ABOUT;BLANK HELP!!!

Can someone pleeeeeeeeeeeeeeease help me! I"ve hit my limit of computer knowledge. I keep getting the about: blank homepage!!!
Here's my Hijack this log !!! pLlllllease someone help

Logfile of HijackThis v1.97.7
Scan saved at 12:14:27 PM, on 5/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\J\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AF2F5D41-6C9C-48DB-9D40-C6B6AD18FA2F} - C:\WINDOWS\m.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Hi jj2303,

Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll

O2 - BHO: (no name) - {AF2F5D41-6C9C-48DB-9D40-C6B6AD18FA2F} - C:\WINDOWS\m.dll

O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu

Download and run CWShredder
Use the Fix button and follow the instructions provided by the program.

Download Ad-Aware at lavasoft.usa.com
After installing AAW, and before running the program, update by using the Globe icon.
Shut down and restart your computer into safe mode
Start AdAware again.
Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Rightclick in that panel and choose "select all" and click 'next'.
It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware, and reboot.

Surf to http://www10.brinkster.com/expl0iter/freeatlast/PVtool.htm
And download and unzip Find-All.zip
Inside the unzipped folder find the file Find All.bat and doubleclick it.

When it is done it will produce a file output.txt in that same folder.
Post the content of that one.

Regards,

Pieter

 

Thank you so much for your hlep

--===**'FIND-ALL' VERSION 2, 5/04**===--

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (30A4:CC0B) - FS:NTFS clusters:4k
Total: 15 002 877 952 [14G] - Free: 4 531 630 080 [4.2G]


Locked or 'Suspect' file(s) found...
The system cannot execute the specified program.
The system cannot execute the specified program.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C7BCC824-9C32-4A50-8B95-C07A6CE0DA15}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

Class Install Handler
{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}
C:\WINDOWS\system32\urlmon.dll

deflate
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll

gzip
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll

lzdhtml
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll

text/webviewhtml
{733AC4CB-F1A4-11d0-B951-00A0C90312E1}
%SystemRoot%\system32\SHELL32.dll


_______________________________

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

{53707962-6F74-2D53-2644-206D7942484F}
C:\PROGRA~1\SPYBOT~1\SDHelper.dll

{BDF3E430-B101-42AD-A544-FADC6B084872}
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

{C7BCC824-9C32-4A50-8B95-C07A6CE0DA15}
C:\WINDOWS\m.dll

--==***Probable "bad" file will be represented as
C:\WINDOWS...System32...XXXX.dll***==--

