Infected with About:Blank?

Hello,

Could I please see an uninstall list?

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Regards,
tea
 
HJT Uninstall & GMER Log

Logs as requested follow -

HJT Uninstall list -
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.8
Adobe® Photoshop® Album Starter Edition 3.0.1
ALPS Touch Pad Driver
America Online (Choose which version to remove)
AVG Anti-Spyware 7.5
BUM
CD/DVD Drive Acoustic Silencer
Cda Product Service - shared component
DeductionPro 2004-05
DeductionPro 2005-06
DVD-RAM Driver
Form Fill (Windows Live Toolbar)
Google Earth
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
hp officejet d series
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 9
KODAK EASYSHARE Gallery Upload ActiveX Control
Learn2 Player (Uninstall Only)
Macromedia Flash Player 8
Macromedia Shockwave Player
McAfee Privacy Service
McAfee SecurityCenter
McAfee SiteAdvisor for Internet Explorer
McAfee VirusScan
mCore
mDriver
mDrWiFi
mEoU.msi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Baseline Security Analyzer 2.0
Microsoft Money 2006
Microsoft Office XP Professional with FrontPage
Microsoft Phishing Filter Add-in
Microsoft Publisher 2002
Microsoft Works
mIWA
mIWCA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB925672)
mWlsSafe
mXML
mZConfig
Notebook Maximizer
Palm Desktop
Panda ActiveScan
QuickTime
RealArcade
RealPlayer
Realtek AC'97 Audio
Rhapsody Player Engine
Roxio Burn Engine
sat_screensaver_30mb
SD Secure Module
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Sonic DLA
Sonic RecordNow!
Spybot - Search & Destroy 1.4
Tabbed Browsing (Windows Live Toolbar)
TaxCut Deluxe 2005
Texas Instruments PCIxx21/x515 drivers.
TOSHIBA Accessibility
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Fn-esse
TOSHIBA Hardware Setup
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration and Metamail Trust Architecture
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
Toshiba Tbiosdrv Driver
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
TouchPad On/Off Utility
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Safety Scanner
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Live Toolbar MSN Extension (Windows Live Toolbar)
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888240
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
XoftSpy

GMER Log -
GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-16 21:16:15
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL [AA6D8C3D] tfsnifs.sys
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL [AA6D8C3D] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [AA6D8AA6] tfsnifs.sys

---- Files - GMER 1.0.11 ----

ADS C:\Documents and Settings\Ann K. Whitsett\Desktop\homes:SummaryInformation
ADS C:\Documents and Settings\Ann K. Whitsett\Desktop\homes:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...

---- EOF - GMER 1.0.11 ----
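Added triage example (not part of the original thread, and not GMER's own code): the three GMER sections above each show a hook or stream that is the kind of thing a kernel rootkit would plant, so the question is who owns each one. The script below parses the SSDT, Device and ADS lines and gives each a verdict from an allowlist the analyst maintains. guard.sys is AVG Anti-Spyware 7.5's real-time guard, which the log's own path shows; tfsnifs.sys is my identification of the Sonic DLA (Drive Letter Access) CD/DVD filter, matching the "Sonic DLA" entry in the uninstall list; the SummaryInformation and {4c8cc155-...} streams on the Desktop "homes" folder are Explorer property streams. The sample log is constructed from the posted one, shortened to a generic user name, with one made-up driver (example_unknown.sys) and one made-up stream (example_hidden) added so that both verdicts appear.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the GMER output above, shortened to one user
# name and with one made-up SSDT line and one made-up stream added so that
# both verdicts show up.
SAMPLE_LOG = r"""GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-16 21:16:15

---- System - GMER 1.0.11 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\example_unknown.sys ZwQueryDirectoryFile

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL [AA6D8C3D] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [AA6D8AA6] tfsnifs.sys

---- Files - GMER 1.0.11 ----

ADS C:\Documents and Settings\user\Desktop\homes:SummaryInformation
ADS C:\Documents and Settings\user\Desktop\homes:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINDOWS\example_host.txt:example_hidden

---- EOF - GMER 1.0.11 ----
"""

# Drivers this editor identifies as expected on this machine, keyed by file
# name. guard.sys: AVG Anti-Spyware 7.5, per its path in the log. tfsnifs.sys:
# the Sonic DLA (Drive Letter Access) CD/DVD filter, which matches the "Sonic
# DLA" entry in the uninstall list. Anything absent here is flagged for a
# second look, not declared malicious.
KNOWN_MODULES = {
    "guard.sys": "AVG Anti-Spyware 7.5 real-time guard",
    "tfsnifs.sys": "Sonic DLA CD/DVD file-system filter",
}

# Named streams Windows itself attaches to files and folders.
BENIGN_STREAMS = {
    "summaryinformation",                       # Explorer summary properties on a folder
    "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}",   # companion property-set stream
    "zone.identifier",                          # mark-of-the-web on downloaded files
}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+)\s+(?P<func>(?:Zw|Nt)\w+)$")
DEVICE_RE = re.compile(r"^Device\s+(?P<device>\S+)\s+(?P<object>\S+)\s+(?P<irp>IRP_MJ_\w+)"
                       r"\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)$")


@dataclass
class Finding:
    kind: str      # "SSDT", "Device" or "ADS"
    subject: str   # hooked syscall, hooked IRP, or stream name
    owner: str     # driver file name, or the file/folder carrying the stream
    verdict: str   # "expected" or "investigate"
    note: str


def _basename(win_path):
    return win_path.rsplit("\\", 1)[-1].lower()


def _judge_module(module):
    name = _basename(module)
    if name in KNOWN_MODULES:
        return "expected", KNOWN_MODULES[name]
    return "investigate", "hooking driver is not in the known-module list"


def triage(log_text):
    """Classify each SSDT hook, device IRP hook and ADS line of a GMER log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            verdict, note = _judge_module(m["module"])
            findings.append(Finding("SSDT", m["func"], _basename(m["module"]), verdict, note))
        elif m := DEVICE_RE.match(line):
            verdict, note = _judge_module(m["module"])
            subject = f"{m['object']} {m['irp']}"
            findings.append(Finding("Device", subject, _basename(m["module"]), verdict, note))
        elif line.startswith("ADS "):
            host, _, stream = line[4:].rpartition(":")
            if stream.lower() in BENIGN_STREAMS:
                findings.append(Finding("ADS", stream, host, "expected", "standard Windows stream"))
            else:
                findings.append(Finding("ADS", stream, host, "investigate",
                                        "unexpected named stream: dump and hash its contents"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:<11} {f.kind:<6} {f.owner:<20} {f.subject}  ({f.note})")
```

Run against the posted log, every line comes back "expected", which is the same conclusion the helper reached: nothing in GMER's output points at an unknown driver. The allowlist is the weak spot, so keep it per machine and verify a driver's path and signer before adding it; a rootkit that names its driver guard.sys would be waved through by the basename match alone.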
 
Hi Ann,

I have some research to do here for you, plus a few things to check on from your logs. Don't wait around for me, as it might not be until morning when I get something for you.

Thanks for your patience. :)

tea
 
Thanks

Okay - thank you for your patience and perseverance in helping me! :bigthumb: Will check tomorrow after work (guess I had better go in tomorrow). Thanks again. Later, Ann
 
Hi Ann......hope your first day back to work was an easy one. ;)

First thing for you to do here today is this, please:

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\WINDOWS\McAfee.com

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

Please do the same for this file : C:\Documents and Settings\Ann\Application Data\GDIPFONTCACHEV1.DAT

tea
 
Can't get Virusscan.Jotti to work

Must be doing something wrong – when I go to “Browse” and find C:\Windows\McAfee.com – it doesn’t let me choose only that file. McAfee.com has a folder “Free Scan” which when opened has the following files:
Avdat, AvDAT Module, Network Associates, Inc.
Mcfscan.dll, 2.1.0.4856, McAfee Free Virus Scan
Mcscan32.dll, 4.4.0.0, AV Scanning Engine
Names, DAT file, 718 KB
Rwabs16.dll, 1.0.0.0, nwabs thunking layer – 16 bit side
Rwabs32.dll, 1.0.0.0, nwabs thunking layer – 32 bit side
Scan, DAT file, 7,517 KB
Signlic, Text Document, 6 KB
It wants me to choose one of the above files. I tried typing in only C:\Windows\McAfee.com, but it comes back with “The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.”

Even worse with the C:\\Documents & Settings\Ann\Application Data\GDIPFONTCACHEV1.DAT
I find the file you are referring to on the ComboFix.Log, but when I browse I can't find it at all. :scratch:

Can you explain to me one more time (sorry for being so "dense" today) what to do and I will try again.

Thanks, Ann
 
Hello,

Don't worry about the McAfee. I just wanted to be sure. ;)

Do you have your settings set to show hidden files and folders? Maybe that's why you couldn't find the other one.

Please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Rehide them when you're done. :)
 
Virusscan.Jotti Completed

Ah - that's what it was - the hidden files :) Jotti's malware scan results for GDIPFONTCACHEV1.DAT follow -
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 35cfce7929c60e8a98450de7f7cb2f02
Scanner results - "Found nothing" for all scans
I guess it scanned the file when I typed it in since the "Status" seems to indicate such. Does it mean anything if I run in "Safe Mode with Networking" and have no problems with MIE?

Thanks, Ann
 
Hello Ann,

Sorry for my delayed reply. :(

Are there any other user accounts on this PC?

As for your question, there has to be something there that starts up to cause this in normal mode.

Create a Startup List

  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and paste the StartupList from the notepad into your next post

Regards,
tea
 
HJT StartupList Report

Tea: No prob with the delay - hope there are no probs and you are okay. I am the culprit :sick: no one else uses this laptop. Startup report follows -

StartupList report, 10/19/2006, 8:07:00 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Ann K. Whitsett\My Documents\HJT\DudesToy.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~1.EXE
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Documents and Settings\Ann K. Whitsett\My Documents\HJT\DudesToy.exe
c:\program files\mcafee.com\agent\mcupdate.exe
c:\program files\mcafee.com\vso\mcvsmap.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
Metamail Trust Manager.lnk = C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
TCtryIOHook = TCtrlIOHook.exe
TFncKy = TFncKy.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
AGRSMMSG = AGRSMMSG.exe
NDSTray.exe = NDSTray.exe
HWSetup = C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
SVPWUTIL = C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
TOSHIBA Accessibility = C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
CeEKEY = C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
TPSMain = TPSMain.exe
PadTouch = C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
ZoomingHook = ZoomingHook.exe
SmoothView = C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
TPNF = C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
VSOCheckTask = "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe = c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
Tvs = C:\Program Files\Toshiba\Tvs\TvsTray.exe
Pinger = C:\toshiba\ivp\ism\pinger.exe
VirusScan Online = C:\Program Files\McAfee.com\VSO\mcvsshld.exe
Notebook Maximizer = C:\Program Files\Notebook Maximizer\maximizer_startup.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
IntelZeroConfig = C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
(Default) =
IntelWireless = C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
EOUApp = C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
OASClnt = C:\Program Files\McAfee.com\VSO\oasclnt.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
MPSExe = c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
IVPServiceMgr = C:\toshiba\ivp\ism\ivpsvmgr.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssbezier.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SiteAdvisor\SiteAdv.dll - {089FD14D-132B-48FC-8861-0048AE113215}
(no name) - c:\program files\mcafee.com\mps\mcbrhlpr.dll - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E}
McAfee PopupKiller - c:\program files\mcafee.com\mps\popupkiller.dll - {3EC8255F-E043-4cae-8B3B-B191550C2A22}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Windows Live Toolbar\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
(no name) - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll - {C09C9904-FD44-11D6-A711-00105AC8F168}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Check Updates for Windows Live Toolbar.job
McAfee.com Scan for Viruses - My Computer (TOSHIBA-USER-Ann K. Whitsett).job
MP Scheduled Scan.job
XoftSpy.job

--------------------------------------------------

Enumerating Download Program Files:

[StagingUI Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StagingUI.ocx
CODEBASE = http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Musicnotes Viewer]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\mnviewer.dll
CODEBASE = http://www.musicnotes.com/download/mnviewer.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?LinkID=39204

[ewidoOnlineScan Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
CODEBASE = http://download.ewido.net/ewidoOnlineScan.cab

[ZoneBuddy Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZBuddy.ocx
CODEBASE = http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

[{3DA5D23B-EFE1-4181-ADB7-7D457567AACA}]
CODEBASE = http://zone.msn.com/bingame/pacz/default/pandaonline.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[WebGameLoader Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ReflexiveWebGameLoader.dll
CODEBASE = http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab

[Malicious Software Removal Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebCleaner.dll
CODEBASE = http://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab

[PSFormX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\PESTSC~1.OCX
CODEBASE = http://www3.ca.com/securityadvisor/pestscan/pestscan.cab

[ZonePAChat Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPAChat.ocx
CODEBASE = http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

[Windows Live Safety Center Base Module]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
CODEBASE = http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122847104343

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124154248656

[Ofoto Upload Manager Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\axofupld.dll
CODEBASE = http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

[ZPA_DMNO Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_dmno.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_dmno.cab42341.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

[StadiumProxy Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StProxy.dll
CODEBASE = http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

[SCEWebLauncherCtl Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SCEWebLauncher.Ocx
CODEBASE = http://sympatico.zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab

[CPlayFirstDinerDashControl Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80.dll
CODEBASE = http://comcast.oberon-media.com/online2/diner_dash/DinerDash.1.0.0.80.cab

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Playtime Games Launcher]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PTGameLauncher.dll
CODEBASE = http://playgames.comcast.net/online2/mahjong_escape_ancient/PTGameLauncher.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4856/mcfscan.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 14,521 bytes
Report generated in 5.046 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
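Added triage example (not part of the original thread, and not StartupList's own code): a StartupList report is long, and the lines worth a second look are easy to miss by eye. Several of the HKLM Run values above name a bare executable with no path (TCtryIOHook = TCtrlIOHook.exe, TFncKy = TFncKy.exe, AGRSMMSG = AGRSMMSG.exe, NDSTray.exe, TPSMain.exe, ZoomingHook.exe); Windows locates those through App Paths and the PATH search, so the Run value alone does not say which file starts, but the "Running processes" list does (C:\WINDOWS\system32\TCtrlIOHook.exe, C:\WINDOWS\AGRSMMSG.exe, and so on). The script below cross-references the two, and also lists every BHO that loads from outside Program Files, since a BHO runs inside every Internet Explorer window and is one of the usual places a homepage hijack lives. The sample report is a constructed excerpt of the one above; the ExampleMissing entry and the EXAMPLE-UNKNOWN-BHO line are made up so that each check produces a hit.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt modelled on the StartupList report above; the
# ExampleMissing and EXAMPLE-UNKNOWN-BHO lines are made up so every check hits.
SAMPLE_REPORT = r"""Running processes:

C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TCtryIOHook = TCtrlIOHook.exe
TFncKy = TFncKy.exe
AGRSMMSG = AGRSMMSG.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
ExampleMissing = example_missing.exe
(Default) =

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\WINDOWS\system32\example_unknown.dll - {EXAMPLE-UNKNOWN-BHO}

--------------------------------------------------
"""

SECTIONS = {"Running processes:": "proc", "Autorun entries from Registry:": "run",
            "Enumerating Browser Helper Objects:": "bho"}
RUN_ENTRY_RE = re.compile(r"^(?P<name>.+?) =\s*(?P<value>.*)$")


def parse_report(text):
    """Collect running processes, Run values and BHOs from a StartupList report."""
    section = hive = None
    procs, runs, bhos = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = SECTIONS[line]
        elif not line:
            continue
        elif line.startswith("---"):
            section = None                     # separator closes the section
        elif section == "proc":
            procs.append(line)
        elif section == "run":
            if line.startswith("HK"):
                hive = line                    # HKLM\...\Run or HKCU\...\Run
            elif (m := RUN_ENTRY_RE.match(line)) and m["value"]:
                runs.append((hive, m["name"], m["value"]))
        elif section == "bho":
            rest, _, clsid = line.rpartition(" - ")
            name, _, dll = rest.partition(" - ")
            bhos.append((name, dll, clsid))
    return procs, runs, bhos


def command_image(value):
    """Program path from a Run value, without surrounding quotes or arguments."""
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", value)
    return m.group(1) if m else value.split()[0]


def triage(text):
    procs, runs, bhos = parse_report(text)
    running = {}
    for p in procs:
        running.setdefault(PureWindowsPath(p).name.lower(), []).append(p)
    findings = []
    # 1. A bare executable name in a Run value is found through App Paths and
    #    the PATH search; resolve it against what is actually running instead.
    for hive, name, value in runs:
        image = command_image(value)
        if "\\" not in image:
            seen = running.get(image.lower())
            findings.append(("run-bare-name", f"{hive}\\{name}", image,
                             "runs as " + "; ".join(seen) if seen else "not seen running"))
    # 2. BHOs load into every IE window; one outside Program Files (8.3 form
    #    included) gets a look. The Sonic DLA shell extension is a vendor
    #    exception the analyst resolves from the uninstall list, not the script.
    for bname, dll, clsid in bhos:
        if not dll.lower().startswith(("c:\\program files\\", "c:\\progra~1\\")):
            findings.append(("bho-outside-program-files", clsid, dll, bname))
    return findings


if __name__ == "__main__":
    for kind, where, what, detail in triage(SAMPLE_REPORT):
        print(f"{kind:<26} {where:<55} {what}  [{detail}]")
```

On the posted report this flags the Toshiba and Agere bare-name entries (all of which resolve to a running process under C:\WINDOWS or Program Files) and the one BHO under system32, tfswshx.dll in the dla folder, which the uninstall list ties to Sonic DLA. A bare-name entry that resolves to nothing running, or to a copy in an unexpected directory, is the case worth chasing.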
 
Hi Ann,

Whatever this is, it's hiding really well. All these scans have turned up very little...but there are still options, so I'm game if you are!

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Double-click sspsetup1.exe to install it.
  • Before installation it may ask you to check for program updates. Click YES.
    Then finish installation leaving all the default options.
  • Once the program is installed, it will ask if you wish to reboot now choose YES.
    We need to go into Safe Mode from here. To get into Safe Mode, while your computer is restarting continually tap the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Open SpySweeper, by double-clicking the icon on your desktop.
  • It will ask you if you want to run the Diagnostic version of SpySweeper click YES.
  • You will receive a prompt telling you it's running in Diagnostic version. Click OK.
  • Click Options on the left side (towards the bottom).
  • Click the Sweep tab.
  • Under Items to Sweep make sure the following are checked:
    • Windows registry
    • Memory objects
    • Cookies
    • Compressed Files
    • System Restore Folder
  • Under Other Options make sure the following are checked:
    • Sweep all user accounts
    • Enable Direct Disk Sweeping
    • Sweep for rootkits
  • Click OK. Click Start.
  • When it's done scanning, it will list any items found. Click Next.
  • Make sure everything found has a check next to it and click Next.
  • It will quarantine all items found.
  • Click Session Log in the lower left corner.
  • Click Save to File and save it on your desktop.
  • Close SpySweeper.
  • Restart your computer into normal Windows.
  • Paste the contents of the session log you saved into your next reply (Spy Sweeper Session Log.txt).
  • If for some reason you didn't save the log you can get to it by clicking Options on the left. Then, View Session Log will be listed under Other Options.

tea
 
Addition, Ann,

Could you please go back and run Trend Micro again and post the report so I can see a full path to what it found? I have some more eyes on this, so more ideas of what's causing it are coming in.:D:

tea
 
Spy Sweeper Log & TrendMicro Housecalls

Tea:
Long as you are game, I am too! :) Ran Spy Sweeper several times in “safe” mode. First time found “Webtrends cookie”, did the next/next procedure and it put it in quarantine where it still sits. Was not sure how to get the "session log file too large for display" to display. Let me know and I will try again. Ran TrendMicro again also.

TrendMicro Housecall Results:
Scanning and Cleaning Complete
HouseCall did not find any potential threats on your computer. Make sure you run HouseCall once a week to keep your PC clean and malware free.

Spy Sweeper Log follows:
**** ERROR: Session log file 061020013720.ses too large for display *****

1:33 AM: Traces Found: 0
1:33 AM: File Sweep Complete, Elapsed Time: 00:26:41
1:33 AM: Sweep Canceled
1:32 AM: Warning: Failed to access drive D:
1:06 AM: Starting File Sweep
1:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:06 AM: Starting Cookie Sweep
1:06 AM: Registry Sweep Complete, Elapsed Time:00:00:15
1:06 AM: Starting Registry Sweep
1:06 AM: Memory Sweep Complete, Elapsed Time: 00:01:36
1:04 AM: Starting Memory Sweep
1:04 AM: Sweep initiated using definitions version 691
1:04 AM: Spy Sweeper 5.0.5.1286 started
1:04 AM: | Start of Session, Friday, October 20, 2006 |
********

**** ERROR: Session log file 061019235520.ses too large for display *****

1:33 AM: Traces Found: 0
1:33 AM: File Sweep Complete, Elapsed Time: 00:26:41
1:33 AM: Sweep Canceled
1:32 AM: Warning: Failed to access drive D:
1:06 AM: Starting File Sweep
1:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:06 AM: Starting Cookie Sweep
1:06 AM: Registry Sweep Complete, Elapsed Time:00:00:15
1:06 AM: Starting Registry Sweep
1:06 AM: Memory Sweep Complete, Elapsed Time: 00:01:36
1:04 AM: Starting Memory Sweep
1:04 AM: Sweep initiated using definitions version 691
1:04 AM: Spy Sweeper 5.0.5.1286 started
1:04 AM: | Start of Session, Friday, October 20, 2006 |
********
11:55 PM: | End of Session, Thursday, October 19, 2006 |
11:54 PM: Program Version 5.0.5.1286 Using Spyware Definitions 691
11:54 PM: Spy Sweeper 5.0.5.1286 started
11:54 PM: | Start of Session, Thursday, October 19, 2006 |
********
 
MetaMail

Tea:
No, I don't think I use MetaMail - hotmail, outlook and comcast. I am not sure what MetaMail is really, but I see it in my tray (I guess it is called the tray? The area on the right hand side lower bar). Not sure when it showed up (I think it has been there a while) either.
Ann
 
HHmm...

I see 3 instances of it running in running processes :

C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~1.EXE
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE


You said the problem doesn't happen in safe mode.

I'd like to see what this does, please.

Click start>run> type in msconfig click the startup tab and uncheck all the instances of Meta Mail. Apply/OK out and reboot. Let me know if this makes any difference.

tea
 
MetaMail

Tea:
I did as instructed (Stopped MetaMail from starting up). No difference. I did find out, however, that MetaMail is used for Outlook Express Mail.
Ann
 
Tea:
Not sure if this was a good idea or not, but I downloaded MIE 7. All problems have stopped. Do you think MIE7 overwrote whatever was causing the problem with MIE 6? Or is it still lurking somewhere ready to spring out again?
Ann
 
Hi Ann,

How is it running now after a few days? Heh, if all is well, I'm not going to look a gift horse in the mouth after all we've been through.:laugh:

Regards,
tea
 