about:blank browser hijack

My homepage has bee reset to about:blank, and redirects me to a website hosted by crl.verisign.com. All it does is give you round-robin links in Java. Anyway, I can't get rid of it. I have run Hijackthis, Spybot, spyaudit, and spyblock. No luck. Any help is appreciated.

 

Hi,

You need to scan with HijackThis and save the log. Then, copy and paste the entire log into this same thread.

In the meantime, DO NOT RUN CWShredder! If you have one of the later versions of CWS that causes the about:blank problem, using CWShredder will only cause the hidden .dll files to morph and make them even more difficult to find and eradicate.

 

Here is the log:
Logfile of HijackThis v1.97.7
Scan saved at 8:29:38 PM, on 5/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\frxhser.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\frxhapp.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\spy\spyblocker.exe
C:\Spybot\SearchDestroy\TeaTimer.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Download\spy\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\alppd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\alppd.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\alppd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\alppd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\alppd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.techweb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\alppd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://smbusiness.dellnet.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Program Files\\Netscape\\Users\\robby\\bookmark.htm"); (C:\Program Files\Netscape\Users\robby\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2453940F-B46F-49D2-BE9D-7EBCDCD8812C} - C:\WINDOWS\System32\alppd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SearchDestroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\spy\spyblocker.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot\SearchDestroy\TeaTimer.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21bc3c18a1bfb1657817/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37912.7667476852
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

 

robcab,

Please DO NOT attempt to fix this with HijackThis. This is indeed one of the new CWS variants. HijackThis will only fix it until the next reboot, then it all comes back. The same with CWShredder. Also, there are hidden dll files that if improperly removed will only morph into multiple hidden dll files and intensify the problem.

This problem requires a special fix. I will give you a link to the required file and instructions for using it; however, this file could be temporarily unavailable due to a pending update. If you can't get it right away, wait a few hours and then try again. Keep trying until you get it.

Go here and download this self extracting file:
http://tools.zerosrealm.com/dllfix.exe

Save the file to your Desktop, double click dllfix.exe and follow the prompts.

Go to the newly created dllfix folder on your Desktop and double click start.bat and choose option #1. This will scan your computer for the 'bad' file.

Please post the log here first before you run the fix.

 

nonsuch, i am having the same problem and have run what you have posted, here is the log:
--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Tue 05/18/2004
10:17 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (F0A7:F892) - FS:NTFS clusters:4k
Total: 79 949 717 504 [74G] - Free: 56 652 578 816 [53G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:

*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:


*PC uptime:
10:17pm up 0 days, 1:20
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\D3DEJIJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\D3DEJIJ.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
20026c 1784 norm SysFader
40080 1784 norm Start Menu
30040 1784 norm _Shell_TrayWnd
103d2 2868 norm SysFader
2b01d8 1784 norm SysFader
b021e 3324 norm Emoticon popup
201a8 364 norm Norton AntiVirus
10026 628 high NetDDE Agent
17026e 236 norm C:\WINDOWS\System32\cmd.exe
40346 2868 norm MajorGeeks Message Board - about:blank browser hijack - Microsoft Internet Expl
3400d8 1784 norm dllfix
2700da 3644 norm ActiveMovie Window
2200ec 3644 norm ActiveMovie Window
2700e8 3644 norm MSP PNP Notification Window
2e00e2 3644 norm CRTCClient
2600fa 3644 norm CRTCIMService
2c00f6 3644 norm DDE Server Window
10124 1016 norm _Static
10116 1016 norm SpywareGuard
1010e 1016 norm SpywareGuard
2f00be 2868 norm MCI command handling window
10402 2868 norm DDE Server Window
200ca 332 norm UnErase Process
801f8 3324 norm Animated BMP Sequence
d01c2 3324 norm Animated BMP
701cc 3324 norm MCI command handling window
301c8 1784 norm MCI command handling window
10194 1188 norm SpywareGuard Brower Hijacking Protection
1018e 1188 norm SG Browser Hijacking Protection
10254 3324 norm MSNUnnamedWindow
60246 3324 norm Dummy Video Parent
10242 3324 norm EchoPortManagerWnd
10232 3324 norm MSNMSGRPassportLogin
10230 3324 norm MSBLNetConn
501be 3324 norm DDE Server Window
201f6 304 norm NVSVCPMMWindowClass
101ac 364 norm DefAlert_Window_29DABAC8-AB93-43f3-926D-1DDE0C909FDF
10184 364 norm ccApp
10102 904 norm Digital Line Detect
200a2 404 norm Notification Wnd for RNAdmin
100c6 544 norm Pop-Up Stopper Free Edition
100b4 148 norm Dell Media Experience
100b2 340 norm Support
1f0294 1784 norm SysFader
10084 1784 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CF0B8EE-6596-11D5-A98E-0003470BB48E}]
@="CCHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6BC81D9-7349-4A5E-B79A-1DAAF1EED914}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C500693C-F74B-44C2-82BC-2A500F268F75}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




