
ADSs detected by Ad-Aware SE

redmaledeer

(Ad-Aware SE Personal Build 1.06r1)(Windows XP Home SP1, IE6; all critical updates.) This latest version of Ad-Aware allows scanning for ADSs. As I understand it, ADSs (Alternative Data Streams) are invisible files or data which can be attached to, or be part of, conventional files. These were intended for legitimate purposes, but, being invisible, they present a fine place for malware to hide. Okay. I scanned my computer and four ADSs turned up in the critical tab. Presumably I could quarantine or delete these, as I could with other items in the critical tab. My question is whether I want to. Part of the Ad-Aware log is at the end of this post. That is in two parts: a shorter first part headed "Scanning and Enumerating ADS...", and a longer second part headed "C: Enumerating detected ADS...". The first part lists the same four ADSs as are in the critical tab. All seem to be associated with reputable programs. Are these ADSs legitimate, or are they malware? If I quarantine or delete them, will I just be getting rid of the ADSs, or will I also be getting rid of the reputable files to which they are attached? I suppose I could deal with this by uninstalling the four reputable programs, and then downloading and installing clean new copies. I could then see if the ADSs were in those clean new installs. But that seems like brute force based on ignorance. Any enlightenment would be welcome. The second part of the log below also deals with ADSs. It has fourteen entries, some of which are near-duplicates, and some (not all) of which refer to the above four ADSs. I don't really need to understand this second part in order to answer my practical question, which is how I should handle the four ADSs which turn up in the critical tab. Incidentally, AboutBuster claims to remove ADSs. It does not find any ADSs on my machine.....

....
C: Drive supports Alternate Data Streams.
Scanning and Enumerating ADS...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Other Object Recognized!
Type : Alternate Data Stream
Data : #5SummaryInformation
TAC Rating : 7
Category : Malware
Comment :
Object : C:\Program Files\RegClean\RegClean.exe:\

Other Object Recognized!
Type : Alternate Data Stream
Data : #5SummaryInformation
TAC Rating : 7
Category : Malware
Comment :
Object : C:\Program Files\Registrar Lite\reglite.exe:\

Other Object Recognized!
Type : Alternate Data Stream
Data : #5SummaryInformation
TAC Rating : 7
Category : Malware
Comment :
Object : C:\Program Files\Windows Media Player\npds.zip:\

Other Object Recognized!
Type : Alternate Data Stream
Data : #5SummaryInformation
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\StartupMonitor.exe:\

C: Enumerating detected ADS...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Location:C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db:encryptable
StreamName:encryptable
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:36 Bytes

Location:C:\Documents and Settings\All Users.WINDOWS\Documents\My Pictures\Sample Pictures\Thumbs.db:encryptable
StreamName:encryptable
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:36 Bytes

Location:C:\Documents and Settings\Owner\Desktop\Bob's Stuff\Thumbs.db:encryptable
StreamName:encryptable
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:36 Bytes

Location:C:\Documents and Settings\Owner.HOME\My Documents\My Pictures\Thumbs.db:encryptable
StreamName:encryptable
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:36 Bytes

Location:C:\Program Files\Lavasoft\Ad-Aware SE Personal\unregaaw.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamName:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:90 Bytes

Location:C:\Program Files\Online Services\MSN80\Menu\Thumbs.db:encryptable
StreamName:encryptable
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:36 Bytes

Location:C:\Program Files\RegClean\RegClean.exe:#5SummaryInformation
StreamName:#5SummaryInformation
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:88 Bytes
NameSize:52 Bytes

Location:C:\Program Files\RegClean\RegClean.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamName:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:90 Bytes

Location:C:\Program Files\Registrar Lite\reglite.exe:#5SummaryInformation
StreamName:#5SummaryInformation
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:88 Bytes
NameSize:52 Bytes

Location:C:\Program Files\Registrar Lite\reglite.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamName:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:90 Bytes

Location:C:\Program Files\Windows Media Player\npds.zip:#5SummaryInformation
StreamName:#5SummaryInformation
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:88 Bytes
NameSize:52 Bytes

Location:C:\Program Files\Windows Media Player\npds.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamName:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:90 Bytes

Location:C:\WINDOWS\StartupMonitor.exe:#5SummaryInformation
StreamName:#5SummaryInformation
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:88 Bytes
NameSize:52 Bytes

Location:C:\WINDOWS\StartupMonitor.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamName:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:90 Bytes

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Guest LilBambi

Do you have HiJackThis! on your computer? If not, it might help to download and extract the file from the zip folder into a folder of its own on your drive and run it. Be sure to close all Internet Explorer and Explorer files before clicking to scan. Then post the HiJackThis! log in this topic within the 'code' brackets so we can see what is going on. We have several folks here that are qualified HJT log analyzers as members of Scot's Newsletter Forums. They may also be able to tell you whether the ADSs Ad-Aware found are a problem or a false positive.

TeMerc

If you decide to quarantine them, and find that the apps related no longer function, you have the option to recover the files back to their original path. It looks to me those entries are f/ps. I would also say that About:Buster will not, in and of itself, remove ADS streams. It is used in conjunction with other removal tools. You can post a log from HJT if you like, and I can have a peek at it for you.

redmaledeer

Here is my HijackThis log. In interpreting it, perhaps it is useful to know that about:blank is on my machine. No protective program seems able to detect it, but about:blank pops up every once in a while followed soon by an advertisement. I just discovered that HijackThis itself has an ADS detector (under Misc Tools/Open ADS Spy Utility). When run, this detects ADSs, including the four ADSs which AdAware put into its critical tab. However, if this scan is repeated with the scan option "Ignore Safe System Info Streams" checked, no ADSs are detected. This suggests that all the ADSs on my machine are "Safe," tho I don't know why they should be "System Info Streams." It seems to me that figuring out a procedure for dealing with ADSs detected by AdAware would be a Good Thing. ADSs are of increased importance, and AdAware seems like a principal program for detecting them. Thanks all.........

Logfile of HijackThis v1.99.1
Scan saved at 5:01:41 AM, on 8/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

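As an added example that is not from the thread, from Lavasoft or from the HijackThis author: a parser for the six-line "Enumerating detected ADS" records in the Ad-Aware log posted above, followed by the kind of "safe system info stream" triage that redmaledeer's HijackThis ADS Spy run applied. It assumes the one-field-per-line layout of the log, that the log's "#5" stands for the 0x05 byte that begins COM property-set stream names, and that NameSize is BackupRead's byte length of the UTF-16 name ":<stream>:$DATA" (the 36, 52 and 90 byte values in the posted log all agree with that); the fourth sample record is constructed to show a stream that should not be waved through.

```python
"""Parse and triage the "Enumerating detected ADS" records of an Ad-Aware SE log.
Each six-line record mirrors the WIN32_STREAM_ID header that BackupRead returns: id 4
is BACKUP_ALTERNATE_DATA and NameSize is the UTF-16 byte length of ":<stream>:$DATA"."""
import os
import re
from dataclasses import dataclass

# Companion stream of the property set that Explorer's Summary tab writes on NTFS.
PROPERTY_SET_GUID = "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}"

# Constructed sample: three records copied from the posted log plus one made-up
# record (unknown.dat on calc.exe) so the "review" path is exercised.
SAMPLE_LOG = r"""C: Enumerating detected ADS...
Location:C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db:encryptable
StreamName:encryptable
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:36 Bytes
Location:C:\Program Files\RegClean\RegClean.exe:#5SummaryInformation
StreamName:#5SummaryInformation
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:88 Bytes
NameSize:52 Bytes
Location:C:\Program Files\RegClean\RegClean.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamName:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:0 Bytes
NameSize:90 Bytes
Location:C:\WINDOWS\system32\calc.exe:unknown.dat
StreamName:unknown.dat
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:45056 Bytes
NameSize:36 Bytes
"""

@dataclass
class AdsRecord:
    host_file: str  # file the stream hangs off
    stream: str     # stream name, "#5" decoded back to the 0x05 byte the log cannot print
    stream_id: int
    data_size: int
    name_size: int

    def name_size_consistent(self) -> bool:
        """BackupRead reports the UTF-16 byte length of ':<stream>:$DATA'."""
        return self.name_size == 2 * len(f":{self.stream}:$DATA")

def decode_stream_name(raw: str) -> str:
    """Undo the log's '#<n>' rendering of a leading control byte (assumed from the log)."""
    m = re.match(r"#(\d{1,2})(.*)", raw)
    return chr(int(m.group(1))) + m.group(2) if m else raw

def _build(f: dict) -> AdsRecord:
    # Location is "<path>:<stream>"; strip the stream suffix off the end rather than
    # splitting on ':' because the drive letter contains one too.
    host = f["Location"][: -(len(f["StreamName"]) + 1)]
    return AdsRecord(
        host_file=host,
        stream=decode_stream_name(f["StreamName"]),
        stream_id=int(re.search(r"\((\d+)\)", f["StreamID"]).group(1)),
        data_size=int(f["DataSize"].split()[0]),
        name_size=int(f["NameSize"].split()[0]),
    )

def parse_ads_records(text: str) -> list[AdsRecord]:
    """Group the one-field-per-line log into records, one per Location line."""
    records, fields = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Location":
            if fields:
                records.append(_build(fields))
            fields = {"Location": value}
        elif fields is not None and key in ("StreamName", "StreamID", "DataSize", "NameSize"):
            fields[key] = value
    if fields:
        records.append(_build(fields))
    return records

def triage(rec: AdsRecord) -> tuple[str, str]:
    """Return (verdict, reason); 'expected' marks streams Windows XP itself writes."""
    base = os.path.basename(rec.host_file.replace("\\", "/")).lower()
    if rec.stream_id != 4 or not rec.name_size_consistent():
        return "review", "not a plain $DATA stream, or NameSize disagrees with the name"
    if rec.stream.startswith("\x05"):
        return "expected", "COM property-set stream (Explorer's Summary tab)"
    if rec.stream == PROPERTY_SET_GUID:
        return "expected", "companion stream of the Summary tab property set"
    if rec.stream == "encryptable" and base == "thumbs.db" and rec.data_size == 0:
        return "expected", "empty marker Explorer puts on its thumbnail cache"
    return "review", f"unrecognised stream holding {rec.data_size} bytes"

if __name__ == "__main__":
    for rec in parse_ads_records(SAMPLE_LOG):
        verdict, why = triage(rec)
        print(f"{verdict:8} {rec.host_file}:{rec.stream!r}  {why}")
```

Run against the full posted log, all fourteen records come out "expected", which matches what ADS Spy reported once "Ignore Safe System Info Streams" was ticked; anything else lands in "review" together with its size, which is the cue to look at the host file rather than delete the stream blindly.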
TeMerc

OK, after looking thru the log and reading what you posted above, it appears the ADS findings are not infections. However, with regards to the popups and about:blank, where does this occur? Are you saying that your browser shows about:blank? And what type of popup? With all your protection, I am surprised you got any infection at all.

redmaledeer

Hi TeMerc - Thanks for checking my log. about:blank is said to be a homepage hijacker. Maybe I've slowed it down by graying out the Home Page entry in Tools/Internet Options/General. I did that by using the Disable checkbox in Spyware Blaster Tools/Misc. IE Settings. In any event, about:blank doesn't take over my home page. I mean that if I click on my Launch Internet Explorer Button, IE comes up with my normal home page. What it does is that once in a while an unrequested ordinary IE browser window pops up with "about:blank" in the address slot. An ad soon appears in the body of the window; the address slot either continues to say "about:blank", or changes to what is presumably the address of the ad. If the address of the ad has been blocked by my Hosts file, then the body will instead have a message that that site can't be reached. No protective program so far detects about:blank on my computer. I've also downloaded the Registrar Lite registry editor. This is supposed to be the only registry editor which will see part of about:blank in a key Registry entry. According to my search on the web, dealing with that entry is the first step in manual removal of about:blank. As you may guess, Registrar Lite doesn't see about:blank in that Registry entry either. about:blank is supposed to be Adware, but not Spyware. Does anyone have information to the contrary? Otherwise I'll simply put up with the ads for a while, unless someone suggests another approach. As to the original question of the ADSs detected by AdAware, I'll assume they're benign. I may eventually take TeMerc's suggestion and see what happens if I quarantine them, or uninstall and then clean install them as I suggested earlier. Thanks for the replies.

TeMerc

OK, something is generating these popups and we need to find out what it could be. Can you give me the url, if any, of these ads? In the meantime, let's get a quick look at some more detail from HJT: Please generate a startup list using HJT. And please check the 2 boxes next to the 'Generate Startuplist' button:
List also minor sections (full)
List empty sections (complete)

redmaledeer

TeMerc - Here is the startup list from HJT. Comments about ads follow.........

StartupList report, 8/8/2005, 9:15:20 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
NetDetect.job--------------------------------------------------Enumerating Download Program Files:[ppctlcab][{2FC9A21E-2069-4E47-8235-36318989DB13}][{4B48D5DF-9021-45F7-A240-60304302A215}][Java Plug-in 1.5.0_04]InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllCODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab[Java Plug-in 1.5.0_02]InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dllCODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab[Java Plug-in 1.5.0_04]InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllCODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab[shockwave Flash Object]InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx--------------------------------------------------Enumerating Winsock LSP files:NameSpace #1: C:\WINDOWS\System32\mswsock.dllNameSpace #2: C:\WINDOWS\System32\winrnr.dllNameSpace #3: C:\WINDOWS\System32\mswsock.dllProtocol #1: C:\WINDOWS\system32\mswsock.dllProtocol #2: C:\WINDOWS\system32\mswsock.dllProtocol #3: C:\WINDOWS\system32\mswsock.dllProtocol #4: C:\WINDOWS\system32\rsvpsp.dllProtocol #5: C:\WINDOWS\system32\rsvpsp.dllProtocol #6: C:\WINDOWS\system32\mswsock.dllProtocol #7: C:\WINDOWS\system32\mswsock.dllProtocol #8: C:\WINDOWS\system32\mswsock.dllProtocol #9: C:\WINDOWS\system32\mswsock.dllProtocol #10: C:\WINDOWS\system32\mswsock.dllProtocol #11: C:\WINDOWS\system32\mswsock.dllProtocol #12: C:\WINDOWS\system32\mswsock.dllProtocol #13: C:\WINDOWS\system32\mswsock.dllProtocol #14: C:\WINDOWS\system32\mswsock.dllProtocol #15: C:\WINDOWS\system32\mswsock.dllProtocol #16: C:\WINDOWS\system32\mswsock.dllProtocol #17: C:\WINDOWS\system32\mswsock.dll--------------------------------------------------Enumerating Windows NT/2000/XP servicesMicrosoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)aeaudio: system32\drivers\aeaudio.sys (manual 
start)Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start)Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)Alps Pointing-device Filter Driver: System32\DRIVERS\Apfiltr.sys (manual start)Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)Broadcom 802.11 Network Adapter Driver: System32\DRIVERS\bcmwl5.sys (manual start)Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)ATI Cabo AGP Filter: System32\DRIVERS\atisgkaf.sys (system)Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)Indexing Service: %SystemRoot%\system32\cisvc.exe (disabled)ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)Microsoft ACPI Control Method Battery Driver: System32\DRIVERS\CmBatt.sys (manual 
start)Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Disk Driver: System32\DRIVERS\disk.sys (system)Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)dmboot: System32\drivers\dmboot.sys (disabled)dmio: System32\drivers\dmio.sys (disabled)dmload: System32\drivers\dmload.sys (disabled)Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)EABFiltr: \??\C:\WINDOWS\System32\drivers\EABFiltr.sys (system)eabusb: \??\C:\Windows\System32\drivers\eabusb.sys (manual start)Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Event Log: %SystemRoot%\system32\services.exe (autostart)COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (disabled)Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs 
(disabled)Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)Intel Processor Driver: System32\DRIVERS\intelppm.sys (manual start)IPv6 Firewall Driver: System32\DRIVERS\Ip6Fw.sys (manual start)IPv6 Internet Connection Firewall: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)IPSEC driver: System32\DRIVERS\ipsec.sys (system)IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)mchInjDrv: \??\C:\WINDOWS\TEMP\mc21.tmp (disabled)Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)MRXSMB: System32\DRIVERS\mrxsmb.sys (system)Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)Microsoft 
Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050803.009\NAVENG.Sys (manual start)NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050803.009\NavEx15.Sys (manual start)Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)NetBIOS Interface: System32\DRIVERS\netbios.sys (system)NetBT: System32\DRIVERS\netbt.sys (system)Network DDE: %SystemRoot%\system32\netdde.exe (disabled)Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)Net Logon: %SystemRoot%\System32\lsass.exe (manual start)Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)Parallel port driver: System32\DRIVERS\parport.sys (manual start)PCI Bus Driver: System32\DRIVERS\pci.sys (system)PCIIde: System32\DRIVERS\pciide.sys (system)Pcmcia: System32\DRIVERS\pcmcia.sys (system)Plug and Play: %SystemRoot%\system32\services.exe (autostart)IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)Prevx Agent: "C:\Program Files\Prevx Home\PXAgent.exe" -f (autostart)Prevx Driver: System32\drivers\pxfsf.sys (system)Processor Driver: System32\DRIVERS\processr.sys (system)Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)QoS Packet Scheduler: System32\DRIVERS\psched.sys 
(manual start)Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)Qwik-Fix Pro: C:\Program Files\PivX\Qwik-Fix Pro\qfloadsvc.exe (autostart)Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)Direct Parallel: System32\DRIVERS\raspti.sys (manual start)Rdbss: System32\DRIVERS\rdbss.sys (system)RDPCDD: System32\DRIVERS\RDPCDD.sys (system)Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver: System32\DRIVERS\Rtlnic51.sys (manual start)Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)SAVRT: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS (system)SAVRTPEL: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS (system)SAVScan: C:\Program Files\Norton AntiVirus\SAVScan.exe (autostart)ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Secdrv: System32\DRIVERS\secdrv.sys (manual start)Secondary Logon: 
%SystemRoot%\System32\svchost.exe -k netsvcs (autostart)System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)smwdm: system32\drivers\smwdm.sys (manual start)Symantec Network Drivers Service: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (manual start)SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)System Restore Filter Driver: System32\DRIVERS\sr.sys (system)System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Srv: System32\DRIVERS\srv.sys (manual start)SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{86DA3EB2-8559-45DD-8480-0AA424222404} (manual start)Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart)Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)Telephony: 
%SystemRoot%\System32\svchost.exe -k netsvcs (manual start)TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)Terminal Device Driver: System32\DRIVERS\termdd.sys (system)Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)Microcode Update Driver: System32\DRIVERS\update.sys (manual start)Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)VgaSave: \SystemRoot\System32\drivers\vga.sys (system)vsdatant: System32\vsdatant.sys (system)TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)Microsoft Windows Management Interface for ACPI: System32\DRIVERS\wmiacpi.sys (system)WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)Wireless Zero Configuration: 
%SystemRoot%\System32\svchost.exe -k netsvcs (autostart)--------------------------------------------------Enumerating Windows NT logon/logoff scripts:*No scripts set to run*Windows NT checkdisk command:BootExecute = autocheck autochk /p \??\C:Windows NT 'Wininit.ini':PendingFileRenameOperations: C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\GLB1A2B.EXE||C:\Documents and Settings\Owner.HOME\Cookies\index.dat||C:\Documents and Settings\Owner.HOME\Cookies\index.dat||C:\Documents and Settings\Owner.HOME\Local Settings\Temporary Internet Files\Content.IE5\index.dat||C:\Documents and Settings\Owner.HOME\Local Settings\Temporary Internet Files\Content.IE5\index.dat||C:\Documents and Settings\Owner.HOME\Local Settings\Temporary Internet Files\Content.IE5\index.dat|||e--------------------------------------------------Enumerating ShellServiceObjectDelayLoad items:PostBootReminder: C:\WINDOWS\system32\SHELL32.dllCDBurn: C:\WINDOWS\system32\SHELL32.dllWebCheck: C:\WINDOWS\System32\webcheck.dllSysTray: C:\WINDOWS\System32\stobject.dll--------------------------------------------------Autorun entries from Registry:HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run*Registry key not found*--------------------------------------------------Autorun entries from Registry:HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run*Registry key not found*--------------------------------------------------End of report, 35,801 bytesReport generated in 1.781 secondsCommand line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only

TeMerc

While I look thru this tonite, can you please give me the types of ads you're getting in the popup IE windows. This could be of great help. Many of the sneaky infections can be determined by the affiliate popups, thanks.


redmaledeer

Hi TeMerc - Here is a popup of the sort where "about:blank" continues in the address slot after the ad appears in the body of the popup window (or tries to appear but is stopped by my Hosts file or otherwise). I went to weather.com (http://www.weather.com) and typed in my local postal code. Shortly after I got my local weather the unrequested IE browser window popped up with "about:blank" in the address slot. The ad itself did not appear, tho it doesn't look as if it was stopped by my Hosts file. It was only evidenced by one of those multi-colored little squares in the upper left of the unrequested browser window. I right-clicked on that browser window, and selected Properties. A lengthy URL was shown, which began http://c5.zedo.com/. I imagine that the rest of the URL specified exactly which Zedo ad was trying to get into the browser window. The blue line at the top of the unrequested IE browser said "From weather.com - NetBlue - Microsoft Internet Explorer". "about:blank" continued to be in the address slot. Spoofstick said that the unrequested browser was on www.weather.com. I need hardly say that Zedo and NetBlue are ad-pushers. Something like this happens every time I go to weather.com, which is why I don't go there very often. I will post information about other popups as they occur. I wouldn't be surprised if they get scarce now that I would like to see them. If this starts to take too much of your effort, I wouldn't take it amiss if you stopped working on it. I had resigned myself to living with these ads until (hopefully) about:buster or some other protective program caught up with whatever I have. Resigned, that is, unless spyware is also involved. Cheers and Thanks. -- Redmaledeer

TeMerc

Ok, preliminary investigation may point to a rootkit infection, based on findings of this line on your startup list, located in services:

mchInjDrv: \??\C:\WINDOWS\TEMP\mc21.tmp (disabled)

Pretty much everything I have found points to a rootkit called AFXRootkit. But I am consulting with a security expert on this. Even tho it is listed as disabled, these rootkits are amazingly complex, and require quite a bit of analysis. If you do any online banking of any sort, or any other transactions which involve sensitive material\info, I would contact all those parties and change all your passwords. These precautions may turn out to be unnecessary, but, I'd rather be safe than sorry. I'll continue to research tonite and hopefully have a specific answer by the morning.

EDIT to add: You may want to run that file thru this online scanner: Jotti Online File Scanner. Then post the results here.


redmaledeer

Hi TeMerc - C:\WINDOWS\TEMP\mc21.tmp doesn't exist on my machine. Nor does anything with mc21 in it. I didn't do anything that I know of to get rid of these. Incidentally, some time back I downloaded the trial version of Webroot Spysweeper. That was part of my fight against about:blank on my machine. It didn't detect about:blank and I uninstalled it. I mention this because I Googled mchInjDrv, and there seems to be a connection between mchInjDrv and Webroot Spysweeper. But at this point you probably wouldn't see Webroot Spysweeper on my machine.

TeMerc

OK, let's do a little bit more on the precautionary side. Please DL and run Rootkit Revealer. Just follow directions. Do not save to desktop, run in normal mode. Please post log produced. Also, this line:

O4 - Startup: Command Prompt.lnk = C:\WINDOWS\system32\cmd.exe

Do you know what it relates to? If not please run that file thru Jotti and see what it finds. You have some odd lines here and this is what's having me do some other consults, and thusly my requests for these procedures.


redmaledeer

Hi TeMerc - O4 - Startup: Command Prompt.lnk = C:\WINDOWS\system32\cmd.exe is the "Windows Command Processor." It opens up a DOS-like window on startup, which I use to run chkdsk on startup. RootkitRevealer finds one discrepancy:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\€ 1/18/2005 3:33 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\ seems to have as its sub-entries information about various communications devices, e.g., a modem. The last sub-sub-entry of each of these sub-entries is "Reinstall String." For all the other sub-entries this is a file which seemingly provides backup for a driver. But for the sub-entry in the discrepancy, it is 6.14.10.6396. This seems to be the model number of a legitimate driver. The discrepancy has content, so I don't understand why it is supposed to be 0 bytes. Learning about Rootkits was on my list of good intentions. I wasn't planning to do it this way, tho. There is also a rootkit detector called Black Light? Thanks again.

TeMerc
Hi TeMerc - O4 - Startup: Command Prompt.lnk = C:\WINDOWS\system32\cmd.exe is the "Windows Command Processor." It opens up a DOS-like window on startup, which I use to run chkdsk on startup.
Thats fine, thanks.
RootkitRevealer finds one discrepancy: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\€ 1/18/2005 3:33 PM 0 bytes Key name contains embedded nulls (*) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\ seems to have as its sub-entries information about various communications devices, e.g., a modem. The last sub-sub-entry of each of these sub-entries is "Reinstall String." For all the other sub-entries this is a file which seemingly provides backup for a driver. But for the sub-entry in the discrepancy, it is 6.14.10.6396. This seems to be the model number of a legitimate driver. The discrepancy has content, so I don't understand why it is supposed to be 0 bytes. Learning about Rootkits was on my list of good intentions. I wasn't planning to do it this way, tho. There is also a rootkit detector called Black Light? Thanks again.

I'm going to have to consult on this finding, I'm not nearly knowledgeable about rks at all either.

TeMerc

OK Red, here is what we need to do. We're trying to find the hidden file, and we're going to use HJT and a couple of tools. Also, the person helping me is Blender. She is an extraordinary analyst, especially when it comes to all sorts of trojans and viri. We need to find the infector .dll, if present.

First Process:

Step 1: Download Reg Lite

Step 2: Run Registrar Lite and paste this key below into the Address bar, then hit the 'Go' button: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Step 3: Double-click on the AppInit_DLLs value on the right-hand side and copy and paste the file that it lists in the Value box into your next message.

NOTE: Don't restart or switch users after you do this or the .DLL might change and we will have to do this over again.

Next, DL Norton Backdoor AgentB Tool. Save it to your desktop, go offline, and have no IE or Explorer windows open. Also, be sure and shut off your av, it may interfere. Run the tool twice, rebooting in between. (don't forget to turn everything off again)

Then, open HJT, click the 'Misc Tools' button>>ADSSpy, untick 'scan windows base folder', then hit 'scan', save the log and post results of all the above tools into your next reply. Let's see what they find.

EDIT: The Rootkit Revealer log find was ok.


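The AppInit_DLLs check in Step 3 and the ADSSpy scan in the post above can both be done from the command line. This is an added example, not code from the thread or from Ad-Aware, HJT or Registrar Lite; it assumes PowerShell 3.0 or later (for Get-Item -Stream) on an NTFS volume, and the scan root passed at the bottom is an assumption.

```powershell
# Added example (not from the thread): the two checks TeMerc asks for, in PowerShell 3.0+.

function Get-AppInitDlls {
    # Every DLL listed in AppInit_DLLs is loaded into each process that links
    # user32.dll, so anything other than an empty value deserves a close look.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $value = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($value)) { return @() }
    # The value is a space- or comma-separated list of DLL paths.
    return @($value -split '[ ,]+' | Where-Object { $_ })
}

function Get-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string]$Root,
        # Zone.Identifier is the ordinary "downloaded from the Internet" marker;
        # it is noise for this purpose unless explicitly requested.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-Item -Stream * lists every named stream on the file.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        # ':$DATA' is the file's own (unnamed) content, not an alternate stream.
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# Usage. The scan root is an assumption; point it at whatever folder the scanner flagged.
$dlls = Get-AppInitDlls
if ($dlls.Count -eq 0) { 'AppInit_DLLs: (empty)' }
else { "AppInit_DLLs: $($dlls -join ', ')  <-- review each listed DLL" }
Get-AlternateStreams -Root $env:ProgramFiles | Format-Table -AutoSize
```

Remove-Item -LiteralPath <file> -Stream <name> deletes only that named stream; the host file and its main content are untouched, which is the distinction between removing an ADS and removing the program it is attached to.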
redmaledeer

Hi TeMerc - Sorry for the delay. My back has been acting up, which makes sitting at the computer risky, and standing up at the computer is awkward. I'll respond piecemeal, first about Registrar Lite. I did what was said in Steps 1 thru 3. The Value box was blank. I did the same thing earlier (Post #6, Aug. 8, about half way down). The result was the same, but I did it again. This is not in response to your post. I mentioned earlier that I had used Spyware Blaster to lock down my home page, and that my home page was not being hijacked. I speculated that since about:blank is a homepage hijacker maybe I had slowed it down by locking the home page. I unlocked the home page to see what would happen. Mostly everything came up as normal, but before too long, when I was seeking to go to www.mail2world.com (which isn't my home page), I was instead redirected to wwwwebmail.com (that's how it appeared). It didn't say anything about about:blank. The body of the page was a portal. I think I had run into that same portal a long time earlier when my home page was locked down. Despite that, its prompt appearance after unlocking makes me think there is a connection. Hidden underneath the portal page was another page with "Free Screensaver - Microsoft Internet Explorer" in the blue border at the top, and "http://dist.belnk.com/etc..." as the Address. I think the body of the page showed screensavers. Belnk is of course Claria/Gator. While I can't guarantee that I never got something from them before, again this happened soon after unlocking. Something else in this line, this time directly connected to about:blank, comes from BlogExpress Reader. I downloaded that a few days ago to handle RSS. When I press its New Web Tab button, up comes about:blank as the new web tab name and as an address. That is with my home page locked. I will work on the rest of your post. And thanks again to you and Blender.

redmaledeer

Hi TeMerc - I followed the instructions in your last post regarding AgentB and HijackThis. Neither run of FXAgentB found anything. I don't know why there were some things it didn't scan. The two logs are at the end of this post. The times and dates were added by me. HijackThis didn't find anything either. As instructed, I unchecked Quick Scan. I left checked Ignore Safe System Streams. That seems to be the default. In looking at HijackThis I noticed that its Main Page gives about:blank as my Default Start Page. Also, I don't recognize the other three related pages given there. I set such pages using Spyware Blaster (Tools/Browser Pages). Perhaps the Spyware Blaster settings overrule the settings found by HijackThis. I could change these four pages in HijackThis, but I don't know if it would do any good. That is, I don't know whether HijackThis is actually setting these pages, or just reporting what it finds elsewhere, in which case changing what it says in HijackThis wouldn't affect anything.

4:41 AM 8/22/2005
Symantec Backdoor.Agent.B Removal Tool 1.0.1.2
C:\Documents and Settings\Owner: (not scanned)
C:\System Volume Information: (not scanned)
Backdoor.Agent.B has not been found on your computer.

5:03 AM 8/22/2005
Symantec Backdoor.Agent.B Removal Tool 1.0.1.2
C:\Documents and Settings\Owner: (not scanned)
C:\System Volume Information: (not scanned)
Backdoor.Agent.B has not been found on your computer.
TeMerc

OK, let's do the following:

Reset your home page in Internet Options to something generic, like Google or Yahoo!. Allow all your other apps, which may monitor the change, to accept the new settings.

Uninstall the blog app you downloaded, and, just for giggles-n-grins, check the EULA to see if there is something about any third-party apps. Sounds as though they may be sneaking in something with Claria/Gator, which is not too unusual. The same goes for the webmail site; could be they are serving something up.

Once all your home page apps have been set to the same thing, let's see if any changes occur. It's a funny thing; this happens occasionally to some users. You have so many apps watching your home page that alerts pop up, and it can sometimes get confusing. And you certainly seem to have quite a bit in regards to prevention.

I'm going to hit that webmail site to see what happens on my test box.
redmaledeer

Hi TeMerc - I guess my main question would be how to know which applications monitor my home page setting. Google is what I've been using as home page (and search page) all along. This appears in Tools/Internet Options/General/Home Page. I have this entry locked (grayed out) using Spyware Blaster (Tools/Misc. IE Settings). Home and search pages can also be set in Spyware Blaster (Tools/Browser Pages). These have also been set to Google all along.

New is that I've set Google as home and search pages in HijackThis (Misc Tools/Main/Default Start and Search Pages). I was a bit surprised that I could do this. The start page originally was about:blank. Earlier when I tried to change this it reverted to about:blank. If there are any other applications which monitor my home page, I don't know what they are.

I will uninstall BlogExpress. I think it's legitimate, though it had no EULA or comments about adware or spyware.

I also went to wwwwebmail.com. On some site dealing with about:blank, I earlier saw a picture of the website to which about:blank hijacks you. This looked like it. Again, hidden underneath wwwwebmail.com was an ad from belnk (=Claria/Gator).

I will uninstall BlogExpress, and we can see what happens then. Thanks again.
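The start and search pages that Internet Options, Spyware Blaster and HijackThis each show all come from the same registry values; HijackThis reports them rather than owning them. The script below is an added example, not code from the thread or from any of those tools: it reads the usual IE start/search page values from HKCU and HKLM, flags any that do not point at the expected site, and reports the policy value that greys out the Home Page box. The expected URL, the value names checked and the policy location are assumptions (standard IE locations); the claim that home-page lock tools set that policy value is also an assumption, not something the thread states.

```powershell
# Added example, not from the thread: show the registry values Internet Explorer (and
# tools such as HijackThis, which only report them) uses for start and search pages,
# flag any that do not match the expected site, and show the home-page lock policy.
# Assumes the standard IE locations under HKCU and HKLM; run as the affected user.

function Show-IEStartPages {
    param([string]$Expected = 'http://www.google.com/')   # assumed expected home page

    $keys  = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
             'HKLM:\Software\Microsoft\Internet Explorer\Main'
    $names = 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL'

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $names) {
            $value = $props.$name
            if ($null -eq $value) { continue }
            # Anything not pointing at the expected site (about:blank, an unknown host)
            # is worth a look.
            $flag = if ($value -like "$Expected*") { 'ok   ' } else { 'CHECK' }
            '{0} {1,-45} {2,-20} {3}' -f $flag, $key, $name, $value
        }
    }

    # Assumption: lock-home-page tools set this policy value to 1, which is what greys
    # out the Home Page box in Internet Options.
    $policy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    $lock = (Get-ItemProperty -Path $policy -Name HomePage -ErrorAction SilentlyContinue).HomePage
    'HomePage lock policy: {0}' -f $(if ($null -eq $lock) { 'not set' } else { $lock })
}

Show-IEStartPages
```

A CHECK line for Start Page with about:blank as the value is the registry view of what HijackThis showed on its Main page; changing the value in any of the tools rewrites the same entry, and the lock policy only stops the Internet Options dialog from editing it, not other programs.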
TeMerc
Hi TeMerc - I guess my main question would be how to know which applications monitor my home page setting. Google is what I've been using as home page (and search page) all along. This appears in Tools/Internet Options/General/Home Page. I have this entry locked (grayed out) using Spyware Blaster (Tools/Misc. IE Settings). Home and search pages can also be set in Spyware Blaster (Tools/Browser Pages). These have also been set to Google all along. New is that I've set Google as home and search pages in HijackThis (Misc Tools/Main/Default Start and Search Pages). I was a bit surprised that I could do this. The start page originally was about:blank. Earlier when I tried to change this it reverted to about:blank. If there are any other applications which monitor my home page, I don't know what they are.

I'm unsure what other apps you have that may have home page protection. If the ones you currently have are all set to the same thing, Google.com, and nothing has tried to make any changes, that's good.

I will uninstall BlogExpress. I think it's legitimate, though it had no EULA or comments about adware or spyware.

I'd be surprised if this actually fixes or changes anything, but, just in case.

I also went to wwwwebmail.com. On some site dealing with about:blank, I earlier saw a picture of the website to which about:blank hijacks you. This looked like it. Again, hidden underneath wwwwebmail.com was an ad from belnk (=Claria/Gator).

I'm somewhat confused about this last statement. Are you saying you saw a screenshot of a hijacked home page someplace, and it looked similar?

OK, I just hit the wwwwebmail.com site. I had gone to webmail.com, not realising the site name was WWWwebmail.com. The site you refer to is some sort of search-type site, for email lists to purchase and so forth. I got 2 popups, one as you described, and another, which I could only make pop up the first time I went there.

Stay away from that site, would be my recommendation. Or install popup blockers, because between my Google bar and the XP SP2 popup blocker, they were all blocked.