Handle v2.2
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
winlogon.exe pid: 608 NT AUTHORITY\SYSTEM
b4: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
f0: File C:\WINDOWS\system32\lsd_f3.dll
14c: Section \BaseNamedObjects\ShimSharedMemory
190: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
214: File C:\WINDOWS\AppPatch
218: File C:\WINDOWS\system32\dllcache
21c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm
220: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm
224: File C:\WINDOWS\system32
228: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_aut
22c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut
230: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin
234: File C:\WINDOWS\Fonts
238: File C:\WINDOWS\system32\drivers
23c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\servsupp
240: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar
244: File C:\Program Files\microsoft frontpage\version3.0\bin
248: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin
24c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\1033
250: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi
254: File C:\WINDOWS\system32\inetsrv
258: File C:\WINDOWS
25c: File C:\Program Files\Common Files\Microsoft Shared\DAO
260: File C:\Program Files\Windows Media Player
264: File C:\Program Files\Common Files\System\msadc
268: File C:\Program Files\Common Files\System\ado
26c: File C:\Program Files\Common Files\System\Ole DB
270: File C:\WINDOWS\inf
274: File C:\WINDOWS\system
278: File C:\WINDOWS\msagent
27c: File C:\WINDOWS\msagent\intl
280: File C:\Program Files\MSN Gaming Zone\Windows
284: File C:\WINDOWS\Help
288: File C:\WINDOWS\PCHealth\HelpCtr\Binaries
28c: File C:\Program Files\NetMeeting
290: File C:\WINDOWS\system32\drivers\disdn
294: File C:\WINDOWS\ime\CHTIME\Applets
298: File C:\WINDOWS\system32\wbem
29c: File C:\WINDOWS\system32\IME\CINTLGNT
2a0: File C:\WINDOWS\system32\Com
2a4: File C:\WINDOWS\system32\Setup
2a8: File C:\WINDOWS\ime\imjp8_1
2ac: File C:\Program Files\Common Files\Microsoft Shared\Triedit
2b0: File C:\Program Files\Windows NT
2b4: File C:\Program Files\Common Files\System
2b8: File C:\WINDOWS\system32\1033
2bc: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\scripts
2c0: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admisapi\scripts
2c4: File C:\WINDOWS\system32\usmt
2c8: File C:\WINDOWS\ime\imkr6_1\dicts
2cc: File C:\WINDOWS\system32\mui\0009
2d0: File C:\Program Files\Internet Explorer
2d4: File C:\WINDOWS\ime\imjp8_1\applets
2d8: File C:\WINDOWS\ime\imkr6_1\applets
2dc: File C:\WINDOWS\system32\xircom
2e0: File C:\Program Files\Internet Explorer\Connection Wizard
2e4: File C:\Program Files\Common Files\Microsoft Shared\MSInfo
2e8: File C:\WINDOWS\ime\imkr6_1
2ec: File C:\WINDOWS\ime\shared
2f0: File C:\WINDOWS\system32\IME\PINTLGNT
2f4: File C:\Program Files\Common Files\SpeechEngines\Microsoft\Lexicon\1033
2f8: File C:\WINDOWS\Resources\Themes\Luna
2fc: File C:\Program Files\Movie Maker
300: File C:\WINDOWS\ime
304: File C:\WINDOWS\srchasst
308: File C:\Program Files\Outlook Express
30c: File C:\WINDOWS\system32\oobe
310: File C:\Program Files\Common Files\MSSoap\Binaries
314: File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033
318: File C:\WINDOWS\system32\npp
31c: File C:\WINDOWS\ime\shared\res
320: File C:\Program Files\Windows NT\Pinball
324: File C:\WINDOWS\ime\chsime\applets
328: File C:\WINDOWS\system32\Restore
32c: File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033
330: File C:\Program Files\Common Files\Microsoft Shared\Speech
334: File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor
338: File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead
33c: File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic
340: File C:\WINDOWS\system32\wbem\snmp
344: File C:\Program Files\Common Files\SpeechEngines\Microsoft
348: File C:\Program Files\Common Files\Microsoft Shared\Speech\1033
34c: File C:\WINDOWS\system32\spool\drivers\color
350: File C:\WINDOWS\system32\IME\TINTLGNT
354: File C:\WINDOWS\Help\Tours\mmTour
358: File C:\WINDOWS\PCHealth\UploadLB\Binaries
35c: File C:\Program Files\Common Files\Microsoft Shared\VGX
360: File C:\WINDOWS\system32\wbem\xml
364: File C:\Program Files\Windows NT\Accessories
368: File C:\Program Files\xerox\nwwia
378: File C:\WINDOWS\WinSxS
584: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
5d8: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
674: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
6e0: Section \BaseNamedObjects\mmGlobalPnpInfo
6f0: Section \BaseNamedObjects\WDMAUD_Device_Interface_Path
6f4: Section \BaseNamedObjects\WDMAUD_Path_Size
700: Section \BaseNamedObjects\WDMAUD_Callbacks
790: Section \BaseNamedObjects\__R_000000000010_SMem__
7e4: File C:\WINDOWS\system32


 

Can you see if there was also a file called windows.txt craeted in that folder.
If so post the content of that one.

Regards,

Pieter

 

Unfortunately there's nothing to copy in the windows.txt file, just a bunch of squares
any ideas on what I should dO?

thank you!

 

Download and install Registrar Lite

-Run reglite : type--
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.

-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.

-Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\xxxxxxx.dll (random named dll) <- delete this line ,
'Apply' and 'ok' to set. (Do note down the name of the dll though)

-Rename the NotWindows folder back to its
original name Windows

-Restart computer

Check in the system32 folder if the culprit dll is visible.

Let us know.

Regards,

Pieter

 

I didn't see that appinit it that location
however, i did a search and found it in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\IniFileMapping\win.ini\Windows\\AppInit_DLLs

but i didn't so how i could clear the data value

 

Any idea on how I can find those DLL's?

 

Hi jj2303,

Please try this

Download this tool :

StartDreck

Unzip to folder of choice

DoubleClick: 'StartDreck.exe'
Hit: config
hit: Unmark all
Check these boxes only:
Registry->run keys
System/drivers> Running processes
hit >ok.

Copy the contents of the log here please

Thnx!