 

utility_hawk,

Run the start.bat again. Run option 2 and choose Option 1 in the submenu since the dllname was found in this line: file:///?C:WINDOWSSystem32D3DEJIJ.DLL

Option 1 -- > is if you found the dllname that is locked or in the appinit key.


Reboot. There will just be a md5 scan because the filename was entered manually. (option 2,1 in start.bat)

Reboot and Download Ad-aware. Check for updates. Then scan with Ad-aware and allow it to remove all it finds. After that is completed, reboot, then download and scan with CWShredder and allow it to fix anything it finds.

Reboot. Run HijackThis and save the fresh log.

Post a new Output.txt (option 1 in start.bat ), the logs.txt the fix generated (you will find it automatically being made and found in the dllfix folder) and a fresh HijackThis Log.

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Wed 05/19/2004
08:26 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (F0A7:F892) - FS:NTFS clusters:4k
Total: 79 949 717 504 [74G] - Free: 56 636 796 928 [53G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:

*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:


*PC uptime:
8:26pm up 0 days, 0:04
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\D3DEJIJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\D3DEJIJ.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
502a4 1688 norm SysFader
20082 1688 norm Start Menu
30044 1688 norm _Shell_TrayWnd
1028c 500 norm Emoticon popup
101e0 2820 norm SysFader
1018c 1968 norm Norton AntiVirus
10026 632 high NetDDE Agent
301b8 2820 norm MajorGeeks Message Board - about:blank browser hijack - Microsoft Internet Expl
70244 3668 norm C:\WINDOWS\System32\cmd.exe
4025e 1688 norm dllfix
1011e 252 norm _Static
10110 252 norm SpywareGuard
1010a 252 norm SpywareGuard
102be 1688 norm MCI command handling window
1022a 2820 norm MCI command handling window
10286 500 norm MCI command handling window
10234 500 norm Dummy Video Parent
10232 500 norm VSPWrapper Hidden
1020e 500 norm MSNMSGRPassportLogin
1020c 500 norm MSBLNetConn
1020a 2820 norm DDE Server Window
101c0 500 norm ActiveMovie Window
101be 500 norm ActiveMovie Window
101bc 500 norm MSP PNP Notification Window
101ba 500 norm CRTCClient
501a6 500 norm CRTCIMService
201b4 1108 norm NVSVCPMMWindowClass
30140 1096 norm UnErase Process
101a0 500 norm DDE Server Window
1019c 1968 norm DefAlert_Window_29DABAC8-AB93-43f3-926D-1DDE0C909FDF
10182 1968 norm ccApp
100fe 156 norm Digital Line Detect
100cc 1984 norm Update Manager
100c0 120 norm Pop-Up Stopper Free Edition
100b2 1820 norm Dell Media Experience
300a6 1996 norm Notification Wnd for RNAdmin
100ac 1868 norm Support
301c2 1688 norm SysFader
10086 1688 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CF0B8EE-6596-11D5-A98E-0003470BB48E}]
@="CCHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6BC81D9-7349-4A5E-B79A-1DAAF1EED914}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C500693C-F74B-44C2-82BC-2A500F268F75}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access DCXMG941\Michael
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access DCXMG941\Michael





CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Wed 05/19/2004
08:13 PM

Backing up Registry Hive
The operation completed successfully

Deleting Windows Key
The operation completed successfully

Restoring Registry Hive
The operation completed successfully

Deleting temp value
The operation completed successfully

Running from C:\Documents and Settings\Michael\Desktop\dllfix
Processing File Manually
C:\WINDOWS\system32\d3dejij
Md5 Check of C:\WINDOWS\system32\d3dejij

File was found but md5 didnt match
MD5 was:
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\system32\d3dejij>
SetACL finished with error(s):
SetACL error message: The call to SetNamedSecurityInfo () failed
Operating system error message: The system cannot find the file specified.

