Author Topic: about blank aswell  (Read 2097 times)

owen

  • Guest
about blank aswell
« on: March 24, 2005, 05:11:43 PM »
Hello guestolo,
I also have the same problem as a lot of other people on this forum: my home page is, yes you guessed it, about:blank.
I tried following your solution for somebody else's hijack log to get the sort of idea of what to do, but it hasn't worked.
Anyway, here is my hijack log. I'm sure you're a very busy person sorting out everyone's spyware stuff, but if you get a chance could you please have a look at mine. Thank you very much.
owen :)

Logfile of HijackThis v1.99.1
Scan saved at 21:57:41, on 24/03/2005
Platform: Windows 2000  (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Desktop\nina\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {4BB01396-218E-4E73-B874-649AA011B0AF} - C:\WINNT\System32\ijbl.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {23825487-92CD-42EE-BE6A-2153BBA521C2} - C:\WINNT\System32\ijbl.dll
O18 - Filter: text/plain - {23825487-92CD-42EE-BE6A-2153BBA521C2} - C:\WINNT\System32\ijbl.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe

Offline guestolo

  • Administrator
« Reply #1 on: March 26, 2005, 12:02:54 AM »
Guest owen, I'm sorry I missed your post.
If you still need a hand, please register and post back a fresh HijackThis log.



Offline owen

« Reply #2 on: March 28, 2005, 01:33:29 PM »
Hi guestolo,
I've registered now and here is my log file. I thought I might have deleted some things I shouldn't have using HijackThis, so I restored all the backups just before creating this log.
Thanks for looking.
Regards, owen :)

Logfile of HijackThis v1.99.1
Scan saved at 19:38:14, on 28/03/2005
Platform: Windows 2000  (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Desktop\nina\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4BB01396-218E-4E73-B874-649AA011B0AF} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D0506AB-8CB3-4631-A7EC-7CAC99C31AA5} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {9B8C9419-C1CA-488D-8FD6-7F264078BF57} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {F1241467-FAA5-424B-B76F-87861125EA45} - C:\WINNT\System32\ijbl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: Pika Backup.lnk = C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O18 - Filter: text/html - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll
O18 - Filter: text/plain - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe

Offline guestolo

  • Administrator
« Reply #3 on: March 28, 2005, 09:03:05 PM »
Download Startdreck.zip

Unzip it to its own folder

run StartDreck.exe:
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post this log

Also
Download DLLCompare

Start the Program and click the Run Locate.com
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button and post it back here
« Last Edit: March 28, 2005, 09:39:56 PM by guestolo »



Offline owen

« Reply #4 on: March 29, 2005, 11:42:52 AM »
Hello guestolo,
This is the StartDreck log and the DLLCompare log.
Thanks again,
owen

StartDreck (build 2.1.7 public stable) - 2005-03-29 @ 17:43:27 (GMT +01:00)
Platform: Windows 2000 (Win NT 5.0.2195 )
Internet Explorer: 5.00.2920.0000
Logged in as Any User at ANY-0C83B2LVGI6

»Registry
 »Run Keys
  »Current User
   »Run
    +nView
     *NVIEW=rundll32.exe nview.dll,nViewLoadHook
   »RunOnce
  »Default User
   »Run
   »RunOnce
    *^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
  »Local Machine
   »Run
    *sp=rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall
    *Synchronization Manager=mobsync.exe /logon
    *NvCplDaemon=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    *NeroCheck=C:\WINNT\System32\NeroCheck.exe
    *TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    *Speed racer=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    *QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
    *AudioHQ=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    *HPDJ Taskbar Utility=C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
    *InCD=C:\Program Files\ahead\InCD\InCD.exe
    *APVXDWIN="C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
    *UpdReg=C:\WINNT\Updreg.exe
    *nwiz=nwiz.exe /install
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
   »RunOnce
   »RunServices
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »Browser Helper Objects (LM)
  *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   `InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
  *{4BB01396-218E-4E73-B874-649AA011B0AF}
   `InprocServer32=C:\WINNT\System32\ijbl.dll
  *{53707962-6F74-2D53-2644-206D7942484F}
   `InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  *{8D0506AB-8CB3-4631-A7EC-7CAC99C31AA5}
   `InprocServer32=C:\WINNT\System32\ijbl.dll
  *{9B8C9419-C1CA-488D-8FD6-7F264078BF57}
   `InprocServer32=C:\WINNT\System32\ijbl.dll
  *{F1241467-FAA5-424B-B76F-87861125EA45}
   `InprocServer32=C:\WINNT\System32\ijbl.dll
»Files
»System/Drivers
 »Running Processes
  +0=<idle>
  +8=<system>
  +144=\SystemRoot\System32\smss.exe
  +172=\??\C:\WINNT\system32\csrss.exe
  +192=\??\C:\WINNT\system32\winlogon.exe
  +220=C:\WINNT\system32\services.exe
  +232=C:\WINNT\system32\lsass.exe
  +488=C:\WINNT\system32\svchost.exe
  +524=C:\WINNT\system32\spoolsv.exe
  +568=C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
  +584=C:\WINNT\System32\CTsvcCDA.exe
  +600=C:\WINNT\System32\svchost.exe
  +636=C:\WINNT\System32\nvsvc32.exe
  +652=C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
  +712=C:\WINNT\system32\regsvc.exe
  +696=C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
  +700=C:\WINNT\system32\MSTask.exe
  +788=C:\WINNT\system32\stisvc.exe
  +844=C:\WINNT\System32\WBEM\WinMgmt.exe
  +1188=C:\WINNT\Explorer.exe
  +1248=C:\WINNT\System32\rundll32.exe
  +908=C:\WINNT\System32\devldr32.exe
  +1204=C:\WINNT\System32\rundll32.exe
  +1288=C:\Program Files\Internet Explorer\iexplore.exe
  +1148=C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Desktop\nina\startdreck\StartDreck.exe
»Application specific



*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,222 items found:  1,222 files, 0 directories.
Total of file sizes:  218,905,819 bytes    208.76 M

Administrator Account =  True

AppInit_DLLs value = NVDESK32.DLL (not hidden)
--------------------End log---------------------

Offline owen

« Reply #5 on: March 29, 2005, 11:51:39 AM »
Hello again,
I ran DLLCompare looking for *.* rather than just *.dll, and a few popped up and I rescanned them all. I don't know if you wanted this, but here is the log anyway.
Regards,
owen

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\cdi5t.drv      Tue 16 Apr 2002  11:27:54   A.SH.              5     0.00 K
C:\WINNT\SYSTEM32\desktop.ini    Sun 15 Aug 2004  14:04:40   ...H.            271     0.26 K
C:\WINNT\SYSTEM32\folder.htt     Sun 15 Aug 2004  14:04:40   ...H.         21,692    21.18 K
________________________________________________

1,981 items found:  1,949 files (4 H/S), 32 directories (2 H/S).
Total of file sizes:  306,911,865 bytes    292.69 M

Administrator Account =  True

AppInit_DLLs value = NVDESK32.DLL (not hidden)
--------------------End log---------------------

Offline guestolo

  • Administrator
« Reply #6 on: March 29, 2005, 04:25:41 PM »
Download and save to Desktop
SpSeHjFix110.zip
Unzip the contents, so you now have SpSeHjfix110.exe on your desktop

===Download and install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup
Install for now, don't run a scan yet

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Find and delete this file, if found
C:\WINNT\System32\ijbl.dll <--this file

Stay in safe mode

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {4BB01396-218E-4E73-B874-649AA011B0AF} - C:\WINNT\System32\ijbl.dll

O2 - BHO: (no name) - {8D0506AB-8CB3-4631-A7EC-7CAC99C31AA5} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {9B8C9419-C1CA-488D-8FD6-7F264078BF57} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {F1241467-FAA5-424B-B76F-87861125EA45} - C:\WINNT\System32\ijbl.dll

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall

O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - Startup: PowerReg Scheduler V3.exe

O18 - Filter: text/html - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll
O18 - Filter: text/plain - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll




After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off or restart yet

Instead run SpSeHjfix110.exe and click the START Disinfection
It should Reboot your computer after you run it, if not

Restart your computer back to Normal mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab, click "Reset Web Settings".
Under the General tab, reset the home page.


Afterwards post back a fresh Hijackthis log,
And the log from SpSeHjfix110.exe
Could you also post a fresh StartDreck log

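The entries guestolo ticks above are the fingerprint of this hijack: IE pages forced to about:blank or to a res:// URL inside a DLL in the Temp folder, a Run key that loads that DLL with rundll32, text/html and text/plain filters bound to a DLL in System32, and unnamed BHOs pointing at the same DLL. As an added example (not code from the thread, from HijackThis or from any of the tools named here), a small Python triage script that parses HijackThis entry lines and flags that pattern, correlating the O18 filter DLL with the O2 BHOs; the sample log is constructed from the entries posted above plus two legitimate BHOs that must not be flagged.

```python
"""Triage a HijackThis v1.99 log for the about:blank / se.dll search hijack
seen in this thread. Example code written for this page, not part of
HijackThis; SAMPLE_LOG is constructed from the entries posted in the thread."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1 (constructed sample, not a full log)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4BB01396-218E-4E73-B874-649AA011B0AF} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O18 - Filter: text/html - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll
O18 - Filter: text/plain - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
"""

# One "Rn - body" or "Onn - body" entry per line; header lines do not match.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# A DLL loaded from a Temp directory, e.g. \Temp\se.dll (8.3 paths included).
TEMP_DLL_RE = re.compile(r"\\temp\\[^\\/,\s]+\.dll", re.IGNORECASE)
# First absolute path ending in .dll or .ocx; pulls the module out of
# O2 / O4 / O18 entries (paths with spaces included).
MODULE_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|ocx))", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def parse_entries(text):
    """Return (kind, body, line) triples for every HijackThis entry line."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2), raw.strip()))
    return out


def module_of(body):
    """Lower-cased DLL/OCX path named in an entry body, or None."""
    m = MODULE_RE.search(body)
    return m.group(1).lower() if m else None


def triage(text):
    """Return the list of Findings for a HijackThis log."""
    entries = parse_entries(text)
    findings = []
    # Pass 1: O18 MIME filters. A text/html or text/plain filter lets a DLL
    # rewrite every page IE renders; in this thread it is the hijack's hook,
    # so every such filter is reported and its DLL remembered for pass 2.
    filter_dlls = set()
    for kind, body, line in entries:
        if kind == "O18" and body.startswith("Filter: text/"):
            dll = module_of(body)
            if dll:
                filter_dlls.add(dll)
            findings.append(Finding(line, "MIME filter registered for text/*"))
    # Pass 2: R0/R1 pages, BHOs and Run keys, correlated against those DLLs.
    for kind, body, line in entries:
        if kind in ("R0", "R1"):
            value = body.split("=", 1)[1].strip().lower() if "=" in body else ""
            if value == "about:blank":
                findings.append(Finding(line, "IE page forced to about:blank"))
            elif value.startswith("res://") and TEMP_DLL_RE.search(value):
                findings.append(Finding(line, "IE page served from a Temp-folder DLL"))
        elif kind == "O2":
            dll = module_of(body)
            if dll and dll in filter_dlls:
                findings.append(Finding(line, "BHO uses the same DLL as a MIME filter"))
            elif dll and TEMP_DLL_RE.search(dll):
                findings.append(Finding(line, "BHO loaded from a Temp folder"))
        elif kind == "O4":
            dll = module_of(body)
            if TEMP_DLL_RE.search(body):
                findings.append(Finding(line, "Run key loads a DLL from a Temp folder"))
            elif dll and dll in filter_dlls:
                findings.append(Finding(line, "Run key loads the MIME filter DLL"))
    return findings


def flagged_lines(text):
    """Convenience wrapper: just the set of entry lines worth fixing."""
    return {f.line for f in triage(text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.line}")
```

Known-good BHOs such as the Acrobat helper and Spybot's SDHelper are not flagged because the script keys on correlation with a MIME filter or a Temp-folder path, not on the "(no name)" label alone.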


Offline owen

« Reply #7 on: March 30, 2005, 07:08:12 PM »
Hi guestolo,
I've done what you asked in your last post and it seems to have sorted out my problem. I couldn't delete the file
C:\WINNT\system32\ijbl.dll
when I found it; the computer said it was in use. But the rest of the instructions seem to have fixed it. Here are the HijackThis, SpSeHjFix111 and StartDreck logs anyway.
Please tell me if anything still looks amiss to you.
Thank you very much for all your help.
owen :D

Logfile of HijackThis v1.99.1
Scan saved at 01:03:08, on 31/03/2005
Platform: Windows 2000  (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Desktop\nina\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: Pika Backup.lnk = C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe



(3/31/05 00:50:38) SPSeHjFix started v1.1.1
(3/31/05 00:50:38) OS: Win2000  (5.0.2195)
(3/31/05 00:50:38) Language: english
(3/31/05 00:50:45) Disinfection started
(3/31/05 00:50:45) Bad-Dll(IEP): c:\docume~1\anyuse~1.any\locals~1\temp\se.dll
(3/31/05 00:50:45) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINNT\System32\ijbl.dll
(3/31/05 00:50:45) Searchassistant Uninstaller - Keys Deleted
(3/31/05 00:50:45) FilterKey: HKCR\text/html (deleted)
(3/31/05 00:50:45) FilterKey: HKCR\CLSID\{860D3C78-6CCA-4CB4-969A-9FD87EC6DD5B} (deleted)
(3/31/05 00:50:45) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(3/31/05 00:50:45) FilterKey: HKCR\text/plain (deleted)
(3/31/05 00:50:45) FilterKey: HKCR\CLSID\{860D3C78-6CCA-4CB4-969A-9FD87EC6DD5B} (error while deleting)
(3/31/05 00:50:45) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(3/31/05 00:50:45) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC3AA9C6-B511-4936-9EF6-35C83DC820C0} (deleted)
(3/31/05 00:50:45) BHO-Key: HKCR\CLSID\{AC3AA9C6-B511-4936-9EF6-35C83DC820C0} (deleted)
(3/31/05 00:50:45) UBF: 6
(3/31/05 00:50:45) UBB: 2
(3/31/05 00:50:45) UBR: 12
(3/31/05 00:50:45) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(3/31/05 00:50:45) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\anyuse~1.any\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\anyuse~1.any\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(3/31/05 00:50:45) Stealth-String not found
(3/31/05 00:50:45) Temp-Files delete on Reboot
(3/31/05 00:50:45) File added to delete: c:\winnt\system32\ijbl.dll
(3/31/05 00:50:45) File added to delete: c:\docume~1\anyuse~1.any\locals~1\temp\se.dll
(3/31/05 00:50:45) File added to delete: c:\docume~1\anyuse~1.any\locals~1\temp\~df5db1.tmp
(3/31/05 00:50:45) Reboot


(3/31/05 00:54:33) SPSeHjFix started v1.1.1
(3/31/05 00:54:33) OS: Win2000  (5.0.2195)
(3/31/05 00:54:33) Language: english
(3/31/05 00:55:20) Disinfection started
(3/31/05 00:55:20) Bad-Dll(IEP): (not found)
(3/31/05 00:55:20) Bad-Dll(IEP) in BHO: (not found)
(3/31/05 00:55:20) UBF: 4
(3/31/05 00:55:20) UBB: 1
(3/31/05 00:55:20) UBR: 12
(3/31/05 00:55:20) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(3/31/05 00:55:20) Bad IE-pages: (none)
(3/31/05 00:55:20) Stealth-String not found
(3/31/05 00:55:20) Temp-Files delete on Reboot
(3/31/05 00:55:20) File added to delete: c:\docume~1\anyuse~1.any\locals~1\temp\se.dll
(3/31/05 00:55:20) File added to delete: c:\docume~1\anyuse~1.any\locals~1\temp\~dfd30c.tmp
(3/31/05 00:55:20) Reboot


(3/31/05 01:03:41) SPSeHjFix started v1.1.1
(3/31/05 01:03:41) OS: Win2000  (5.0.2195)
(3/31/05 01:03:41) Language: english
(3/31/05 01:03:50) Disinfection started
(3/31/05 01:03:50) Bad-Dll(IEP): (not found)
(3/31/05 01:03:50) Bad-Dll(IEP) in BHO: (not found)
(3/31/05 01:03:50) UBF: 4
(3/31/05 01:03:50) UBB: 1
(3/31/05 01:03:50) UBR: 10
(3/31/05 01:03:50) Bad IE-pages: (none)
(3/31/05 01:03:50) Stealth-String not found
(3/31/05 01:03:50) Not infected->END


StartDreck (build 2.1.7 public stable) - 2005-03-31 @ 01:04:43 (GMT +01:00)
Platform: Windows 2000 (Win NT 5.0.2195 )
Internet Explorer: 5.00.2920.0000
Logged in as Any User at ANY-0C83B2LVGI6

»Registry
 »Run Keys
  »Current User
   »Run
    +nView
     *NVIEW=rundll32.exe nview.dll,nViewLoadHook
   »RunOnce
  »Default User
   »Run
   »RunOnce
    *^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
  »Local Machine
   »Run
    *Synchronization Manager=mobsync.exe /logon
    *NvCplDaemon=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    *NeroCheck=C:\WINNT\System32\NeroCheck.exe
    *TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    *Speed racer=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    *QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
    *AudioHQ=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    *HPDJ Taskbar Utility=C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
    *InCD=C:\Program Files\ahead\InCD\InCD.exe
    *APVXDWIN="C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
    *nwiz=nwiz.exe /install
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
   »RunOnce
   »RunServices
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »File Associations (CR)
  +.bat
   *batfile="%1" %*
  +.com
   *comfile="%1" %*
  +.disabled
   *SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
  +.exe
   *exefile="%1" %*
  +.hta
   *htafile=C:\WINNT\System32\mshta.exe "%1" %*
  +.htm
   *htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  +.html
   *htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  +.js
   *JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.jse
   *JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.pif
   *piffile="%1" %*
  +.reg
   *regfile=regedit.exe "%1"
  +.scr
   *scrfile="%1" /S
  +.txt
   *txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
  +.vbs
   *VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.vbe
   *VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsh
   *WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsf
   *WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.lnk
   `lnkfile= [key or value does not exist]
 »Browser Helper Objects (LM)
  *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   `InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
  *{53707962-6F74-2D53-2644-206D7942484F}
   `InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
»Files
 »Autostart Folders
  »Current User
   *C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Start Menu\Programs\Startup\Pika Backup.lnk
  »Default User
  »Local Machine
   *C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Acrobat Assistant.lnk
   *C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
 »INI-Files
  »WIN.INI\[windows]
   *LOAD=
   *RUN=
  »SYSTEM.INI\[boot]
   *SHELL=Explorer.exe
 »Text Files
  *C:\boot.ini
  *C:\msdos.sys
  *C:\config.sys
  *C:\WINNT\System32\config.nt
  *C:\autoexec.bat
  *C:\WINNT\System32\autoexec.nt
  *C:\WINNT\System32\drivers\etc\hosts
»System/Drivers
 »Running Processes
  +0=<idle>
  +8=<system>
  +148=\SystemRoot\System32\smss.exe
  +172=\??\C:\WINNT\system32\csrss.exe
  +168=\??\C:\WINNT\system32\winlogon.exe
  +220=C:\WINNT\system32\services.exe
  +232=C:\WINNT\system32\lsass.exe
  +496=C:\WINNT\system32\svchost.exe
  +520=C:\WINNT\system32\spoolsv.exe
  +572=C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
  +588=C:\WINNT\System32\CTsvcCDA.exe
  +604=C:\WINNT\System32\svchost.exe
  +640=C:\WINNT\System32\nvsvc32.exe
  +656=C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
  +120=C:\WINNT\system32\regsvc.exe
  +716=C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
  +740=C:\WINNT\system32\MSTask.exe
  +772=C:\WINNT\system32\stisvc.exe
  +808=C:\WINNT\System32\WBEM\WinMgmt.exe
  +1004=C:\WINNT\Explorer.exe
  +1160=C:\WINNT\System32\devldr32.exe
  +1208=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
  +1132=C:\WINNT\System32\RUNDLL32.EXE
  +1268=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  +1308=C:\Program Files\QuickTime\qttask.exe
  +1328=C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
  +1372=C:\Program Files\ahead\InCD\InCD.exe
  +1388=C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
  +1416=C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
  +684=C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
  +1396=C:\WINNT\System32\rundll32.exe
  +900=C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
  +1340=C:\WINNT\system32\NOTEPAD.EXE
  +620=C:\WINNT\system32\NOTEPAD.EXE
  +260=C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Desktop\nina\startdreck\StartDreck.exe
 »NT Services
  *Alerter   Alerter   -   on demand
  *Application Management   AppMgmt   -   on demand
  *Computer Browser   Browser   running   auto
  *C-DillaSrv   C-DillaSrv   running   auto
  *Indexing Service   cisvc   -   on demand
  *ClipBook   ClipSrv   -   on demand
  *Creative Service for CDROM Access   Creative Service for   running   auto
  *DHCP Client   Dhcp   running   auto
  *Logical Disk Manager Administrative Service   dmadmin   -   on demand
  *Logical Disk Manager   dmserver   running   auto
  *DNS Client   Dnscache   running   auto
  *Event Log   Eventlog   running   auto
  *COM+ Event System   EventSystem   running   on demand
  *Fax Service   Fax   -   on demand
  *Server   lanmanserver   running   auto
  *Workstation   lanmanworkstation   running   auto
  *TCP/IP NetBIOS Helper Service   LmHosts   running   auto
  *Messenger   Messenger   running   auto
  *NetMeeting Remote Desktop Sharing   mnmsrvc   -   on demand
  *Distributed Transaction Coordinator   MSDTC   -   on demand
  *Windows Installer   MSIServer   -   on demand
  *Network DDE   NetDDE   -   on demand
  *Network DDE DSDM   NetDDEdsdm   -   on demand
  *Net Logon   Netlogon   -   on demand
  *Network Connections   Netman   running   on demand
  *NT LM Security Support Provider   NtLmSsp   -   on demand
  *Removable Storage   NtmsSvc   running   auto
  *NVIDIA Driver Helper Service   NVSvc   running   auto
  *Panda anti-virus service   PAVSRV   running   auto
  *Plug and Play   PlugPlay   running   auto
  *IPSEC Policy Agent   PolicyAgent   running   auto
  *Protected Storage   ProtectedStorage   running   auto
  *Remote Access Auto Connection Manager   RasAuto   -   on demand
  *Remote Access Connection Manager   RasMan   running   on demand
  *Routing and Remote Access   RemoteAccess   -   disabled
  *Remote Registry Service   RemoteRegistry   running   auto
  *Remote Procedure Call (RPC) Locator   RpcLocator   -   on demand
  *Remote Procedure Call (RPC)   RpcSs   running   auto
  *QoS RSVP   RSVP   -   on demand
  *Security Accounts Manager   SamSs   running   auto
  *Smart Card Helper   SCardDrv   -   on demand
  *Smart Card   SCardSvr   -   on demand
  *Task Scheduler   Schedule   running   auto
  *RunAs Service   seclogon   running   auto
  *System Event Notification   SENS   running   auto
  *Internet Connection Sharing   SharedAccess   -   on demand
  *Print Spooler   Spooler   running   auto
  *Still Image Service   StiSvc   running   auto
  *Performance Logs and Alerts   SysmonLog   -   on demand
  *Telephony   TapiSrv   running   on demand
  *Telnet   TlntSvr   -   on demand
  *Distributed Link Tracking Client   TrkWks   running   auto
  *Uninterruptible Power Supply   UPS   -   on demand
  *Utility Manager   UtilMan   -   on demand
  *Windows Time   W32Time   -   on demand
  *Windows Management Instrumentation   WinMgmt   running   auto
  *Windows Management Instrumentation Driver Extensions   Wmi   running   on demand
»Application specific

guestolo
about blank aswell
« Reply #8 on: March 30, 2005, 08:12:49 PM »
That's looking better, but by the lack of Windows updates you will probably get reinfected
You should visit Windows Updates and get all latest Critical updates and Service Packs
Don't install the Recommended updates unless preferred

Restart your machine when prompted and go back to Windows updates until there are no more Critical and Service Packs to Install

When that's done
You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

I also see Messenger service running, this can allow popups even when you're not online>>This is not the same as MSN Messenger
Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Messenger

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
« Last Edit: March 30, 2005, 08:15:52 PM by guestolo »
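As an added example (not part of this thread and not a tool the poster used), the check guestolo made by eye on the StartDreck "NT Services" section can be scripted: parse each `*DisplayName   ShortName   state   startup` line and flag any service on a watchlist that is not already both stopped and disabled. The log excerpt below is constructed in the layout shown above; the watchlist defaults to Messenger, the only service the reply singles out, but any short name can be passed in.

```python
"""Parse the 'NT Services' section of a StartDreck log and flag services
that should be stopped and set to Disabled (the reply's Messenger check)."""
import re
from dataclasses import dataclass

# Constructed excerpt in the StartDreck layout used in this thread (assumed format:
# fields separated by runs of three or more spaces, state is 'running' or '-').
SAMPLE_LOG = """\
»System/Drivers
 »NT Services
  *Alerter   Alerter   -   on demand
  *Messenger   Messenger   running   auto
  *Telnet   TlntSvr   -   on demand
  *Routing and Remote Access   RemoteAccess   -   disabled
  *Remote Registry Service   RemoteRegistry   running   auto
  *Windows Management Instrumentation Driver Extensions   Wmi   running   on demand
»Application specific
"""


@dataclass
class Service:
    display_name: str
    name: str       # service short name, as used by services.msc / sc
    state: str      # 'running' or '-' (stopped) in StartDreck output
    startup: str    # 'auto', 'on demand' or 'disabled'


def parse_nt_services(text):
    """Return the Service entries found under the '»NT Services' header."""
    services = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("»"):
            # Any header line starts/ends a section; only NT Services interests us.
            in_section = (line == "»NT Services")
            continue
        if not in_section or not line.startswith("*"):
            continue
        fields = re.split(r"\s{3,}", line[1:])
        if len(fields) != 4:
            continue  # skip lines that do not match the four-column layout
        services.append(Service(*fields))
    return services


def flag_services(services, watchlist=frozenset({"Messenger"})):
    """Services on the watchlist that are not already stopped AND disabled.

    A service that is merely stopped ('-') but still 'auto' or 'on demand'
    will come back, which is why the reply asks for Disabled as well.
    """
    return [
        s for s in services
        if s.name in watchlist and not (s.state == "-" and s.startup == "disabled")
    ]


if __name__ == "__main__":
    for svc in flag_services(parse_nt_services(SAMPLE_LOG)):
        print(f"review: {svc.display_name} ({svc.name}) is {svc.state}, startup={svc.startup}")
```

Run it on a saved StartDreck log in place of `SAMPLE_LOG`; anything it prints is a service to stop and set to Disabled in services.msc, exactly as described for Messenger above.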
