
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: NetAst.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alarm Manager.LNK = E:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: eBay Toolbar.LNK = E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = E:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: eBay Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: eBay Toolbar (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...862.6054861111
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/o...abs/cssweb.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {D232CDB6-0000-0000-0000-000000000000} - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup144.cab
08-Apr-2004, 03:56 PM
#9
Run HijackThis again and put a check by these. Close all windows except HijackThis and click "Fix checked":

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe

Restart your computer.

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
08-Apr-2004, 04:26 PM
#10
Deleted the O16 - DPF {10000000 etc. and ran HijackThis as instructed and rebooted machine. Sorry, it didn't fix the problem. Ran HijackThis again and here is the latest log:

Logfile of HijackThis v1.97.7
Scan saved at 4:21:01 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
E:\WINDOWS\System32\atiptaxx.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
E:\Program Files\Zero Knowledge\Freedom\Freedom.exe
E:\Program Files\ATI Multimedia\main\launchpd.exe
E:\Program Files\Palm\AlarmApp.exe
E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
E:\Program Files\QUICKENW\QWDLLS.EXE
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Palm\HOTSYNC.EXE
E:\Program Files\Common Files\Command Software\dvpapi.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
E:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - E:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - E:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - E:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - E:\WINDOWS\DOWNLO~1\mqgold1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Smapp] E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "E:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [B'sCLiP] E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\RunServices: [Windows Update] mplupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Freedom] E:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [ATI Launchpad] "E:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [RealUpdater] E:\WINDOWS\System32\realupd.exe
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: NetAst.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alarm Manager.LNK = E:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: eBay Toolbar.LNK = E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = E:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: eBay Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: eBay Toolbar (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...862.6054861111
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/o...abs/cssweb.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {D232CDB6-0000-0000-0000-000000000000} - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup144.cab
08-Apr-2004, 04:53 PM
#12
This:

O4 - HKLM\..\RunServices: [Windows Update] mplupdate.exe

appears to be http://securityresponse.symantec.com...llw.moega.html
08-Apr-2004, 05:04 PM
#13
Thanks Derek. I'm still having a hard time with the new look of the forum. Not only did I miss that one, I missed this one too:

O4 - HKCU\..\Run: [RealUpdater] E:\WINDOWS\System32\realupd.exe

Run HijackThis again and put a check by these. Close all windows except HijackThis and click "Fix checked":

O4 - HKLM\..\RunServices: [Windows Update] mplupdate.exe
O4 - HKCU\..\Run: [RealUpdater] E:\WINDOWS\System32\realupd.exe

Restart to safe mode and delete:
The E:\WINDOWS\System32\realupd.exe file
And the mplupdate.exe file. It will probably be in the E:\WINDOWS\System32 folder as well.

They may be hidden, so be sure to set the folder options as I showed you before.
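The helpers in posts #6, #9 and #13 are reading the HijackThis log by eye and picking out the same few patterns each time: IE search settings pointing at a res:// resource inside a DLL (what HijackThis marks "(obfuscated)"), a BHO or Run entry backed by a file they already know is bad, an svchost.exe that lives outside System32, and an O16 Downloaded Program File that is really a local file:// path. The script below is an added example, not code from the thread or from HijackThis, that applies those rules mechanically to a constructed log excerpt in the v1.97 format. The watch-list of file names (gfmnaaa.dll, mplupdate.exe, realupd.exe) is taken from what the thread tells the poster to delete; in real use it would come from a signature feed, and the heuristics are a first-pass triage, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v1.97 log format. It mirrors the entries this
# thread flags and adds a few benign ones so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0-12C36350039D} - C:\WINDOWS\System32\gfmnaaa.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Services] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\RunServices: [Windows Update] mplupdate.exe
O4 - HKCU\..\Run: [RealUpdater] E:\WINDOWS\System32\realupd.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
"""

# File names the helpers in this thread told the poster to remove. This is a
# constructed watch-list for the example; a real one comes from a signature feed.
KNOWN_BAD_NAMES = {"gfmnaaa.dll", "mplupdate.exe", "realupd.exe"}

# Every HijackThis entry starts with a section tag such as "R1 - " or "O16 - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Bare file name (no directory part) of anything that looks like a PE/OCX/screensaver.
FILE_NAME_RE = re.compile(r'([^\\/\s"]+\.(?:exe|dll|ocx|scr))\b', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _last_file_name(body: str) -> str:
    """Return the lower-cased bare name of the last executable-looking token, or ''."""
    names = FILE_NAME_RE.findall(body)
    return names[-1].lower() if names else ""


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's triage rules to a HijackThis log and return the hits in order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "Running processes:", process paths, blanks
        section, body = m.group("section"), m.group("body")
        lower = body.lower()
        name = _last_file_name(body)

        # Rule 1: R0/R1 search or start page served from a resource inside a DLL.
        # HijackThis marks these "(obfuscated)"; it is the CWS about:blank pattern.
        if section in ("R0", "R1") and ("res://" in lower or "(obfuscated)" in lower):
            findings.append(Finding(section, "IE search/start page points into a DLL resource", line))
            continue

        # Rule 2: the file behind the entry is on the watch-list, whatever the section.
        if name in KNOWN_BAD_NAMES:
            findings.append(Finding(section, f"known-bad file name {name}", line))
            continue

        # Rule 3: svchost.exe loaded from anywhere but ...\System32 (post #6's
        # C:\WINDOWS\svchost.exe impostor). The real one is left alone.
        if name == "svchost.exe" and "\\system32\\svchost.exe" not in lower:
            findings.append(Finding(section, "svchost.exe outside System32", line))
            continue

        # Rule 4: an O16 Downloaded Program File whose source is a local file://
        # path rather than a download URL (post #9's update.exe entry).
        if section == "O16" and "file://" in lower:
            findings.append(Finding(section, "Downloaded Program File registered from a local file:// path", line))
            continue

        # Rule 5, informational: a missing default URLSearchHook often accompanies a
        # search hijack and is worth noting next to the R0/R1 hits.
        if section == "R3" and "missing" in lower:
            findings.append(Finding(section, "default URLSearchHook missing", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports seven entries: the obfuscated R1 search bar, the missing URLSearchHook, the gfmnaaa.dll BHO, the stray C:\WINDOWS\svchost.exe, the two watch-listed updaters, and the file:// DPF entry, while leaving the Acrobat BHO, hkcmd.exe and the Flash download alone. Rule order matters: the res:// check runs before the watch-list so that a hijacked R1 line is reported for what it does rather than merely for the DLL it names.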
08-Apr-2004, 11:55 PM
#14
I'm not sure if my last message got to you. To make a long story short, I had to redo all the instructions in your threads. Being a novice at this and having a lifetime membership in the "Village Idiot" Club, I didn't realize where the "log" was, so I may have screwed up the procedure. However, the files you mentioned in your 1st thread had disappeared on their own after applying the last 2 thread instructions. After the last reboot MIE is still showing about:blank as the home page after I had changed it via Tools and rebooted. Here is the current log:

Logfile of HijackThis v1.97.7
Scan saved at 11:37:02 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
E:\WINDOWS\System32\atiptaxx.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
E:\Program Files\ATI Multimedia\main\launchpd.exe
E:\Program Files\Palm\AlarmApp.exe
E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
E:\Program Files\QUICKENW\QWDLLS.EXE
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Palm\HOTSYNC.EXE
E:\Program Files\Common Files\Command Software\dvpapi.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
E:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - E:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - E:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - E:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - E:\WINDOWS\DOWNLO~1\mqgold1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Smapp] E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "E:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [B'sCLiP] E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Freedom] E:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [ATI Launchpad] "E:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: NetAst.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alarm Manager.LNK = E:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: eBay Toolbar.LNK = E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = E:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: eBay Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: eBay Toolbar (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...862.6054861111
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/o...abs/cssweb.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {D232CDB6-0000-0000-0000-000000000000} - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup144.cab
09-Apr-2004, 01:02 AM
#15