Wilders Security Forums  

#1
July 2nd, 2004, 11:38 PM
pungkow
Infrequent Poster
Join Date: Jun 2004
Posts: 16
Trojan horse BackDoor.Agent.BA

Hello. I've been having a huge problem with this virus. Sometimes when I log in, or start up certain programs, it restarts my computer. I know where it's found. My AVG antivirus has found it multiple times, and in fact the alert telling me that it's there simply won't go away, no matter how many times I click it away. It's found in c:\windows\system32\kbdnb.dll

I can actually do a search for the file and click delete on it, but I just get this warning message: cannot delete kbdnb: access is denied.
Make sure that the disk is not full or write protected and that the file is not in use.

I've tried multiple things to disable it. I've gone into Task Manager and disabled kbd.exe, which I'm sure is the virus operating, and I've even found kbd installed and uninstalled it, but I can't get rid of the virus itself.

So today I logged in under admin mode and attempted the same search for it. I found it and attempted deleting it, getting the same response.

Both my dad and I are completely out of ideas on what to do. We need help.
#2
July 3rd, 2004, 12:50 AM
Jooske
Incredibly Massive Poster
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Trojan horse BackDoor.Agent.BA

Hi there and welcome to the forum.

I don't think this is TDS related, as I don't see in your description that you're running TDS to clean your system.
If not, download it at www.diamondcs.com.au to scan and clean your system.
After installing and rebooting, get back to the site for the latest database update, start TDS, set it to scan everything and close all other scanners (your AVG: open the AVG GUI, uncheck all scan options and resident protection to close it) during that, so TDS has free access to every file on your system. It can take a while, so close every unnecessary application and browser at that time and step away from the computer during the Full System Scan.
In the end, in the bottom console you'll see some alerts; right-click on one of them to save to a txt file; this is the scandump.txt in the TDS directory. Please post that in your next posting here; don't fix anything yet, just post that scan result.


kbd.exe has nothing to do with your keyboard, for instance? In that case you would not be able to kill it or your keyboard would not work anymore, but ......
Look here:
WinTasks Process Library
kbd - kbd.exe - Process Information
Process File: kbd or kbd.exe
Process Name: Kbd
Description: Multimedia keyboard manager for Logitech keyboards and is required if you use the multimedia keys.
Company: Logitech
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A

So I would NOT kill nor delete that one!

kbdnb.dll
That one I did not find, so I'm not sure.
You might like to get Faber Toys at www.faberbox.com and look in the dependencies listing to see if those have to do with each other.
Look in the running processes, look for that kbd.exe, and in the bottom box the related processes / dlls show up.

The same you can do with TDS > System Analysis > Process List: search for the kbd.exe and look at all files related, while you can scan them instantly for trojans.


If AVG detects it, it should be able to deal with it.
In safe mode you could try to rename it so it won't run and you can find the other parts of it.

I Googled around more for you, and found these three threads to be rather helpful:
http://www.faqfarm.com/Computer/Virus/Backdoor/36401
http://www.sophos.com/virusinfo/anal...ojbdoorba.html
http://www.computing.net/security/ww...rum/12255.html
Especially the third, with solutions.
I see also that for everybody it is hidden in another filename, so I hope it did not infect a normal legal system file you could need!

Is it not an option for you to go back to a few days older system restore point?

I would advise, before you do anything in the registry, to please post your HijackThis log in the forum as explained below here, to get step-by-step expert cleansing!
Did you already post the HijackThis.log in that forum? Read how to create it and post it in that same forum: http://www.wilderssecurity.com/showthread.php?t=15913
and wait for an expert to look into your log.
__________________
Jooske
"o_o"

Last edited by Jooske : July 3rd, 2004 at 01:37 AM.
#3
July 3rd, 2004, 05:06 AM
Jooske
Incredibly Massive Poster
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Trojan horse BackDoor.Agent.BA

http://www.wilderssecurity.com/showthread.php?t=37224
Ah, I just found your former postings about this issue and that you have tried to delete the c:\windows\system32\kbdnb.dll file.
Why didn't it work there?
Maybe you can delete it when booting Windows in safe mode (pressing F8 at reboot several times to get there?)
and try it from there.
If still not, same process to get into DOS mode: you should be able to boot into DOS and do those exact steps Pieter posted from there.
Do you have that option to reboot into DOS mode in XP?
Maybe with a boot diskette if F8 during reboot doesn't bring you there?
__________________
Jooske
"o_o"
#4
July 10th, 2004, 07:57 PM
pungkow
Infrequent Poster
Join Date: Jun 2004
Posts: 16
Re: Trojan horse BackDoor.Agent.BA

Wow, this topic got huge :O
Sorry I hadn't replied yet, I was away for a while.
I still have the virus, I'm sure, but at this point it's not causing any mega problems because I temporarily uninstalled AVG (bad idea, I know, but I had to get rid of that damn alert).
I've tried a few things, none of which have worked.
It seems that after I got the solutions I needed, I can't find the file anymore. Can't figure out why either. Once I find it I'll try a few things on it, and if none of them work I'll ask for more advice. Thanks Jooske for being so helpful to emf_clan and whoever else posted in this thread. This virus is obviously a huge problem to some people.
#5
July 10th, 2004, 11:21 PM
Jooske
Incredibly Massive Poster
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Trojan horse BackDoor.Agent.BA

Hi there, good to see you back; I thought you were breathlessly reading what happened.
You could follow the same steps as described here, which in general was making sure you have your files and folders settings set to show everything to start with,
and produce a HijackThis log.
It would have been really helpful if you had the AVG alert so we know from the start which file to look for if it doesn't show up yet, but we can do without if needed, using TDS. Hope you got TDS installed
(www.diamondcs.com.au -- install TDS, get the latest database manually from the site, have all scanners closed when installing, reboot after the install, and with the latest database, close all unnecessary programs and unnecessary browsers for your scan).
If you have TDS scanning with all scan options and other programs closed (especially all other scanners!), at the end you'll have some alerts in the bottom window; right-click one of them to save to text, which is the scandump.txt inside your TDS directory. Post that text in your next posting too.
__________________
Jooske
"o_o"

Last edited by Jooske : July 14th, 2004 at 02:28 AM.
#6
July 13th, 2004, 10:02 PM
pungkow
Infrequent Poster
Join Date: Jun 2004
Posts: 16
Re: Trojan horse BackDoor.Agent.BA

First off: here's my HijackThis log, current as of a few seconds ago (no browser windows open, cuz I'm a good boy).
Logfile of HijackThis v1.97.7
Scan saved at 6:57:56 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\emsw.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Comcast\Comcast_Devmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Joel Vaughn\Desktop\paul\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Joel Vaughn\Application Data\Mozilla\Profiles\default\mcsqtxdf.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CPW] C:\Program Files\Comcast\Comcast_Devmon.exe C:\Program Files\Comcast\Comcast Photo Wizard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: AIM (HKLM)

Second off, I do know where this virus is.
*committed it to memory*
It's c:\windows\system32\kbdnb.dll


There was a time where I could search for it, and it'd be there, and it would stare me in the face, knowing that I don't know how to get rid of it, but now it's hiding from me. Bastard.
Anyway. Yeah. I got TDS and got the update n all, but every time I would run TDS it would say that I have to update it. Am I doing something wrong?
Also, you say to have all other scanners disabled. Does this include McAfee and Spybot S&D? And if so, is there a safe way to shut them down without exposing myself to unwanted opportunist viruses/spyware effects?
#7
July 14th, 2004, 01:08 AM
Jooske
Incredibly Massive Poster
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Trojan horse BackDoor.Agent.BA

Hi there, a few things:
If you have TDS evaluating, it reminds you all the time of the update, in that decent and helpful way, until you register. Just so you don't forget to grab your daily portion of update manually and reload TDS.
Registered users just press the update button and all is done, or they have their automated update twice a week (Monday and Friday).


Your HJT log ends at O9; is there no more? Did you check all the scan options in it etc.?
And in Windows folder options, to show all hidden files and hidden extensions, nothing to hide from you?

If that known virus is there, why didn't you delete it or get rid of it in other ways?
Does the DiamondCS tool APM help you here then, if it would be really hidden and nasty etc.? (See at the products page, free tools, a nice explanation page with screenshots about the Advanced Process Manipulation.)

Disable other scanners: yes, I mean only during the scanning; afterwards you can put them up again. It's especially for a scanner like AVG, which has the nasty habit of hiding files it found from all eyes including other scanners, as if it's claiming its own private copyrights, and thus people say "only AVG found it!" while others don't even get a chance with AVG active!
TDS doesn't hide files; it alerts, and you decide what to do with them.


Apart from the R1 and R0 lines with the sp.html in them, I see this one too:
C:\WINDOWS\emsw.exe
I'm not even sure about the R with the about:blank in it, whether it is part of another infection.
I would prefer if you copy your complete log into the HJT experts' cleaning room (for HJT you can leave the Spybot etc. protection on like you did now, but don't forget to copy all the lines there are): http://www.wilderssecurity.com/showthread.php?t=15913
Maybe they do say delete lines xxx till yyy and zzz, but they might see a pattern belonging to a certain nasty and have special ways to have also now invisible stuff removed.
I see your WildTangent, that is known spyware, but it's your own choice to keep it or not, and you probably use QuickTime enough to keep it in autostart? Removing it from autostart is useless then, as it adds itself all the time again, want it or not.
__________________
Jooske
"o_o"

Last edited by Jooske : July 14th, 2004 at 01:53 AM.
#8
July 14th, 2004, 01:56 AM
Jooske
Incredibly Massive Poster
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Trojan horse BackDoor.Agent.BA

Wait a moment, I see you have been there, and exactly the nasties they told you to remove are still, or again, there in the current log?
http://www.wilderssecurity.com/showthread.php?t=37224


You were told in the other thread to close all browser windows (and scanners too, I would say, for a moment)
and only use HJT,
and to fix all the lines R1 and R0 with the sp.html in them and the about:blank.

In that thread you were also told to delete that virus/trojan/worm file in either safe mode or under DOS, so if you did all those steps exactly the former time, the nasty should be gone completely and can't be staring in your face.
What could be the matter is that it came back with another name now.


At this moment I'm not sure about the R3 with the missing search, whether that should go now or stay up, as the former time you deleted what was there or was missing.
Check only those lines I mentioned with the sp.html in them and that about:blank, and press Fix.
Reboot and let's have another scan.

I mean a TDS scan in the first place:
have the latest radius update from the site http://tds.diamondcs.com.au/radius.tds
put it in the TDS directory as it is and reload or start TDS;
in the TDS console go to System Testing > Scan Control, check all the scan options on both tabs, save;
now again make sure all other scanners are really closed
and choose the Full System Scan, while all other unnecessary windows and browsers are still closed.
After a while, when it's ready, right-click with your mouse on one of the alerts in the bottom window and choose the option "save to TEXT";
this will save it to the Scandump.txt, which is visible immediately.
Please copy that text and paste it in your next posting.
__________________
Jooske
"o_o"

Last edited by Jooske : July 14th, 2004 at 03:01 AM.
#9
July 14th, 2004, 04:38 PM
Taz71498
Spyware Expert
Join Date: May 2004
Location: USA
Posts: 674
Re: Trojan horse BackDoor.Agent.BA

Ok, I am not sure at what point we are at with this log now.

Could you please do this:

Post a new HJT log here.

Also, do this:
Copy the contents of the quote box to Notepad.
Name the file Appinit.bat
Save as type All Files
Save on the Desktop.

Quote:
Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt



Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Copy and paste that log here along with a new HJT log.

And please just stick in one spot so we know what we are handling. So don't go back to the other post, just stay here and we will help you through this.
#10
July 21st, 2004, 12:03 PM
pungkow
Infrequent Poster
Join Date: Jun 2004
Posts: 16
Re: Trojan horse BackDoor.Agent.BA

Sorry, once again, for not responding in such a long time. I just sorta didn't wanna deal with it. You know the feeling, right?
Anyway Tazz, I've done that whole appinit.bat thing for clearing out my HijackThis log, and I still don't know what, if anything, it's supposed to help me with. Care to give me an explanation?

Jooske: I'm not sure why it stops where it does, but I do have all the scan options selected.

Here's my newest of new HJT logs. I had this browser window open this time, but...meh.

Logfile of HijackThis v1.97.7
Scan saved at 9:02:30 AM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Comcast\Comcast_Devmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Joel Vaughn\Desktop\paul\hijackthis\HijackThis.exe
C:\Program Files\AIM\aim.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Joel Vaughn\Application Data\Mozilla\Profiles\default\mcsqtxdf.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41329268-3389-432A-9898-FAB2B3059530} - C:\WINDOWS\System32\klha.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CPW] C:\Program Files\Comcast\Comcast_Devmon.exe C:\Program Files\Comcast\Comcast Photo Wizard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O9 - Extra button: AIM (HKLM)

I guess that's it for now, though I do know I'm not answering a good portion of your questions. I'm just not in the mood for that. This is really just to show you that I'm still alive and (sorta) working on this problem. Thanks.
#11
July 21st, 2004, 12:39 PM
Jooske
Incredibly Massive Poster
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Trojan horse BackDoor.Agent.BA

Could you please post that appinit.bat log Tazz asked for?

Indeed all those sp.html and about:blank things are still there;
I wonder if you ever removed them and they just came back?

Do you have in the Windows folder options all files showing?

You don't have to clean out, that's up to you, but it's your >$2000 value system in the first place, with the risk of losing valuable hard- and software, and you could infect other people on the internet.

If you now do a TDS scan (fully updated) with other scanners closed, which alerts does TDS give you? Please post your Scandump.txt after scanning.
__________________
Jooske
"o_o"
#12
July 26th, 2004, 03:58 PM
pungkow
Infrequent Poster
Join Date: Jun 2004
Posts: 16
Re: Trojan horse BackDoor.Agent.BA

Good news: after running a Spybot scan alongside an Ad-Aware scan and then rebooting (while System Restore was turned off), I finally got rid of that about:blank thing. :-D

OK, here's my appinit.bat log thingy:
regf       t_mode=0
langpack=
skin=Winamp Modern
defext=mp3
titlefmt=[%artist% - ]$if2(%title%,$filepart(%filename%))
dspplugin_name=
check_ft_startup=1
pe_fontsize=11
visplugin_priority=2
visplugin_autoexec=0
dspplugin_num=0
sticon=0
splash=0
taskbar=0
ascb_new=1
ttips=1
riol=0
minst=0
whichicon=1
whichicon2=1
addtolist=0
snap=1
snaplen=10
parent=1
hilite=1
disvis=1
rofiob=0
s4N; hbin  ex_but_for_pos=3
junk, @V   x 0 < h  Windows skstx x            !    !  ?          ?               vk <    fAppInit_DLLs֍GC : \ W I N D O W S \ S y s t e m 3 2 \ k b d n b . d l l  h vk     UDeviceNotSelectedTimeout1 5  ( 9 0  =tvk  '   zGDIProcessHandleQuota"vk  x   Spooler2y e s
_ h  ( X * vk    5swapdiskvk     . TransmissionRetryTimeouth  ( X *   vk  '   n USERProcessHandleQuotan

(There were a lot of blank lines at the bottom of that, but I didn't want to keep them there, as they'd just be wasting space, so I took them off.)

Alright, here's my new HJT log, as of a minute or so ago.


Logfile of HijackThis v1.97.7
Scan saved at 12:51:20 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Comcast\Comcast_Devmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Joel Vaughn\Desktop\paul\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Joel Vaughn\Application Data\Mozilla\Profiles\default\mcsqtxdf.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CPW] C:\Program Files\Comcast\Comcast_Devmon.exe C:\Program Files\Comcast\Comcast Photo Wizard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: Convert for CLI - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: AIM (HKLM)



OK, and one question: when I do a search for a specific file and it doesn't show up, I'm sure it's because I have something selected that hides it, but I've looked at all the options and I don't see the option to make all files visible. A little help on where to find that? Once again, sorry for taking so long to respond, I'm just REALLY REALLY not in the mood to deal with this.
#13
July 26th, 2004, 04:16 PM
Taz71498
Spyware Expert
Join Date: May 2004
Location: USA
Posts: 674
Re: Trojan horse BackDoor.Agent.BA

Hello,

Well, to find hidden files and folders:

Open Folder Options > View and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

Be careful of what you delete.

Your log does look ok but if there is a hidden dll then it will come back. Would you do this so that we make sure there is no hidden dll:

Copy the contents of the quote box to Notepad.
Name the file Appinit.bat
Save as type All Files
Save on the Desktop.

Quote:
Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt


Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Copy and paste that log here.
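The reg save step Taz71498 asks for here (and in post #9) exports the key that holds the AppInit_DLLs value, which is the load point the posted windows.txt showed pointing at kbdnb.dll; any DLL listed there is loaded into every process that links user32.dll, which is also why such a file is always "in use" and refuses to delete. As an added example (not from the thread, HijackThis or TDS), this PowerShell function reads that value directly and reports each DLL it names, where it resolves to, whether the file is hidden, and its SHA-256, so the result can be posted as text instead of a binary hive. It assumes PowerShell 2.0 or later run from an elevated prompt; the Wow6432Node key only exists on 64-bit Windows, and LoadAppInit_DLLs only exists on Vista and later.

```powershell
# Added example (not from the thread, HijackThis or TDS): read the AppInit_DLLs
# load point directly instead of posting a binary hive dump.
# Assumes PowerShell 2.0 or later; run from an elevated prompt.

function Get-AppInitDlls {
    # The WOW64 view of the key exists only on 64-bit Windows.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue

        $raw = [string]$props.AppInit_DLLs
        # LoadAppInit_DLLs was introduced with Vista; on XP the list is always honoured.
        $load = 1
        if ($null -ne $props.LoadAppInit_DLLs) { $load = [int]$props.LoadAppInit_DLLs }

        # Bare file names resolve in the system directory matching the key's bitness.
        $sysDir = 'System32'
        if ($key -like '*Wow6432Node*') { $sysDir = 'SysWOW64' }

        if ($raw.Trim() -eq '') {
            # An empty list is the normal state on a home machine.
            New-Object PSObject -Property @{ Key = $key; LoadEnabled = $load; Dll = '(none)';
                                             Resolved = $null; Exists = $false; Hidden = $false; Sha256 = $null }
            continue
        }

        # The value is a space- and/or comma-separated list of DLL paths.
        foreach ($entry in ($raw -split '[,\s]+' | Where-Object { $_ })) {
            $resolved = [Environment]::ExpandEnvironmentVariables($entry)
            if (-not [System.IO.Path]::IsPathRooted($resolved)) {
                $resolved = Join-Path (Join-Path $env:SystemRoot $sysDir) $resolved
            }

            # Use .NET file APIs so hidden/system attributes do not mask the file.
            $exists = [System.IO.File]::Exists($resolved)
            $hidden = $false
            $hash = $null
            if ($exists) {
                $attrs = [System.IO.File]::GetAttributes($resolved)
                $hidden = (($attrs -band [System.IO.FileAttributes]::Hidden) -ne 0)
                $stream = [System.IO.File]::OpenRead($resolved)
                try {
                    $sha = [System.Security.Cryptography.SHA256]::Create()
                    $hash = ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
                } finally {
                    $stream.Close()
                }
            }

            New-Object PSObject -Property @{ Key = $key; LoadEnabled = $load; Dll = $entry;
                                             Resolved = $resolved; Exists = $exists; Hidden = $hidden; Sha256 = $hash }
        }
    }
}

# Anything other than an empty list deserves an explanation; a DLL that exists, is
# hidden, or sits in System32 under an unfamiliar name is exactly what this thread's
# windows.txt revealed (AppInit_DLLs = C:\WINDOWS\System32\kbdnb.dll).
Get-AppInitDlls | Format-List Key, LoadEnabled, Dll, Resolved, Exists, Hidden, Sha256
```

The hash lets a helper compare the file against a known-clean copy or a vendor detection without the file itself being uploaded.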
#14
July 27th, 2004, 01:33 AM
pungkow
Infrequent Poster
Join Date: Jun 2004
Posts: 16
Re: Trojan horse BackDoor.Agent.BA

hey tazz, I got two questions: first off, where do I go to get to folder options? I can't find it.

and second, why is it that you told me to post another appinit.bat log, when I already did in my previous post?
  #15  
Old July 27th, 2004, 03:06 AM
Jooske's Avatar
Jooske Jooske is offline
Incredibly Massive Poster
 
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Default Re: Trojan horse BackDoor.Agent.BA

In win98 this way, suppose it will not be very different in your system:
in Windows Explorer > view > folder options > there uncheck the options for hiding hidden folders and known extensions, so all is showing, apply, ok
__________________
Jooske
"o_o"
  #16  
Old July 27th, 2004, 02:53 PM
pungkow pungkow is offline
Infrequent Poster
 
Join Date: Jun 2004
Posts: 16
Default Re: Trojan horse BackDoor.Agent.BA

that probably is how to do it on my operating system too (btw I'm using xp)

unfortunately I can't find windows explorer....
  #17  
Old July 27th, 2004, 04:43 PM
snowbound snowbound is offline
Retired Moderator
 
Join Date: Feb 2003
Location: The Big Smoke
Posts: 8,727
Default Re: Trojan horse BackDoor.Agent.BA

Quote:
Originally Posted by pungkow
that probably is how to do it on my operating system too (btw I'm using xp)

unfortunately I can't find windows explorer....

Here's how,

http://service1.symantec.com/SUPPORT...&osv=&osv_lvl=


snowbound
  #18  
Old July 27th, 2004, 05:53 PM
Taz71498's Avatar
Taz71498 Taz71498 is offline
Spyware Expert
 
Join Date: May 2004
Location: USA
Posts: 674
Default Re: Trojan horse BackDoor.Agent.BA

Hello

You had said that about:blank was gone but from what I can see in the windows.txt file you supplied, you still have a problem. I was trying to confirm that it was really still there.

I would really like you to post a new one.

Do you have XP home or Pro edition?

Also, what file system do you have, NTFS or Fat32? You can find this out by going to Start>My Computer and highlight the C: drive. Right click on it and choose properties. In the box that pops up it will tell you near the top what file system you have.
  #19  
Old July 28th, 2004, 04:04 AM
pungkow pungkow is offline
Infrequent Poster
 
Join Date: Jun 2004
Posts: 16
Default Re: Trojan horse BackDoor.Agent.BA

I'm using ntfs/ home edition.

and yeah, you were right, the about:blank problem was still there. it just went away for a while. longer than it ever had
so yeah, here's the appinit.bat log thingy again if you still want it

regf       Pugf hbin  nk, @V   x 0 < h  Windows sk x x            !    !  ?          ?               vk <    fAppInit_DLLs֍GC : \ W I N D O W S \ S y s t e m 3 2 \ k b d n b . d l l  h vk     UDeviceNotSelectedTimeout1 5  ( 9 0  =tvk  '   zGDIProcessHandleQuota"vk  x   Spooler2y e s
_ h  ( X * vk    5swapdiskvk     . TransmissionRetryTimeouth  ( X *   vk  '   n USERProcessHandleQuotan


thanks snowbound for giving me that link. unfortunately even though I know the file I was looking for is still on my system, I couldn't find it. Yes I did check show hidden files and show protected system files, so that wasn't the problem ... any suggestions on how I can find it?
  #20  
Old July 28th, 2004, 06:22 PM
Taz71498's Avatar
Taz71498 Taz71498 is offline
Spyware Expert
 
Join Date: May 2004
Location: USA
Posts: 674
Default Re: Trojan horse BackDoor.Agent.BA

Ok, on with the fix:

If you don't have CWShredder, download it from here, you will use it later:
CWShredder

Open CWShredder and click on Update and the close it when it is done updating. Do not click on Fix yet.

If by chance you do not know how to start your computer into Safe Mode, go here and learn, you will need to start your computer into Safe Mode after the next part:
safe mode

Copy the contents of the Quote box into Note Pad and name it hiving.bat and save it on your desktop:

Code:
@echo off
Echo Working
REM Abort if there is no AppInit_DLLs value to remove.
Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
If ERRORLEVEL==1 GoTo End
GoTo DOIT
:End
echo >not.vbs MsgBox "No Appinit_Dlls value Present" ^& vbcrlf ^& "Removal Aborted"
Wscript.exe not.vbs
del not.vbs
Exit
:DOIT
If exist backup.hiv del backup.hiv
If exist f.hiv del f.hiv
REM Save the whole Windows key to a hive file, then delete the key itself.
REM The PING lines are short delays that give each registry step time to finish.
reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" backup.hiv
:one
PING 1.1.1.1 -n 2 -w 1000 >NUL
if not exist backup.hiv goto one
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f
REM Restore the saved hive under a scratch key, where the hidden value can be deleted normally.
Reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
:Notthere
PING 1.1.1.1 -n 2 -w 1000 >NUL
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
IF ERRORLEVEL ==1 GoTo Notthere
reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" backup.hiv
:two
PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
IF ERRORLEVEL==1 GOTO two
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls /f
:appy
PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
If Not ERRORLEVEL==1 GOTO appy
REM Save the cleaned scratch key, remove it, and restore the saved copy under the original key name.
Reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" f.hiv
:three
PING 1.1.1.1 -n 4 -w 1000 >NUL
if not exist f.hiv GOTO three
Reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
:four
PING 1.1.1.1 -n 1 -w 1000 >NUL
Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
If ERRORLEVEL==1 GOTO four
:five
PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" f.hiv
Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v USERProcessHandleQuota
If ErrorLevel==1 GOTO five
If exist f.hiv ren f.hiv fbackup.hiv
Echo > finished.vbs MsgBox "Done"
Wscript.exe finished.vbs
del finished.vbs

Immediately sign off the internet and stay off until all steps are finished. (Print this to follow)

Double click on that file hiving.bat. If you have script blocking enabled you will get a warning. Please allow this to run; the script is just producing a message box. Double click on the batch to run it. After a reboot the super hidden nasty file will no longer be loaded and will be visible. This will end the constant reinstall of about:Blank.

Restart into Safe mode and find this file:
C:\WINDOWS\System32\kbdnb.dll

Use the security tab on kbdnb.dll and take ownership.
Change the 'everyone special' to
'you' with Admin rights -> FULL control
Then try to delete it; if that fails, try to rename
it first to a different name + ext.
Example:
kbdnb.dll > bleh.txt
bleh.txt > badfile.111

Once you have successfully deleted the file restart into Regular Windows mode.

Extract and Run CWShredder immediately.
Press the fix button to clean, not Scan.

Restart and run hijackThis again.

Post your new log here in your next reply.

Also please create a new Windows.txt and attach it so we can doublecheck.
  #21  
Old July 28th, 2004, 08:59 PM
pungkow pungkow is offline
Infrequent Poster
 
Join Date: Jun 2004
Posts: 16
Default Re: Trojan horse BackDoor.Agent.BA

FINALLY! I GOT RID OF KBDNB.DLL!!!!!!!!! *hugs taz and Jooske*
now I can finally get on with my life


here's my appinit.bat log


regf       Pugf hbin  *nk, Lu   0 < h  Windowsows  sk            !    !  ?          ?               vk  *   UDeviceNotSelectedTimeout1 5  (  p vk  '   zGDIProcessHandleQuota"9 0  =tvk     Spooler2y e s
_vk    5swapdisk p   ( ` vk     . TransmissionRetryTimeoutvk  '   n USERProcessHandleQuotan p   ( ` 

here's my hjt log: ( btw it still says default home page: about:blank:but my home page isn't about:blank when I sign on. I'll tell you if the about:blank comes back)


Logfile of HijackThis v1.97.7
Scan saved at 5:59:18 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Comcast\Comcast_Devmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Joel Vaughn\Desktop\paul\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Joel Vaughn\Application Data\Mozilla\Profiles\default\mcsqtxdf.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKCU\..\Run: [CPW] C:\Program Files\Comcast\Comcast_Devmon.exe C:\Program Files\Comcast\Comcast Photo Wizard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: Convert for CLI - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: AIM (HKLM)


well unless another problem pops up, or about:blank comes back I'll be fine, I'm still going to check back in case one of you have something else you'd like me to do.
  #22  
Old July 28th, 2004, 09:15 PM
Taz71498's Avatar
Taz71498 Taz71498 is offline
Spyware Expert
 
Join Date: May 2004
Location: USA
Posts: 674
Default Re: Trojan horse BackDoor.Agent.BA

Hi,

You still have it in your log. Did you run CWShredder? If not, do so.

The hidden dll is gone I see, which is good.

I would like you to download Adaware if you don't already have it (don't run it yet, but I would like you to open it and update the reference file and then close it.)

Next, Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

Close all windows except HijackThis and check these lines then click on Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

Don't reboot yet.

Start APM (the program you downloaded second)
In the upper window select explorer.exe
In the lower window find and right-click C:\WINDOWS\System32\klha.dll (if it is there, if not, just close the program)
Select Unload DLL and click OK on the prompts that follow.

Reboot and scan with AdAware (the first program you downloaded)

Reboot.

Post a new HJT log.
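An added example (not from the thread or from HijackThis) that applies the triage done by hand above: it flags the R0/R1/R3 entries that match this about:blank variant and diffs a before/after log to confirm the fix took and nothing new appeared. The sample logs are constructed from entries posted in the thread.

```python
"""Flag the about:blank / CWS search-hijack entries in a HijackThis 1.97-style
log and diff two logs to confirm the fix. Added example, not code from the
thread or from HijackThis; the sample logs are constructed from entries above."""
import re

ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")

BEFORE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOELVA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

AFTER_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

def parse_hjt(text):
    """Return [(section, body)] for every HijackThis entry, skipping the header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.rstrip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def is_hijack_indicator(sec, body):
    """Heuristics for the variant handled in the thread; weak alone, strong together."""
    if sec in ("R0", "R1"):
        _, sep, value = body.partition(" =")
        value = value.strip().lower()
        if value.startswith("file://") and "\\temp\\" in value:
            return True      # search/start page redirected to an HTML file dropped in %TEMP%
        if value == "about:blank":
            return True      # the hijacker's stored "old" start page
        if sep and not value and "linksfoldername" in body.lower():
            return True      # this variant blanks the Links folder name
    return sec == "R3" and "URLSearchHook is missing" in body   # hook removed by the hijacker

def flag_hijack_lines(text):
    """Entry lines (as HijackThis prints them) that match the indicators above."""
    return [f"{s} - {b}" for s, b in parse_hjt(text) if is_hijack_indicator(s, b)]

def diff_logs(before, after):
    """(removed, added) entries between two logs: confirms the fix and spots anything new."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    fmt = lambda items: sorted(f"{s} - {x}" for s, x in items)
    return fmt(b - a), fmt(a - b)

if __name__ == "__main__":
    print("\n".join(flag_hijack_lines(BEFORE_LOG)))
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries removed, {len(added)} added")
```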
  #23  
Old July 28th, 2004, 11:18 PM
pungkow pungkow is offline
Infrequent Poster
 
Join Date: Jun 2004
Posts: 16
Default Re: Trojan horse BackDoor.Agent.BA

alrighty. I did as you said,and I think this is the cleanest hjt log I've ever had o.O

anyway I didn't have that khla or whatever you said, so I didn't do anything to it, and I'm not sure where to do this: "Select Unload DLL and click OK on the prompts that follow."
where do I do that?
also I already had ad aware so I didn't need to download it again, and same for cws shredder, but I did follow the rest of the instructions to the letter.


Logfile of HijackThis v1.97.7
Scan saved at 7:59:45 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Comcast\Comcast_Devmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Joel Vaughn\Desktop\paul\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Joel Vaughn\Application Data\Mozilla\Profiles\default\mcsqtxdf.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKCU\..\Run: [CPW] C:\Program Files\Comcast\Comcast_Devmon.exe C:\Program Files\Comcast\Comcast Photo Wizard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: Convert for CLI - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: AIM (HKLM)
  #24  
Old July 29th, 2004, 05:42 PM
Taz71498's Avatar
Taz71498 Taz71498 is offline
Spyware Expert
 
Join Date: May 2004
Location: USA
Posts: 674
Default Re: Trojan horse BackDoor.Agent.BA

Hello,

Quote:
"Select Unload DLL and click OK on the prompts that follow."
where do I do that?

You don't need to, that was only if you found the C:\WINDOWS\System32\klha.dll, which you didn't find, so that is ok.

Yes, your log is squeaky clean! You are good to go.

Here is a link for you to go to that will give you suggestions on how to keep your computer safe:
http://www.wilderssecurity.com/showthread.php?t=27971

Happy Surfing!
 

Powered by vBulletin Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright 2002 - 2013, Wilders Security Forums