about:blank and BHO issue

Discussion in 'adware, spyware & hijack cleaning' started by brad2003, Jul 7, 2004.

Thread Status:
Not open for further replies.
  1. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    I seem to be having the same difficulty that everyone else is having with the a random BHO being added to my machine every time I go onto the internet. My search page tries to change to about:blank. Now, I have read through other threads and have tried other things but nothing seesm to work. CWShredder and Adaware catches something everytime I run them (usually a different ".dll" from my WINNT/System32 directory, which I then delete) but the problem does not go away for good. Below is my hijackthis.log...any ideas?

    Logfile of HijackThis v1.97.7
    Scan saved at 8:55:35 AM, on 7/7/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\llssrv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\oracle\ora81\bin\vppdc.exe
    C:\oracle\ora81\BIN\TNSLSNR.exe
    c:\oracle\ora81\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\system32\CCM\CcmExec.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\iPass\iPassConnect Informatica Remote Access\IPassConnectGUI.exe
    C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Informatica PowerCenter 7.1\RepositoryServer\bin\pmrepserver.exe
    C:\Program Files\Informatica PowerCenter 7.1\RepositoryServer\bin\pmrepagent.exe
    C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\bweisber\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://central.informatica.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: iPassConnect Informatica Remote Access.lnk = C:\Program Files\iPass\iPassConnect Informatica Remote Access\IPassConnectGUI.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://www.accountonline.com
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www11.informatica.com/Citrix/Icaweb/wficat.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7730555556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://informatica.webex.com/client/v_localized/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44A970B5-5365-4B40-97D2-C4C002CB566B}: NameServer = 10.1.32.61,10.1.32.62
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = informatica.com,informatica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
    O17 - HKLM\System\CS1\Services\Tcpip\..\{44A970B5-5365-4B40-97D2-C4C002CB566B}: NameServer = 10.1.32.61,10.1.32.62
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = informatica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = informatica.com,informatica.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
     
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    I am not seeing anything in your log, so let's see if you have a hidden dll.

    Copy the contents of the quote box to Notepad.
    Name the file Appinit.bat
    Save as type All Files
    Save on the Desktop.
    Quote:
    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt


    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Copy and paste that log here.

    I would also like you to do this:
    download this appinit.zip

    Unzip it so that both files (regread.exe and runread.exe) are in the same folder (make it it's own folder) then double click on runread.exe to run it.
    After it's been run there will be a "regread.log" file in the same folder you unzipped it to.

    Copy the contents of that here also.
     
  3. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    I can't seem to get the batch file to save the windows.txt file. I pasted in the reg commnad exactly how you have it there. Am I doing something wrong?

    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt

    I did manage to download the other zip file, though. Contents are below.

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 54 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINNT\system32\logh.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 | C.:.\.W.I.N.N.T.
    0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 | \.s.y.s.t.e.m.3.
    0020 32 00 5c 00 6c 00 6f 00 67 00 68 00 2e 00 64 00 | 2.\.l.o.g.h...d.
    0030 6c 00 6c 00 00 00 | l.l...

    Thanks for the assistance!
     
  4. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    I am finding that sometimes it doesn't save the file on the desktop. Do a search for window.txt and see if you find it that way. I want to compare the two logs with one another. Let me know.
     
  5. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    No dice. I ran the batch file again and searched my entire machine for "window*". Nothing. The DOS window disappears too quickly for me to figure out why it is not saving the file. Here are the contents of the file again -- you see anything I am doing wrong?

    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt
     
  6. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    It may be because you have Win2000. Let me get back to you, I want to check with an expert before we proceed.
     
Thread Status:
Not open for further replies.