xDail0x Posted May 25, 2005

I have been experiencing a problem with Internet Explorer. Always About:Blank.... Can someone help me?

Logfile of HijackThis v1.99.1
Scan saved at 12:19:44 AM, on 5/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Dan Posted May 25, 2005 (edited)

Hi,

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program. AboutBuster MUST be updated before you use it. Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Don't run it yet.

Please download and install AD-Aware. Check Here on how to set up and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops.biz/modules.php?name=Forums&file=download&id=3002
http://www.mytechsupport.ca/helpwithpcs/up...rviceremove.zip

Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWSshtreder.exe

Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigham.zen.co.uk/downloads/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:

Important Step

1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called:

PLACE SERVICE FILE HERE

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.

2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

PROCESSES TO BE STOPPED

If you find the files, click on them, and then click End Process => Exit the Task Manager.

4. CLOSE ALL WINDOWS AND BROWSERS. Scan with Hijack This and put checks next to all the following, then click "Fix Checked":

HJT FIXES HERE

5. Delete the following files if present:

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

FILE DELETIONS HERE

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

6. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

13. Download and run this online virus scan:

Make sure you check "AutoClean", then reboot and post a fresh Hijack This log to see how we did.

Edited May 25, 2005 by dknoppix

xDail0x Posted May 27, 2005

You are missing the part where I am supposed to click on the service.. I cannot find

\\
Here's the fix:

Important Step

1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called:

~~~~>Right here<~~~~
PLACE SERVICE FILE HERE

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.
\\

Dan Posted May 27, 2005

er... Sorry, my mistake... Sorry about the delay..

----

Hi,

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program. AboutBuster MUST be updated before you use it. Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Don't run it yet.

Please download and install AD-Aware. Check Here on how to set up and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops.biz/modules.php?name=Forums&file=download&id=3002
http://www.mytechsupport.ca/helpwithpcs/up...rviceremove.zip

Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWSshtreder.exe

Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigham.zen.co.uk/downloads/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

Important Step

1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called:

Remote Procedure Call (RPC) Helper

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.

2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

ntkw32.exe
apigf.exe

If you find the files, click on them, and then click End Process => Exit the Task Manager.

4. CLOSE ALL WINDOWS AND BROWSERS. Scan with Hijack This and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqiet.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dqiet.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dqiet.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqiet.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dqiet.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dqiet.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dqiet.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BC0FF74A-7E39-79D3-0B70-06EC5F199D5F} - C:\WINDOWS\netfh32.dll
O4 - HKLM\..\Run: [os2T3ni] wldtml.exe
O4 - HKLM\..\Run: [ntkw32.exe] C:\WINDOWS\system32\ntkw32.exe
O4 - HKCU\..\Run: [ZBt3RhGFU] lffmgr10.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apigf.exe" /s (file missing)

5. Delete the following files if present:

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

C:\WINDOWS\system32\apigf.exe
C:\WINDOWS\system32\ntkw32.exe

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

Press Start --> Find. Find the following files and delete them:

wldtml.exe
lffmgr10.exe

6. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press "Restore Original Hosts" and press "OK". Exit Program.

13. Download and run this online virus scan:
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you check "AutoClean".

Then reboot and post a fresh Hijack This log as well as an About:Buster log to see how we did.

dk

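As an added illustration, not part of the thread and not code from HijackThis: a small Python triage pass that flags the kinds of entries that appear on Dan's fix list (IE pages loaded from a res:// DLL resource, autostart commands with no directory path, Trusted-zone and ProtocolDefaults changes, services with an unknown owner or missing file). The heuristics, the SEARCH_PATH_OK allowlist and the Example* sample entries are assumptions made for this example; a flag marks an entry for review, as the constructed benign exampletool.exe entry shows.

```python
import re

# HijackThis 1.99 starts every finding with a section code: "O4 - ...".
LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# O4 registry autostart: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run[^:]*: \[(.*?)\] (.*)$")
# Assumption for this example: hosts that are normally started by bare name.
SEARCH_PATH_OK = {"rundll32.exe"}

# Entries with "Example"/"Ex" names are constructed for this example;
# the other entries are copied from the fix list in Dan's post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqiet.dll/sp.html#28129
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" -boot
O4 - HKLM\..\Run: [ExampleTray] RUNDLL32.EXE C:\WINDOWS\System32\example.dll,Init
O4 - HKLM\..\Run: [ExampleTool] exampletool.exe /install
O4 - HKCU\..\Run: [ZBt3RhGFU] lffmgr10.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: Example Helper (ExHelper) - Unknown owner - C:\WINDOWS\system32\exhelper.exe (file missing)
O23 - Service: Example Display Service (ExSvc) - Example Corp - C:\WINDOWS\System32\exsvc.exe
"""


def parse(log_text):
    """Return (code, detail) pairs for every finding line in a log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append((m.group(1), m.group(2)))
    return findings


def first_token(command):
    """Program part of a command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def review_reasons(code, detail):
    """Reasons (possibly none) why one finding deserves a closer look."""
    reasons = []
    if code in ("R0", "R1") and " = res://" in detail:
        reasons.append("IE page setting points at a res:// resource in a local DLL")
    if code == "O4":
        m = RUN_RE.match(detail)
        if m:
            prog = first_token(m.group(2))
            if "\\" not in prog and prog.lower() not in SEARCH_PATH_OK:
                reasons.append("autostart command has no directory path")
    if code == "O15":
        if detail.startswith("ProtocolDefaults:"):
            reasons.append("protocol mapped to a different security zone")
        elif detail.startswith(("Trusted Zone:", "Trusted IP range:")):
            reasons.append("entry added to the Trusted zone")
    if code == "O23" and ("Unknown owner" in detail or "(file missing)" in detail):
        reasons.append("service reports an unknown owner or a missing file")
    return reasons


def triage(log_text):
    """Map each finding that needs review to its list of reasons."""
    flagged = {}
    for code, detail in parse(log_text):
        reasons = review_reasons(code, detail)
        if reasons:
            flagged[f"{code} - {detail}"] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(f"REVIEW  {line}\n        -> {'; '.join(reasons)}")
```
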
xDail0x Posted May 28, 2005

Thanks for your help. Here are the log files you asked for.

Logfile of HijackThis v1.99.1
Scan saved at 11:12:33 AM, on 5/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Scanned at: 12:25:44 AM on: 5/28/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Dan Posted May 29, 2005

Hi,

Just wanted to let you know that I am away for the weekend, and probably will get you an answer tomorrow morning.

dk

Dan Posted May 30, 2005

Hi,

Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
http://www.mvps.org/winhelp2002/DelDomains.inf

Save the file to the desktop. Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.

Now, open HijackThis, click the "Scan" button, and check the following items (if still present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKCU\..\Run: [ZBt3RhGFU] lffmgr10.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

Close all windows except HijackThis, and click the "Fix Checked" button.

Press Start-->Find. Find the following file and delete it:

lffmgr10.exe

Reboot and post a new log.

dk