old & new about:blank



#1
DigitalHerb

The scenario goes like this:
When clicking on a link that is in an email (I use Eudora) on some occasions, not all, an Internet Explorer window (I use Firefox) will open. That window will contain "about:blank" in the address field and is completely blank in the body portion of that window. Nothing else happens and my Firefox browser opens and takes me to the actual link shown in the email. I click on the X and shut it down. This has been occurring for several months. But now something new happened.

Exactly the same as described above except that the browser address is now "about:blank#section5" and the body contains "blank#section5" - this is the first time that this has occurred.

The other page that I described above is also still on the system.

Below is the HijackThis 199 log. I do not see any references to either of these problems in this log. An analysis by www.hijackthis.de shows no references to either of the problems.

I've tried most of the programs that advertise that they can solve this problem but all I've got as a result is frustration.

Any help would be most appreciated. This one is driving me nuts.

Logfile of HijackThis v1.99.1
Scan saved at 4:04:16 PM, on 3/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Herb\Desktop\hijackthis 1.99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.iomegareg.....50 &CTRY=USA
N3 - Netscape 7: user_pref("browser.startup.homepage", "http:/my.yahoo.com/"); (C:\Documents and Settings\Herb\Application Data\Mozilla\Profiles\default\57v7egj0.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\Documents and Settings\Herb\Application Data\Mozilla\Profiles\default\57v7egj0.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Check for OneTouch Updates.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ppctlcab - http://69.44.122.156...er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{D982DAFA-00C5-4A7A-B24E-485FFCFEE50C}: NameServer = 207.69.188.185 207.69.188.186
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
#2
njustice

Hello and welcome to GTG!
We are sorry for the late reply,
If you’re still looking to resolve this issue, please run through the steps outlined in this Topic.

Post back a fresh HijackThis log when done.

If you have resolved this issue please let us know,
Thank you and again sorry for the late reply.

#3
DigitalHerb

Sorry for the delay and thanks for responding.
I ran all of the programs with the following results:
Ad-Aware se - nothing found

CW Shredder - nothing found

Spybot S&D - found & removed "MYSOFT" (kazaa item)

AV - used NOD32 - found nothing (this is my regular AV program)

Trend Housecall - unable to run / java problem / tried twice w/same result

Panda Activescan - works only w/IE - I use Firefox 1.0.2

CounterSpy - found & removed "com.com" cookie (this is my regular spyware)

TDS-3 - showed 12 items but I didn't do anything with them (except print the results) because I didn't know what to do with them.

HijackThis log follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:45:38 PM, on 4/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\PrintKey-Pro\PKey_Pro.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\DOCUME~1\Herb\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.iomegareg.....50 &CTRY=USA
N3 - Netscape 7: user_pref("browser.startup.homepage", "http:/my.yahoo.com/"); (C:\Documents and Settings\Herb\Application Data\Mozilla\Profiles\default\57v7egj0.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\Documents and Settings\Herb\Application Data\Mozilla\Profiles\default\57v7egj0.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [fontnav] "A:\Bitstream Font Navigator\FontNav.exe" *1
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - Startup: PrintKey-Pro.lnk = C:\Program Files\PrintKey-Pro\PKey_Pro.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ppctlcab - http://69.44.122.156...er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

I want to stress that about:blank is not hijacking my browser. It acts as follows:
I open Eudora and retrieve my email.
Sometimes, but not always, when I click on a hyperlink in an email message, instead of opening my Firefox browser it first opens a blank Internet Explorer screen and shows an address of about:blank (or a variant of that - see first message). Immediately after opening the IE screen Firefox opens and the URL from the email hyperlink is activated. The IE screen just sits in the background doing nothing. It doesn't seem to cause any problem but it sure is a pain to close all the time. Also, I really don't want to use IE for anything - too many security holes.

Thanks for listening and your help.

#4
njustice

Hello,
Please put HiJackThis in its own permanent folder... for storing important backups!!!

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which while highlighted you can rename to "HJT". Now you have C:\HJT\ folder.
Please put your HijackThis.exe there and post a new Hijackthis log.

#5
DigitalHerb

New Log file-
Also, on previous message under TDS-3, I have the location and name of each of the 12 items that I didn't know how to handle, if you need them.
Sorry about the previous send. I think I understand now.
Thanks!!


Logfile of HijackThis v1.99.1
Scan saved at 8:33:19 PM, on 4/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\PrintKey-Pro\PKey_Pro.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.iomegareg.....50 &CTRY=USA
N3 - Netscape 7: user_pref("browser.startup.homepage", "http:/my.yahoo.com/"); (C:\Documents and Settings\Herb\Application Data\Mozilla\Profiles\default\57v7egj0.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\Documents and Settings\Herb\Application Data\Mozilla\Profiles\default\57v7egj0.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fontnav] "A:\Bitstream Font Navigator\FontNav.exe" *1
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - Startup: PrintKey-Pro.lnk = C:\Program Files\PrintKey-Pro\PKey_Pro.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ppctlcab - http://69.44.122.156...er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

#6
njustice

Hello DigitalHerb, your log is clean. On doing some searching I found a few topics at Eudora Forums? where other users are experiencing the same symptoms. One member suggested to:

Go tools\options\viewing mail

Turn off allow Executables in HTML content

You may want to post your problem over there and someone I'm sure can help with this problem better than I. Good luck and thanks for using our forums for your spyware issues.

P.S. if you want to post the "location and name of each of the 12 items" from TDS-3 scan I'll be glad to take a look.
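
The logs posted in this thread differ by only a few entries, which are easy to miss when reading them side by side. The sketch below is an added example, not part of the original thread and not part of HijackThis: it diffs two logs by entry line and by running process, and pairs entries whose CLSID stayed the same while the rest changed. The two sample logs are short excerpts constructed from the 3/23 and 4/12 logs above, and all function names are illustrative.

```python
import re

# Entry lines start with a section code (R, F, N or O plus a number) then " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_entries(log_text):
    """Set of (section, detail) pairs with whitespace normalised."""
    entries = set()
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.add((m.group(1), " ".join(m.group(2).split())))
    return entries

def parse_processes(log_text):
    """Lower-cased paths listed under 'Running processes:'."""
    procs, in_block = set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block and not line:
            break  # the first blank line ends the process list
        elif in_block and not line.lower().endswith("\\hijackthis.exe"):
            procs.add(line.lower())  # the scanner's own path is noise
    return procs

def diff_logs(old_text, new_text):
    """What appeared and disappeared between two scans."""
    old_e, new_e = parse_entries(old_text), parse_entries(new_text)
    old_p, new_p = parse_processes(old_text), parse_processes(new_text)
    return {
        "entries_added": sorted(new_e - old_e),
        "entries_removed": sorted(old_e - new_e),
        "processes_added": sorted(new_p - old_p),
        "processes_removed": sorted(old_p - new_p),
    }

def changed_entries(diff):
    """Pair removed/added entries that share a section and a CLSID."""
    def key(entry):
        m = CLSID_RE.search(entry[1])
        return (entry[0], m.group(0).upper()) if m else None
    removed = {key(e): e for e in diff["entries_removed"] if key(e)}
    return [(removed[key(e)], e) for e in diff["entries_added"] if key(e) in removed]

# Constructed excerpt of the 3/23/2005 log in this thread.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Documents and Settings\Herb\Desktop\hijackthis 1.99\HijackThis.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D982DAFA-00C5-4A7A-B24E-485FFCFEE50C}: NameServer = 207.69.188.185 207.69.188.186
"""

# Constructed excerpt of the 4/12/2005 (8:33 PM) log in this thread.
NEW_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Eset\nod32krn.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://*.windowsupdate.com
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
"""

if __name__ == "__main__":
    result = diff_logs(OLD_LOG, NEW_LOG)
    for name, items in result.items():
        print(name, *items, sep="\n  ")
    print("changed", *changed_entries(result), sep="\n  ")
```

An added or removed line only marks where the two scans differ; each one still has to be judged on its own.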

#7
DigitalHerb

Hello again, njustice -
The Eudora item mentioned was already turned off. No help there.

Below are the log items from the TDS-3 run. They don't mean much to me so I appreciate your taking the time to look them over. All suggestions are welcome.
The column headings are those shown in the program.
Thanks again for your help.


ALARM NAME FILE (shown on 2nd line of each entry)

NTFS Alternate Data Stream ADS Hidden Stream Detected 493 bytes
c:\documents & settings\all users\application data\symantec\hpc:1780292171

Suspicious Filename Dual extensions
c:\documents & settings\herb\desktop\dvd program & guides\setupdvddecryptr_3.5.2.0.exe

Positive identification Riskware.ProcessRestart
c:\program files\kodak\kodak software updater\7288971\6.3.2.62-7288971\program\restart.exe

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0101947.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0101948.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0101949.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0102147.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0102148.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0102149.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0104616.hta

Positive identification Adware Catalog.a
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0104630.exe

Positive identification Adware Catalog.a
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0104632.exe

#8
njustice

I believe this is where Norton stores the live update information :

NTFS Alternate Data Stream ADS Hidden Stream Detected 493 bytes
c:\documents & settings\all users\application data\symantec\hpc:1780292171

===============


Cannot find any info on these:

You can go HERE and browse to each file and Submit for analysis.

Suspicious Filename Dual extensions
c:\documents & settings\herb\desktop\dvd program & guides\setupdvddecryptr_3.5.2.0.exe

Positive identification Riskware.ProcessRestart
c:\program files\kodak\kodak software updater\7288971\6.3.2.62-7288971\program\restart.exe

===============


These here are in your System Restore:

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. Go back and uncheck the box for Turn off System Restore and create a new restore point.

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0101947.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0101948.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0101949.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0102147.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0102148.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0102149.hta

Suspicious Filename HTA file in suspicious location
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0104616.hta

Positive identification Adware Catalog.a
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0104630.exe

Positive identification Adware Catalog.a
c:\system volume information\_restore{b37680b2-baOa-4e5d-bf30-83e44c588624}a0104632.exe
