
About:blank returns continuously

Discussion in 'Virus & Other Malware Removal' started by MindReaper, Apr 15, 2004.

  1. MindReaper

    MindReaper Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    20
    I've been having this wonderful little love/hate relationship with the about:blank hijacker. I've run CWShredder, Hijack This, Ad-Aware 6.0, and some other programs that have been posted on numerous other sites, all to no avail. The about:blank will disappear for a while (minutes, hours, and even as long as a day :mad: ) but it always returns in force. I'm probably forgetting to do something simple due to lack of patience and sleep. I would greatly appreciate the help. All programs are up to date as of this posting:

    The log listed below is probably more than you need, but right now I can't explain why this thing keeps recurring after being cleaned numerous times, so maybe someone will catch something I didn't. :)

    StartupList report, 4/15/2004, 10:23:06 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Administrator\Desktop\HijackThis.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\system32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\mqsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNT\system32\cidaemon.exe
    C:\WINNT\system32\cidaemon.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    C:\WINNT\system32\notepad.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
    *No files*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    *No files*

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    Synchronization Manager = mobsync.exe /logon
    pccguide.exe = "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    PCClient.exe = "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    TM Outbreak Agent = "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINNT\System32\mshta.exe "%1" %*

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
    StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\System32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINNT\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present
    C:\WINNT\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINNT
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    *No BHO's found*

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
    OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
    OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [Scanner Class]
    InProcServer32 = C:\temp\TDECntrl\TDECntrl.dll
    CODEBASE = http://www.trojanscan.com/trojanscan/TDECntrl.CAB

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINNT\System32\rnr20.dll
    NameSpace #2: C:\WINNT\System32\winrnr.dll
    Protocol #1: C:\WINNT\system32\msafd.dll
    Protocol #2: C:\WINNT\system32\msafd.dll
    Protocol #3: C:\WINNT\system32\msafd.dll
    Protocol #4: C:\WINNT\system32\rsvpsp.dll
    Protocol #5: C:\WINNT\system32\rsvpsp.dll
    Protocol #6: C:\WINNT\system32\msafd.dll
    Protocol #7: C:\WINNT\system32\msafd.dll
    Protocol #8: C:\WINNT\system32\msafd.dll
    Protocol #9: C:\WINNT\system32\msafd.dll
    Protocol #10: C:\WINNT\system32\msafd.dll
    Protocol #11: C:\WINNT\system32\msafd.dll
    Protocol #12: C:\WINNT\system32\msafd.dll
    Protocol #13: C:\WINNT\system32\msafd.dll
    Protocol #14: C:\WINNT\system32\msafd.dll
    Protocol #15: C:\WINNT\system32\msafd.dll
    Protocol #16: C:\WINNT\system32\msafd.dll
    Protocol #17: C:\WINNT\system32\msafd.dll
    Protocol #18: C:\WINNT\system32\msafd.dll
    Protocol #19: C:\WINNT\system32\msafd.dll
    Protocol #20: C:\WINNT\system32\msafd.dll
    Protocol #21: C:\WINNT\system32\msafd.dll
    Protocol #22: C:\WINNT\system32\msafd.dll
    Protocol #23: C:\WINNT\system32\msafd.dll
    Protocol #24: C:\WINNT\system32\msafd.dll
    Protocol #25: C:\WINNT\system32\msafd.dll
    Protocol #26: C:\WINNT\system32\msafd.dll
    Protocol #27: C:\WINNT\system32\msafd.dll
    Protocol #28: C:\WINNT\system32\msafd.dll
    Protocol #29: C:\WINNT\system32\msafd.dll
    Protocol #30: C:\WINNT\system32\msafd.dll
    Protocol #31: C:\WINNT\system32\msafd.dll
    Protocol #32: C:\WINNT\system32\msafd.dll
    Protocol #33: C:\WINNT\system32\msafd.dll
    Protocol #34: C:\WINNT\system32\msafd.dll
    Protocol #35: C:\WINNT\system32\msafd.dll
    Protocol #36: C:\WINNT\system32\msafd.dll
    Protocol #37: C:\WINNT\system32\msafd.dll
    Protocol #38: C:\WINNT\system32\msafd.dll
    Protocol #39: C:\WINNT\system32\msafd.dll
    Protocol #40: C:\WINNT\system32\msafd.dll
    Protocol #41: C:\WINNT\system32\msafd.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
    Alerter: %SystemRoot%\System32\services.exe (manual start)
    Application Management: %SystemRoot%\system32\services.exe (manual start)
    ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
    Computer Browser: %SystemRoot%\System32\services.exe (autostart)
    Closed Caption Decoder: system32\drivers\ccdecode.sys (manual start)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    DHCP Client: %SystemRoot%\System32\services.exe (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\DRIVERS\dmio.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
    Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\services.exe (autostart)
    Creative AudioPCI (ES1371,ES1373) (WDM): system32\drivers\es1371mp.sys (manual start)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
    Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    IIS Admin Service: C:\WINNT\System32\inetsrv\inetinfo.exe (autostart)
    IntelIde: System32\DRIVERS\intelide.sys (system)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    RIP Listener: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\services.exe (autostart)
    Workstation: %SystemRoot%\System32\services.exe (autostart)
    TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
    Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4): System32\DRIVERS\lne100v4.sys (manual start)
    Linksys LNE100TX(v5) Fast Ethernet Adapter: System32\DRIVERS\lne100v5.sys (manual start)
    TCP/IP Print Server: %SystemRoot%\System32\tcpsvcs.exe (manual start)
    Logitech USB Microphone: system32\drivers\lvsound2.sys (system)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
    Messenger: %SystemRoot%\System32\services.exe (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
    BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
    MSMQ access control: \??\C:\WINNT\System32\drivers\mqac.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
    FTP Publishing Service: C:\WINNT\System32\inetsrv\inetinfo.exe (manual start)
    Windows Installer: C:\WINNT\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Message Queuing: C:\WINNT\System32\mqsvc.exe (autostart)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
    NetBEUI Protocol: system32\DRIVERS\nbf.sys (autostart)
    Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    NTSIM: \??\C:\WINNT\system32\ntsim.sys (manual start)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    nv4: System32\DRIVERS\nv4.sys (manual start)
    NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (system)
    Trend Micro Personal Firewall: C:\Program Files\Trend Micro\Internet Security\PccPfw.exe (autostart)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Protected Storage: %SystemRoot%\system32\services.exe (autostart)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    Logitech QuickCam Web: System32\DRIVERS\LVCE.sys (manual start)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry Service: %SystemRoot%\system32\regsvc.exe (disabled)
    Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
    Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
    Secdrv: \??\C:\WINNT\System32\drivers\SECDRV.SYS (manual start)
    RunAs Service: %SystemRoot%\system32\services.exe (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Simple TCP/IP Services: %SystemRoot%\System32\tcpsvcs.exe (autostart)
    BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
    Simple Mail Transport Protocol (SMTP): C:\WINNT\System32\inetsrv\inetinfo.exe (disabled)
    SNMP Service: %SystemRoot%\System32\snmp.exe (autostart)
    SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
    Tmfilter: system32\drivers\Tmfilter.sys (autostart)
    Trend NT Realtime Service: "C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe" (autostart)
    Trend Micro Proxy Service: C:\Program Files\Trend Micro\Internet Security\tmproxy.exe (autostart)
    Trend Micro TDI Driver: \SystemRoot\System32\Drivers\tmtdi.sys (system)
    Common Firewall Driver: \SystemRoot\System32\Drivers\tm_cfw.sys (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
    Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    %StandardHub.SvcDesc%: System32\DRIVERS\usbhub.sys (autostart)
    Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Vsapint: system32\drivers\Vsapint.sys (autostart)
    Windows Time: %SystemRoot%\System32\services.exe (manual start)
    World Wide Web Publishing Service: C:\WINNT\System32\inetsrv\inetinfo.exe (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WDM Virtual Wave Driver (WDM): system32\drivers\wdmaud.sys (system)
    Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
    WMDM PMSP Service: C:\WINNT\System32\mspmspsv.exe (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
    World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
    Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
    Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    IBM PC Camera: System32\DRIVERS\C-it98.sys (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    SysTray: stobject.dll
    WebCheck: C:\WINNT\System32\webcheck.dll

    --------------------------------------------------
    End of report, 29,545 bytes
    Report generated in 0.330 seconds



    Logfile of HijackThis v1.97.7
    Scan saved at 10:41:15 AM, on 4/15/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\system32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\mqsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\system32\cidaemon.exe
    C:\WINNT\system32\cidaemon.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bal.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bal.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bal.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bal.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bal.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bal.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {938FF519-5838-4F19-9E92-EBC49259DCA1} - C:\WINNT\system32\bal.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

    The log at the bottom is what JUST appeared. I was clean through most of last night, but after opening and closing the browser about 15 times, it reappeared. I apologize for the overly long and mostly useless post, but I'm at my wits' end as to why it keeps reappearing after being cleaned over and over and over again.

    Totally Frustrated,
    Reaper
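The two logs above point at the same component from two directions: every R1 search setting is a res:// URL served out of C:\WINNT\system32\bal.dll, and the same file is registered as an unnamed O2 BHO, which is the piece that gets loaded by every new Internet Explorer window and can rewrite the settings after each clean-up. The script below is an added triage example; it is not part of the thread, of HijackThis, or of the pv tool discussed later. It assumes only the R0/R1/O2 line layout shown in the HijackThis log, parses those lines, and links each res:// DLL to the BHO CLSIDs registered for the same file. The sample input is a constructed subset of the log above.

```python
"""Triage a HijackThis log for the res:// search hijack pattern seen above.

Added example; not part of the thread, of HijackThis, or of the pv tool.
It assumes only the R0/R1/O2 line layout shown in the log and answers the
question a responder asks first: which local DLL serves the res:// search
pages, and is that same DLL registered as a BHO (the component loaded by
every new IE window, so the one that can re-apply the settings)?
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the R0/R1/O2/O4/O9 lines from the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bal.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bal.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {938FF519-5838-4F19-9E92-EBC49259DCA1} - C:\WINNT\system32\bal.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
"""

# R0/R1 lines: "<code> - <registry key>,<value name> = <data>[ (obfuscated)]"
R_LINE = re.compile(r"^(?P<code>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.+)$")
# A res:// URL names the module that serves the page before the first "/"
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)
# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
OBF = " (obfuscated)"


def parse_log(text):
    """Return (ie_settings, bhos) parsed from the R0/R1 and O2 lines."""
    settings, bhos = [], []
    for line in text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            value = m["value"]
            obfuscated = value.endswith(OBF)
            if obfuscated:
                value = value[: -len(OBF)]
            settings.append({"code": m["code"], "key": m["key"], "name": m["name"],
                             "value": value, "obfuscated": obfuscated})
            continue
        m = O2_LINE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"], "path": m["path"]})
    return settings, bhos


def triage(text):
    """Flag res:// search settings, about:blank start pages and unnamed BHOs,
    and link each res:// DLL to the BHO CLSIDs registered for the same file."""
    settings, bhos = parse_log(text)
    findings = {"res_hijacks": [], "blank_start_pages": [], "unnamed_bhos": []}
    bho_by_path = defaultdict(set)
    for b in bhos:
        # Paths are compared case-insensitively, as the Windows file system would
        bho_by_path[b["path"].lower()].add(b["clsid"])
        if b["name"] == "(no name)":
            findings["unnamed_bhos"].append((b["clsid"], b["path"]))
    for s in settings:
        m = RES_DLL.match(s["value"])
        if m:
            findings["res_hijacks"].append((s["key"], s["name"], m["dll"].lower()))
        elif s["name"] == "Start Page" and s["value"].lower() == "about:blank":
            findings["blank_start_pages"].append(s["key"])
    res_dlls = {dll for _, _, dll in findings["res_hijacks"]}
    findings["dll_links"] = {dll: sorted(bho_by_path[dll]) for dll in sorted(res_dlls)
                             if dll in bho_by_path}
    return findings


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, name, dll in report["res_hijacks"]:
        print(f"res:// hijack: {key},{name} -> {dll}")
    for key in report["blank_start_pages"]:
        print(f"start page blanked: {key}")
    for clsid, path in report["unnamed_bhos"]:
        print(f"unnamed BHO {clsid} at {path}")
    for dll, clsids in report["dll_links"].items():
        print(f"{dll} serves the res:// pages and is registered as BHO {', '.join(clsids)}")
```

Run over the full HijackThis log from this post, `dll_links` names bal.dll once with its single CLSID; run over the earlier StartupList report (whose "Enumerating Browser Helper Objects" section says no BHOs were found), it would flag nothing, which matches the timing the poster describes: the BHO was registered between the 10:23 report and the 10:41 log, after IE had been opened and closed repeatedly.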
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi MindReaper

    Welcome to TSG! :)

    Download this zip.

    http://www.zero.vulc4n.com/downloads/pv.zip

    unzip it to the desktop.

    Be sure to have at least 1 internet explorer window open.

    Double click on the runme.bat

    This will open a command window. In the command window enter the digit 1 by hitting the 1 key on your keyboard and then hit the Enter key.

    Notepad will open with a log in it. Please copy and paste the log into this thread.
     
  3. MindReaper

    MindReaper Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    20
    Thank you for your timely response!

    I did as you asked and downloaded the pv.zip. When I double-clicked on the runme.bat, it brought up a C:\WINNT\system32\cmd.exe; I entered "1" and hit Enter, and a Notepad popped up next to the command box, but the Notepad was blank. There were no entries.

    It says "pv is not recognized as an internal or external command" (this flies by in the blink of an eye after hitting Enter, and it took me quite a few tries to finally be able to understand what it says).
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    This has been working fine on XP, but so far it isn't working on 2k. Please do this: open the runme.bat and tell me if the options you have in 2k are different from what I have here in XP. See pic:
     

    Attached Files:

  5. MindReaper

    MindReaper Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    20
    It appears to be exactly the same
     

    Attached Files:

  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hang in there. It may take me a bit, but I need to do some checking on an alternative method to finding out what the hidden file is that keeps reloading this hijack. It is a bit tricky to remove.

    I just spoke to the guy that developed the pv.zip file and he's going to do some checking. I'll do some checking too. I will post back as soon as I have more info.
     
  7. MindReaper

    MindReaper Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    20
    I have lots of time on my hands and 4 other working computers so take your time :)

    I'm normally very good at beating viruses and hacking out registries but this is one that finally has me stumped. :(

    Here is a link to another website that I was following in hopes of an answer, but the site admin closed it prematurely (they were onto something and maybe it will help some):

    http://www.computercops.biz/postx24263-0-60.html
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Yes, I'm a member of the Security Experts group at Computer Cops, and that is where most of the security gurus that develop these tools hang out and exchange info on the latest threats and removal procedures.

    Since you appear to be pretty adept at digging through the registry, I can probably trust you to use another method for finding the hidden file that keeps reloading this hijacker. I will have to do some double-checking on exactly where to look in 2k. Also, I have quite a few threads that I need to respond to right quick first. I'll post back soon.
     
  9. MindReaper

    MindReaper Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    20
    No problem, take your time and reply when you can :)
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    OK, I'm not positive that I have got this right. I don't have a 2k machine to test it on.

    Go to start>Run and type regedt32. Press enter.

    Open the registry and navigate here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    Highlight Windows in the left pane.

    Look in the right pane for this value:

    AppInit_Dlls

    I do believe that the hidden file we are looking for should be plainly visible there under AppInit_Dlls. See if there is a file path to a random .dll file similar to this one in your log:

    C:\WINNT\system32\bal.dll

    If there is copy that file path back here.
     
  11. MindReaper

    MindReaper Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    20
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows is there, but there is no Value Data located under that string.

    Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows I have the following strings:

    (default) REG_SZ (value not set)
    AppInit_DLLs REG_SZ Under data it is blank
    Devicenotselectedtimeout REG_SZ 15
    GDIProcessHandleQuota REG_DWORD 0x00002710 (1000)
    Spooler REG_SZ yes
    swapdisk REG_SZ 0000000000
    TransmissionRetryTimeout REG_SZ 90
    USERProcessHandleQuota REG_DWORD 0x00002710 (1000)

    The AppInit_DLLs I have modified, and deleted that particular string numerous times. I've deleted it and rebooted without closing out the regedit, only to have it reappear (apparently exactly the same). I've also modified the string data with 0000000000 and another time with KOKOKOKOK, each time clicking OK and then rebooting without closing the registry, and also closing the registry and rebooting, with no apparent change.
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    OK, let me see what I can find out. I know there's a way to find it in 2k. I've been looking through the info at Computer Cops, but thus far I haven't found a definitive answer for 2k. I'm still looking.
     
  13. MindReaper

    MindReaper Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    20
    No problem, kind of fun to have an interesting challenge :D
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    One more thought. When you navigate to AppInit_DLLs, right-click it and choose Modify Binary Data. Do you see something that looks like this:

    0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
    0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
    0010 77 00 73 00 5C 00 73 00 w.s.\.s.
    0018 79 00 73 00 74 00 65 00 y.s.t.e.
    0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
    0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
    0030 67 00 2E 00 64 00 6C 00 g...d.l.
    0038 6C 00 00 00 l...

    This is how it looks in XP. The hidden file path is on the right. It's not bolded like that; I added the bold to make it obvious what to look for.

    The hidden file translates to this:

    Windows\system32\mskkg.dll
     
  15. MindReaper

    MindReaper Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    20
    No, there is no such information in the Value Data of AppInit_DLLs in that registry key.
     
Short URL to this thread: https://techguy.org/220681