File was zipped for submission to Shadowwar
File is located at C:\Documents and Settings\Michael\Desktop\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.


Logfile of HijackThis v1.97.7
Scan saved at 8:26:09 PM, on 5/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael\My Documents\Instalers\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Basic\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {A6BC81D9-7349-4A5E-B79A-1DAAF1EED914} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {C500693C-F74B-44C2-82BC-2A500F268F75} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab


PS. thank you sooooooooo much

 

Hi,

Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

Run HijackThis and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.” Please note that any items preceded by "optional" are suggested fixes that will not remove the program but may have the added benefit of freeing up some of your system’s resources.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {A6BC81D9-7349-4A5E-B79A-1DAAF1EED914} - (no file)

O2 - BHO: (no name) - {C500693C-F74B-44C2-82BC-2A500F268F75} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

OPTIONAL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

OPTIONAL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

If you placed these two following 06 item restrictions through either Spybot Search & Destroy or SpywareGuard (i.e., like locking your homepage, etc.) leave them; IF YOU DID NOT DO THIS, "fix" them with HijackThis.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


O13 - Home Prefix:

O13 - Mosaic Prefix:

O13 - FTP Prefix:

O13 - Gopher Prefix:

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

Reboot, and you should have a clean log.

Please forward the zipped file that is mentioned in your log above to Shadowwar at the provided e-mail address. Be sure to incluse a link to your post here at Major Geeks. It is to Shadowwar that thanks is owed for writing the dllfix program, as well as Mosaic1 and FreeatLast for their valuable input to him.

You're very welcome.

 

Hey Guys, I've had the same problem. Please help, I've used the zerosrealm.com that was posted above and here is my log (I appreciate the help!):--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Thu 05/20/2004
11:31a

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (0409647) - FS:NTFS clusters:4k
Total: 20 012 072 960 [19G] - Free: 13 333 041 152 [12G]


*IE version and Service packs:
5.0.2920.0 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP4;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3310.0 C:\WINNT\System32\msjava.dll


*PC uptime:
11:31am up 8 days, 20:59
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
7502a0 1116 norm SysFader
50130 1116 norm _Shell_TrayWnd
120062 1116 norm SysFader
15d01ce 1496 norm SysFader
e005e 1116 norm Fax Monitor
10016 188 high NetDDE Agent
320160 1196 norm C:\WINNT\system32\cmd.exe
a60312 1116 norm Timer
10801c6 1116 norm Timer
1bc023c 1496 norm http://majorgeeks.com/vb/showthread.php?t=32954 - Microsoft Internet Explorer
17101ba 1116 norm dllfix
e70270 1116 norm Acrobat IEHelper
8d01e6 1708 norm _Static
90186 1708 norm Browser Hijack Blaster
d0022c 1708 norm Browser Hijack Blaster
7e0232 1116 norm _ToolbarWindow32
f5023a 1116 norm MCI command handling window
64026e 1496 norm MCI command handling window
14f01d2 1496 norm Acrobat IEHelper
105028a 1496 norm DDE Server Window
76016c 1776 norm _Static
16901cc 1776 norm Browser Hijack Blaster
a40258 1776 norm Browser Hijack Blaster
5006c 1116 norm CSC Notifications Window
c0154 1116 norm Power Meter
40144 1116 norm Connections Tray
c30150 1116 norm MS_WebcheckMonitor
40134 1116 norm DDE Server Window
85017c 1272 norm RealPlayer
7702ba 1272 norm Notification Wnd for PNSetupMgr
1420212 1272 norm Audio Services Internal Messages
15b0240 1272 norm RMAEngineCommInternal
660038 1056 norm McAfee_FwClientClass
3701dc 1056 norm MCI command handling window
1007e 852 norm VShield Status
1007c 852 norm NAI_VS_STAT
227002a 1556 norm McAfee Firewall
d80378 592 norm McAfeeActiLogService
bc003e 1576 norm Auto Update Client Window
2005c 932 norm VirusScan Console
1012a 904 norm VShieldWin_Class
10026 696 norm SYSTEM AGENT COM WINDOW
10022 472 norm NetDDE
1001a 188 high MM Notify Callback
260044 1116 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E1128F1-53FA-11d5-8490-0048548030CA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9CF2F03-2AA1-454E-90D8-2632932FAF5A}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{ABB9990E-031B-4357-9859-CD504A653259}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{ABB9990E-031B-4357-9859-CD504A653259}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