Cheers,

 

StartDreck (build 2.1.5 public BETA) - 2004-05-13 @ 22:39:38
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
*msnmsgr="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*NAV Agent=C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
*ezShieldProtector for Px=C:\WINDOWS\System32\ezSP_Px.exe
*Installed=1
*Installed=1
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*00000000=<unkown>
*00000004=<unkown>
*0000020C=\SystemRoot\System32\smss.exe
*0000024C=<unkown>
*00000264=\??\C:\WINDOWS\system32\winlogon.exe
*00000290=C:\WINDOWS\system32\services.exe
*0000029C=C:\WINDOWS\system32\lsass.exe
*00000350=C:\WINDOWS\system32\svchost.exe
*000003A0=C:\WINDOWS\System32\svchost.exe
*0000048C=<unkown>
*000004AC=<unkown>
*00000518=C:\WINDOWS\system32\spoolsv.exe
*00000578=C:\WINDOWS\System32\Ati2evxx.exe
*00000590=C:\WINDOWS\System32\gearsec.exe
*000005A8=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
*000005C4=C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
*000005DC=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
*000006D8=C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
*00000740=C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
*00000788=C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
*0000079C=C:\WINDOWS\wanmpsvc.exe
*000007D8=C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
*00000090=C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
*000000AC=C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
*000000C8=C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
*000002A0=C:\WINDOWS\Explorer.EXE
*0000058C=C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
*00000478=C:\WINDOWS\System32\ezSP_Px.exe
*000002C0=C:\WINDOWS\System32\ctfmon.exe
*00000600=C:\Program Files\MSN Messenger\msnmsgr.exe
*0000040C=C:\Program Files\Netscape\Netscape 6\netscp6.exe
*000004E4=C:\startdreck\StartDreck.exe
»Application specific

 

Hi again,

When you open reglite again and you navigate to this location :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

When you then look in the column next to it, don't you see a 'AppInit_DLLs' entry listed?

 

I just checked again, and I don't see that
i only see
ab default
ab device notsel
123 gdiprocessh
abspooler
abswapdisk
abtransmission
123userprocess

 

That's weird.

Hang in there jj2303, I'm asking around to some very qualified people to check this out as well

Thnx for your patience

Cheers,

 

okay thank you

 

Ok there is an updated version of findall

Can you redownload, extract to some folder run findall.bat and post the contents of :

output.txt
windows.txt (that one will look a bit strange, but ignore that)

Also post a new HijackThis log

Thnx!

Cheers,

 

Thank you, but where do I download findall from?

 

well euhm, from the first location you downloaded it from :

http://www10.brinkster.com/expl0iter/freeatlast/PVtool.htm

Cheers,

 

--===**'FIND-ALL' VERSION 2, 5/04**===--

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (30A4:CC0B) - FS:NTFS clusters:4k
Total: 15 002 877 952 [14G] - Free: 4 751 532 032 [4.4G]


Locked or 'Suspect' file(s) found...
The system cannot execute the specified program.
The system cannot execute the specified program.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C7BCC824-9C32-4A50-8B95-C07A6CE0DA15}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

Class Install Handler
{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}
C:\WINDOWS\system32\urlmon.dll

deflate
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll

gzip
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll

lzdhtml
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll

text/webviewhtml
{733AC4CB-F1A4-11d0-B951-00A0C90312E1}
%SystemRoot%\system32\SHELL32.dll


_______________________________

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

{53707962-6F74-2D53-2644-206D7942484F}
C:\PROGRA~1\SPYBOT~1\SDHelper.dll

{BDF3E430-B101-42AD-A544-FADC6B084872}
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

{C7BCC824-9C32-4A50-8B95-C07A6CE0DA15}
C:\WINDOWS\m.dll

--==***Probable "bad" file will be represented as
C:\WINDOWS...System32...XXXX.dll***==--

Handle v2.2
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
winlogon.exe pid: 608 NT AUTHORITY\SYSTEM
b4: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
f0: File C:\WINDOWS\system32\lsd_f3.dll
14c: Section \BaseNamedObjects\ShimSharedMemory
19c: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
214: File C:\WINDOWS\AppPatch
218: File C:\WINDOWS\system32\dllcache
21c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm
220: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm
224: File C:\WINDOWS\system32
228: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_aut
22c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut
230: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin
234: File C:\WINDOWS\Fonts
238: File C:\WINDOWS\system32\drivers
23c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\servsupp
240: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar
244: File C:\Program Files\microsoft frontpage\version3.0\bin
248: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin
24c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\1033
250: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi
254: File C:\WINDOWS\system32\inetsrv
258: File C:\WINDOWS
25c: File C:\Program Files\Common Files\Microsoft Shared\DAO
260: File C:\Program Files\Windows Media Player
264: File C:\Program Files\Common Files\System\msadc
268: File C:\Program Files\Common Files\System\ado
26c: File C:\Program Files\Common Files\System\Ole DB
270: File C:\WINDOWS\inf
274: File C:\WINDOWS\system
278: File C:\WINDOWS\msagent
27c: File C:\WINDOWS\msagent\intl
280: File C:\Program Files\MSN Gaming Zone\Windows
284: File C:\WINDOWS\Help
288: File C:\WINDOWS\PCHealth\HelpCtr\Binaries
28c: File C:\Program Files\NetMeeting
290: File C:\WINDOWS\system32\drivers\disdn
294: File C:\WINDOWS\ime\CHTIME\Applets
298: File C:\WINDOWS\system32\wbem
29c: File C:\WINDOWS\system32\IME\CINTLGNT
2a0: File C:\WINDOWS\system32\Com
2a4: File C:\WINDOWS\system32\Setup
2a8: File C:\WINDOWS\ime\imjp8_1
2ac: File C:\Program Files\Common Files\Microsoft Shared\Triedit
2b0: File C:\Program Files\Windows NT
2b4: File C:\Program Files\Common Files\System
2b8: File C:\WINDOWS\system32\1033
2bc: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\scripts
2c0: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admisapi\scripts
2c4: File C:\WINDOWS\system32\usmt
2c8: File C:\WINDOWS\ime\imkr6_1\dicts
2cc: File C:\WINDOWS\system32\mui\0009
2d0: File C:\Program Files\Internet Explorer
2d4: File C:\WINDOWS\ime\imjp8_1\applets
2d8: File C:\WINDOWS\ime\imkr6_1\applets
2dc: File C:\WINDOWS\system32\xircom
2e0: File C:\Program Files\Internet Explorer\Connection Wizard
2e4: File C:\Program Files\Common Files\Microsoft Shared\MSInfo
2e8: File C:\WINDOWS\ime\imkr6_1
2ec: File C:\WINDOWS\ime\shared
2f0: File C:\WINDOWS\system32\IME\PINTLGNT
2f4: File C:\Program Files\Common Files\SpeechEngines\Microsoft\Lexicon\1033
2f8: File C:\WINDOWS\Resources\Themes\Luna
2fc: File C:\Program Files\Movie Maker
300: File C:\WINDOWS\ime
304: File C:\WINDOWS\srchasst
308: File C:\Program Files\Outlook Express
30c: File C:\WINDOWS\system32\oobe
310: File C:\Program Files\Common Files\MSSoap\Binaries
314: File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033
318: File C:\WINDOWS\system32\npp
31c: File C:\WINDOWS\ime\shared\res
320: File C:\Program Files\Windows NT\Pinball
324: File C:\WINDOWS\ime\chsime\applets
328: File C:\WINDOWS\system32\Restore
32c: File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033
330: File C:\Program Files\Common Files\Microsoft Shared\Speech
334: File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor
338: File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead
33c: File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic
340: File C:\WINDOWS\system32\wbem\snmp
344: File C:\Program Files\Common Files\SpeechEngines\Microsoft
348: File C:\Program Files\Common Files\Microsoft Shared\Speech\1033
34c: File C:\WINDOWS\system32\spool\drivers\color
350: File C:\WINDOWS\system32\IME\TINTLGNT
354: File C:\WINDOWS\Help\Tours\mmTour
358: File C:\WINDOWS\PCHealth\UploadLB\Binaries
35c: File C:\Program Files\Common Files\Microsoft Shared\VGX
360: File C:\WINDOWS\system32\wbem\xml
364: File C:\Program Files\Windows NT\Accessories
368: File C:\Program Files\xerox\nwwia
378: File C:\WINDOWS\WinSxS
5a0: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
618: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
674: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
6e0: Section \BaseNamedObjects\mmGlobalPnpInfo
700: Section \BaseNamedObjects\WDMAUD_Device_Interface_Path
704: Section \BaseNamedObjects\WDMAUD_Path_Size
728: Section \BaseNamedObjects\WDMAUD_Callbacks
790: Section \BaseNamedObjects\__R_000000000010_SMem__
7e0: File C:\WINDOWS\system32


 

regf

 

Logfile of HijackThis v1.97.7
Scan saved at 8:59:58 AM, on 5/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Netscape\Netscape 6\netscp6.exe
C:\Program Files\Common Files\Netscape Shared\Security\psm.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\m.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C7BCC824-9C32-4A50-8B95-C07A6CE0DA15} - C:\WINDOWS\m.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Hi jj2303,

Could you mail me a copy of C:\WINDOWS\m.dll
Maybe it will reveal something if we take it apart.
Send it to the email address in my profile.

Regards,

Pieter

 

m.dll does not exist in the folder
any other ideas?

 

Before you fix anything please download and unzip The KillBox.zip from here:
http://download.broadbandmedic.com/

Run the program and in the dialog Window paste C:\WINDOWS\m.dll and click the "Find and Kill this file" button

Then reboot and find the copy of m.dll in C:\!Submit\[Date]
Could you please zip that up and mail it to pieterATwilderssecurity.org (replace AT with @)

Thanks in advance,

Pieter

 

i don't see a find and kill button?

 

apparently windows can not find that file