 

NonSuch and chaslang, thank you so much. I will be sure to send that file.

 

Hi all,

Thank you for all of your asisstance. I have run the dllfix program and here are the results. Hope I can return the favor sometime if you have any netowrking problems.
Thanks

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Mon 05/24/2004
10:41 PM

System Info:
Microsoft Windows XP [Version 5.1.2600]
C: "" (1419:00D8) - FS:NTFS clusters:4k
Total: 79 990 845 440 [74G] - Free: 27 822 006 272 [26G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q813951;Q813489;Q818529;Q822925;Q828750;Q330994;Q824145;Q832894;Q831167;
*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
10:41pm up 0 days, 0:10
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
803b8 2028 norm SysFader
1007e 2028 norm Start Menu
4003c 2028 norm _Shell_TrayWnd
30350 2028 norm SysFader
400d0 3428 norm SysFader
10310 644 norm Norton AntiVirus
10180 696 norm ViolationDlg
20146 696 norm AutoVPNAlertDlg
10028 952 high NetDDE Agent
6003a 3428 norm MajorGeeks Message Board - about:blank browser hijack - Microsoft Internet Expl
503de 4040 norm C:\WINDOWS\System32\cmd.exe
50356 2028 norm dllfix
b03aa 2028 norm DDE Server Window
3038e 3428 norm MCI command handling window
203bc 3428 norm DDE Server Window
100ca 712 idle Tea Timer
100be 712 idle Spybot-S&D Resident
40134 1712 norm VPN-1 SecuRemote
3011a 696 norm ZoneAlarm Pro
10184 696 norm PermissionDlg
10104 1132 norm UnErase Process
5f00ea 2028 norm MS_WebcheckMonitor
4012c 2028 norm Connections Tray
3c00e2 2028 norm Power Meter
100ba 684 norm Notification Wnd for RNAdmin
100b4 644 norm ccApp
100ae 636 norm DVDSentry
10080 2028 norm Program Manager
40040 2028 norm M
40042 2028 norm Default IME
10314 644 norm M
10312 644 norm Default IME
101d6 696 norm M
101b8 696 norm M
101b6 696 norm M
10186 696 norm Default IME
60034 3428 norm M
300d2 3428 norm Default IME
403d6 2028 norm M
303da 2028 norm Default IME
6035c 3428 norm Default IME
100dc 712 idle M
100c0 712 idle Default IME
10172 1712 norm M
1015e 1712 norm Default IME
20148 696 norm Default IME
20144 696 norm Default IME
10182 696 norm Default IME
1013c 1476 norm Default IME
10108 1132 norm Default IME
6400da 2028 norm Default IME
100bc 684 norm Default IME
100b6 644 norm Default IME
100b0 636 norm Default IME
10092 2028 norm M
4004c 2028 norm Default IME
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="apitrap.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2453940F-B46F-49D2-BE9D-7EBCDCD8812C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{38672A00-A946-4A03-88BB-894DF998317E}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{38672A00-A946-4A03-88BB-894DF998317E}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
*Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

 

Group,
Sorry to come late to the party. I'm having the same "about:blank" problem. The log I produced with the dllfix program looks different from what Utlity-Hawk posted. I may have screwed this up far worse by using Hijackthis and CWShredder a couple of times, trying to boot this bug.
Below is the log that dllfix, option 1, produced for me. Any help would be greatly appreciated.
Junkadelphia

Fri 06/04/2004

12:14 PM



System Info:

Microsoft Windows XP [Version 5.1.2600]

C: "" (F86F:EB9D) - FS:NTFS clusters:4k

Total: 60 019 351 552 [56G] - Free: 27 520 352 256 [26G]





*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

*Notepad version :

? C:\WINDOWS\system32\notepad.exe

5.1.2600.0 C:\WINDOWS\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q822925;Q330994;Q828750;Q824145;





Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\RESODG.DLL +++ File read error

\\?\C:\WINDOWS\System32\RESODG.DLL +++ File read error





REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3C81CDA-0BBC-47BB-AEDE-3CACB4E6C85F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{61D8C364-4EE7-48C1-BAA8-94CCC814800F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{61D8C364-4EE7-48C1-BAA8-94CCC814800F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"



! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

Sorry to "hijack" this thread, but I am also suffering from the about: blank hijack.

Here is my dllfix.exe log. Thanks in advance.
System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (2812:6CD8) - FS:NTFS clusters:4k
Total: 18 350 563 328 [17G] - Free: 6 500 302 848 [6.1G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q330994;Q832894;Q837009;Q831167;



Locked or 'Suspect' file(s) found...


Scanning for main Hijacker:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access G\Bones
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access G\Bones

 

It looks like I have the latest adaware reference file. (it updated today)

I keep finding this in the registry.

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

I rid myself of part of the problem. A dll file that was a appinit_dll file, that was hidden in hlm\software\microsoft\windows nt\current version\windows (if you just deleted it, it would remake itself. The key to deleting it was renaming the windows part, to something like windows2, then delete it...rename the folder back to windos when done...)

I can post a new hijack this log, or the other prog log if needed.

My problem is still this. If I set my home page to about blank, this problem shows up in the registry. If I quarantine it, and change my homepage, it won't come back to the registry, unless I change my home page back to about blank...

 

Ohh, and here is my hijackthis log. Thanks again guys.



Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Rage3dTweak\Rage3DTweak\RegTwk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
E:\programs\quicktime\qttask.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\rage3dtweak\rage3dtweak\gameutil.exe
C:\Program Files\Plextor\PlexTool.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Bones\Desktop\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3dTweak\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "E:\programs\quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: PlexTools Professional.lnk = C:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38040.7127777778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

NOTE: This is cross-posted from the thread:
http://www.majorgeeks.com/vb/showthread.php?p=365191#post365191

I am having the same problem as Eric. I have followed the advice of posters in other threads on the dreaded "about:blank" problem. I have managed to rid my computer of this thing, sometimes for a few days. But it always returns.

By way of background -- I am running Windows XP Home Edition 2002. I have downloaded and/or updated the latest copies of CW Shredder, AdAware and Spybot. I have also deleted these files several tims using HijackThis. [Previously, I posted the log in another thread.]

I have done this with system restore turned off. And it keeps coming back. CW Shredder sometimes notices about:blank and sometimes does not. AdAware and Spybot find it every time and I delete. And still this thing returns.

I would any help and advice.

 

Hi,This hijack F___ed me off 4 a while.I ran Hijack-this then found the culprit dll,mine was mpjhama.dll. all i did was rename the dll to xx.dll and this fixed the problem.Not an absolute fix but it at least it gives you back your own homepage.

 

i sure hope someone can help me out, adware keeps on showing 8 files theres 2 about blanks in my registory and 6 sp.html which i think are the problem, i only see 6 sphtmls and 1 about blank link in highjackthis , how can i delete em , cause ofc they keep on comming back, so wich dll should i delete? my hijackthis log : (sure hope i get a quick respond, thnx again)

Logfile of HijackThis v1.97.7
Scan saved at 17:28:15, on 28-6-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ironhead1\Bureaublad\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\IRONHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\IRONHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\IRONHE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\IRONHE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\IRONHE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\IRONHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxi.telenet.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {949399A3-C57D-47E6-8F8D-07152A512EFB} - C:\WINNT\system32\ejn.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\spywarescan\freescan.exe -FastScan
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab