Cyber Tech Help Support Forums > Software > Malware Removal
#16  golfo (Member, Spain), April 23rd, 2004, 10:44 PM
OK, I'll tell you again the whole way I asked you to go:

Start > Run > type "regedit" > OK

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

There in Windows you have, on the right side of the window, a file called AppInit_DLLs.

Right-click on it and choose the second one from the top, "Modify Binary Data".

Now it opens a window in which you might see the numbers.
#17  JustMe602 (New Member), April 23rd, 2004, 11:09 PM
Nope.

Okay, here is a screenshot of my Start menu; sorry for the poor quality...
#18  golfo (Member, Spain), April 24th, 2004, 12:05 AM
Sorry, this link doesn't open.
#19  golfo (Member, Spain), April 24th, 2004, 12:26 AM
Sorry, here it's 1:30 am and I need some sleep.

Previously you posted
res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%64%63%6e%6f%2e%64%6c%6c/

That's hexadecimal code and means
C:\WINNT\System32\dcno.dll
Try to open that file in Notepad and look at what it is;
it might be the HTML code of an unwanted page.
Tomorrow I want to try to get in contact with you again.
Try to find a way to look into your registry.
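The decoding golfo describes above, as an added example that is not part of the original post: a small Python helper that percent-decodes an obfuscated res:// value, splits it into the module path and the embedded resource name, and checks whether the module sits in System32, where the about:blank variants in this thread drop their DLL. The regular expression and the function names are assumptions of this example, not HijackThis's own parser; the two sample values are the res:// strings quoted in the thread.

```python
import re
from urllib.parse import unquote

# Constructed samples: the two res:// values quoted in this thread.  The first
# is the percent-encoded one from golfo's post (forum line wrap removed), the
# second is the form HijackThis shows after it has already decoded the value.
OBFUSCATED = "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%64%63%6e%6f%2e%64%6c%6c/"
PLAIN = "res://C:\\WINNT\\System32\\ipfpaaa.dll/sp.html"

# res://<module path>/<resource name>: the res: protocol renders an HTML
# resource embedded in a PE file, so the "search page" is really a DLL.
# (This regex is an assumption of the example, not HijackThis's parser.)
RES_RE = re.compile(
    r"^res://(?P<module>.+?\.(?:dll|exe|ocx))(?:/(?P<resource>.*))?$",
    re.IGNORECASE,
)


def decode_res_url(value):
    """Return (module_path, resource_name, was_obfuscated) for a res:// value,
    or None if the value is not a res:// URL that points at a module."""
    was_obfuscated = "%" in value
    decoded = unquote(value) if was_obfuscated else value
    m = RES_RE.match(decoded)
    if not m:
        return None
    return m.group("module"), m.group("resource") or "", was_obfuscated


def points_into_system32(module_path):
    """True when the module sits directly in a System32 directory, where the
    about:blank variants in this thread drop their randomly named DLL."""
    parts = module_path.replace("/", "\\").lower().split("\\")
    return len(parts) >= 3 and parts[-2] == "system32"


if __name__ == "__main__":
    for value in (OBFUSCATED, PLAIN):
        module, resource, obf = decode_res_url(value)
        print(f"{module!r:45} resource={resource!r:10} obfuscated={obf} "
              f"system32={points_into_system32(module)}")
```

Because the registry stores the value percent-encoded, a plain search of the registry for "dcno.dll" or "ipfpaaa.dll" finds nothing; decoding first is what turns the opaque R1 value into a file you can go and look at.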
#20  AnnMarie (CTH Subscriber, New Zealand), April 24th, 2004, 05:42 AM
Hi JustMe602 - since I last posted in this thread, we have discovered that Hijack This does not delete the file associated with the BHO as it has in the past and this is why this parasite keeps re-appearing. Also, each time you reboot, the file morphs so it can be difficult to find. I can see that you do not feel comfortable working in your registry so we can try with Hijack This again if you wish. Post a new log but this time, try not to reboot until after I have replied.
#21  AnnMarie (CTH Subscriber, New Zealand), April 24th, 2004, 11:53 PM
CWShredder has just been updated to remove new variants of this parasite. Go here and download and run CWShredder (close IE first and click on Fix). Reboot afterwards and post back a new Hijack This log. Also let us know if you still have a problem.
#22  JustMe602 (New Member), April 25th, 2004, 05:48 PM
No hope...

Okay, I have posted a new log. I did as instructed: I downloaded the newest version of Shredder, ran Fix and then ran HijackThis, and this is the latest log. I presume you will ask me to remove the sp.html (obfuscated) related lines and then ipfpaaa.dll; I will wait to hear. I have also, hopefully, posted a link that will work with a screenshot of my startup menu.

http://f2.pg.photos.yahoo.com/ph/bio...&.dnm=9180.jpg

Well, again, I thank you for all the input on this matter....

JustMe.

Logfile of HijackThis v1.97.7
Scan saved at 9:34:42 AM, on 4/25/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\Altiris\CARBON~1\shellker.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Command Software\Command AntiVirus\dvpinit.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\goff.exe
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\sdewey\My Documents\shredder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 199.231.129.165 www.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 reports.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 fclaw.com # Necessary to access FTP site since AD Domain is fclaw.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\DOCUME~1\sdewey\LOCALS~1\Temp\WorkShare Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B0695D2-3EBB-4171-91A3-EDB59041D785} - C:\WINNT\System32\ipfpaaa.dll
O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [cuagentExe] C:\PROGRA~1\COMMAN~1\COMMAN~1\cuagent.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [DesktopAuthority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Kernel.] C:\WINNT\goff.exe
O4 - Startup: BHO Cop.lnk = C:\Program Files\BHOCop\BHOCop.exe
O4 - Startup: Calculator.lnk = C:\WINNT\system32\calc.exe
O4 - Startup: Procomm Plus.lnk = C:\Program Files\Procomm Plus\programs\PW4.EXE
O4 - Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O4 - Global Startup: MCategory.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...040.5323842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D6A6A09C-C43C-4BCC-90B0-349B71239328} (AXfco Control) - http://workflow.fclaw.com/AXfco.cab
O16 - DPF: {D6FB2DA3-A767-4D27-9926-B5F0528B0A08} (UAttach Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {DA018E54-7561-4AB5-A893-A3388C0F511C} (UltSignature Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {E09150AF-9388-450B-8098-0B4F6BBE1419} (Ultimus) - http://workflow.fclaw.com/UltAxClientMin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fclaw.com
#23  AnnMarie (CTH Subscriber, New Zealand), April 26th, 2004, 12:29 AM
Hi JustMe602 - Close IE and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {6B0695D2-3EBB-4171-91A3-EDB59041D785} - C:\WINNT\System32\ipfpaaa.dll

O4 - HKLM\..\Run: [Kernel.] C:\WINNT\goff.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts), make sure that you can view hidden files and folders, and run a search for and delete the files listed below.

C:\WINNT\System32\ipfpaaa.dll
C:\WINNT\goff.exe

Reboot. If you have restarted your PC since posting your log, the filename will have changed. You will notice in the R1 and O2 entries, the filename is the same (ipfpaaa.dll). You will have to fix the R1 entries and O2 entry again and then delete the new dll in Safe Mode. If you are not sure what to do, post back and we will help you. Post back a new Hijack This log anyway.

Re no Run box: I don't know about Win2K, but showing this is an option in WinXP. Right-click on your Start button and choose Properties > Start Menu > Customize or Adjust > Advanced. Is there a check box for Run? If so, check it and reboot. If not, what happens when you press the Win key + R?
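AnnMarie's fix list above follows a pattern that can be checked mechanically against the log: the R0/R1 search entries name a DLL, the O2 BHO entry names the same DLL (which is why the filename matches across both), and the Run entry that launches an executable dropped straight into C:\WINNT is the loader. The following Python is an added example, not part of the original post or of HijackThis; it parses a constructed excerpt of the log posted earlier in the thread and returns the entries matching those three patterns. The Windows-directory rule for O4 entries and all function names are assumptions of this example. O6 policy entries are returned separately for review rather than as fixes, because on a domain-joined machine such as this one they may be set by Group Policy and would simply be reapplied.

```python
import re

# Constructed excerpt of the HijackThis log posted earlier in this thread;
# only the entries needed to show the correlation are kept.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B0695D2-3EBB-4171-91A3-EDB59041D785} - C:\WINNT\System32\ipfpaaa.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Kernel.] C:\WINNT\goff.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

RES_DLL_RE = re.compile(r"res://(.+?\.dll)", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_RUN_RE = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] "?([A-Za-z]:\\.+?\.exe)',
                       re.IGNORECASE)

# Assumption of this example: an executable launched from the Windows
# directory itself (not a subdirectory) is treated as the dropper, as goff.exe
# was in this thread.  Real triage would also check signatures and hashes.
WINDOWS_DIRS = {"c:\\winnt", "c:\\windows"}


def triage(log_text):
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    r_lines = [l for l in lines if l.startswith(("R0 - ", "R1 - "))]

    # 1. Search-page hijack: R0/R1 values that render HTML out of a DLL, plus
    #    the about:blank placeholder the same infection leaves behind.
    dlls = set()
    for l in r_lines:
        m = RES_DLL_RE.search(l)
        if m:
            dlls.add(m.group(1).lower())
    fix = [l for l in r_lines if RES_DLL_RE.search(l) or l.endswith("= about:blank")]

    # 2. The BHO that rewrites those values on every IE start: the O2 entry
    #    whose module is the very same DLL.  HijackThis removes the
    #    registration but not the file, which is why it keeps coming back.
    for l in lines:
        m = O2_RE.match(l)
        if m and m.group(1).lower() in dlls:
            fix.append(l)

    # 3. Loader: a Run entry pointing at an exe dropped straight into C:\WINNT.
    for l in lines:
        m = O4_RUN_RE.match(l)
        if m and m.group(1).rsplit("\\", 1)[0].lower() in WINDOWS_DIRS:
            fix.append(l)

    # 4. IE policy restrictions: fixed in the thread, but on a domain-joined
    #    box they may be Group Policy, so report them separately.
    review = [l for l in lines if l.startswith("O6 - ")]
    return {"dlls": sorted(dlls), "fix": fix, "review": review}


if __name__ == "__main__":
    result = triage(HJT_LOG)
    print("hijacker module(s):", result["dlls"])
    print("\n".join("FIX    " + l for l in result["fix"]))
    print("\n".join("REVIEW " + l for l in result["review"]))
```

Run against the full log from the previous post, the only module the R-entries name is ipfpaaa.dll, the only O2 entry with that module is the {6B0695D2-...} BHO, and the only Run entry launching from C:\WINNT itself is [Kernel.] goff.exe; SDHelper.dll, hkcmd.exe and WinVNC.exe are left alone. Because the DLL is renamed on each reboot, the point of correlating by module path rather than by a fixed name is that the same script still pairs up the R1 and O2 entries in the next log.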
#24  JustMe602 (New Member), April 28th, 2004, 03:58 PM
Okay, did as instructed...

The system admin doesn't give us peons the access rights to the Run command, I found out; that's why I don't have access rights, or that's why it is not in the Windows Start button.... Well, here is the log from my most recent attempt to rectify this situation.

Logfile of HijackThis v1.97.7
Scan saved at 7:57:10 AM, on 4/28/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\Altiris\CARBON~1\shellker.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Command Software\Command AntiVirus\dvpinit.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\calc.exe
C:\Program Files\Procomm Plus\programs\PW4.EXE
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\sdewey\My Documents\shredder\HijackThis.exe
O1 - Hosts: 199.231.129.165 www.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 reports.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 fclaw.com # Necessary to access FTP site since AD Domain is fclaw.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\DOCUME~1\sdewey\LOCALS~1\Temp\WorkShare Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [cuagentExe] C:\PROGRA~1\COMMAN~1\COMMAN~1\cuagent.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [DesktopAuthority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - Startup: BHO Cop.lnk = C:\Program Files\BHOCop\BHOCop.exe
O4 - Startup: Calculator.lnk = C:\WINNT\system32\calc.exe
O4 - Startup: Procomm Plus.lnk = C:\Program Files\Procomm Plus\programs\PW4.EXE
O4 - Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O4 - Global Startup: MCategory.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...040.5323842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D6A6A09C-C43C-4BCC-90B0-349B71239328} (AXfco Control) - http://workflow.fclaw.com/AXfco.cab
O16 - DPF: {D6FB2DA3-A767-4D27-9926-B5F0528B0A08} (UAttach Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {DA018E54-7561-4AB5-A893-A3388C0F511C} (UltSignature Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {E09150AF-9388-450B-8098-0B4F6BBE1419} (Ultimus) - http://workflow.fclaw.com/UltAxClientMin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fclaw.com
#25  Meangean (Senior Member, U.S.A.), April 28th, 2004, 10:03 PM
What are these?

O1 - Hosts: 199.231.129.165 www.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 reports.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 fclaw.com # Necessary to access FTP site since AD Domain is fclaw.com

Do you know???
#26  AnnMarie (CTH Subscriber, New Zealand), April 29th, 2004, 12:22 AM
Please read the thread, Meangean. That question was asked quite some posts ago.

That's a clean log JustMe602. What method did you use to resolve the issue and have you had any further problems?
#27  JustMe602 (New Member), April 29th, 2004, 12:33 AM
Well, that worked for about... oh, an hour or so...

I didn't get too excited about it, and for good reason. For about an hour or so I was able to log in and out of IE without having to worry about it; however, to no avail, it still keeps coming back.....
#28  AnnMarie (CTH Subscriber, New Zealand), April 29th, 2004, 12:49 AM
Darn, I was hoping that the updated version of CWShredder would get rid of the problem.

Go here and download pv.zip. Extract the folder to the desktop and open it up.

Make sure that you have at least one Internet Explorer window open. Double click on the runme.bat and Type 1 for explorer dll's. Hit return. Notepad will open with a log in it. Please copy and paste the log into this post.
#29  JustMe602 (New Member), April 30th, 2004, 01:28 AM
Okay....

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 400000 253952 C:\WINNT\Explorer.EXE 5.00.3502.5321 Windows Explorer
ntdll.dll 77f80000 499712 C:\WINNT\system32\ntdll.dll 5.00.2195.6685 NT Layer DLL
ADVAPI32.DLL 77db0000 380928 C:\WINNT\system32\ADVAPI32.DLL 5.00.2195.5385 Advanced Windows 32 Base API
KERNEL32.DLL 77e80000 745472 C:\WINNT\system32\KERNEL32.DLL 5.00.2195.5400 Windows NT BASE API Client DLL
RPCRT4.DLL 77d30000 450560 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6802 Remote Procedure Call Runtime
GDI32.DLL 77f40000 245760 C:\WINNT\system32\GDI32.DLL 5.00.2195.5252 GDI Client DLL
USER32.DLL 77e10000 413696 C:\WINNT\system32\USER32.DLL 5.00.2195.4314 Windows 2000 USER API Client DLL
SHLWAPI.DLL 70bd0000 413696 C:\WINNT\system32\SHLWAPI.DLL 6.00.2800.1106 Shell Light-weight Utility Library
msvcrt.dll 78000000 286720 C:\WINNT\system32\msvcrt.dll 6.10.9359.0 Microsoft (R) C Runtime Library
COMCTL32.DLL 71710000 540672 C:\WINNT\system32\COMCTL32.DLL 5.81 Common Controls Library
shim.dll 732e0000 151552 C:\WINNT\System32\shim.dll 5.00.2195.5308 Shim Engine DLL
AcLayers.DLL 23000000 352256 C:\WINNT\AppPatch\AcLayers.DLL 5.00.2195.5308 Windows 2000 Shim Accessory DLL
hlpiigf.dll 61c00000 61440 c:\winnt\system32\hlpiigf.dll
SHELL32.dll 782f0000 2383872 C:\WINNT\system32\SHELL32.dll 5.00.3502.5436 Windows Shell Common Dll
OLE32.DLL 77a50000 966656 C:\WINNT\system32\OLE32.DLL 5.00.2195.6810 Microsoft OLE for Windows
CLBCATQ.DLL 775a0000 544768 C:\WINNT\System32\CLBCATQ.DLL 2000.2.3497.0
OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4518
cscui.dll 77840000 249856 C:\WINNT\System32\cscui.dll 5.00.2195.4104 Client Side Caching UI
CSCDLL.DLL 770c0000 143360 C:\WINNT\System32\CSCDLL.DLL 5.00.2195.5434 Offline Network Agent
SHDOCVW.DLL 71000000 1347584 C:\WINNT\System32\SHDOCVW.DLL 6.00.2800.1106 Shell Doc Object and Control Library
browseui.dll 71160000 1036288 C:\WINNT\System32\browseui.dll 6.00.2800.1106 Shell Browser UI Library
USERENV.DLL 77c10000 385024 C:\WINNT\System32\USERENV.DLL 5.00.2195.5425 Userenv
WININET.dll 70200000 610304 C:\WINNT\system32\WININET.dll 6.00.2800.1106 Internet Extensions for Win32
CRYPT32.dll 77440000 487424 C:\WINNT\system32\CRYPT32.dll 5.131.2195.4558 Crypto API32
MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6823 ASN.1 Runtime APIs
mydocs.dll 76df0000 69632 C:\WINNT\System32\mydocs.dll 5.00.3315.4065 My Documents Folder UI
ntshrui.dll 76fa0000 61440 C:\WINNT\System32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
ATL.DLL 773e0000 86016 C:\WINNT\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
NETAPI32.DLL 75170000 323584 C:\WINNT\System32\NETAPI32.DLL 5.00.2195.5427 Net Win32 API DLL
SECUR32.DLL 77be0000 61440 C:\WINNT\System32\SECUR32.DLL 5.00.2195.4587 Security Support Provider Interface
NETRAP.DLL 751c0000 24576 C:\WINNT\System32\NETRAP.DLL 5.00.2134.1 Net Remote Admin Protocol DLL
SAMLIB.DLL 75150000 65536 C:\WINNT\System32\SAMLIB.DLL 5.00.2195.4827 SAM Library DLL
WS2_32.DLL 75030000 77824 C:\WINNT\System32\WS2_32.DLL 5.00.2195.4874 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\System32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
WLDAP32.DLL 77950000 172032 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.5400 Win32 LDAP API DLL
DNSAPI.DLL 77980000 147456 C:\WINNT\System32\DNSAPI.DLL 5.00.2195.5354 DNS Client API DLL
WSOCK32.DLL 75050000 32768 C:\WINNT\System32\WSOCK32.DLL 5.00.2195.4874 Windows Socket 32-Bit DLL
CRTDLL.DLL 74fa0000 159744 C:\WINNT\System32\CRTDLL.DLL 4.00 Microsoft C Runtime Library
MPR.DLL 76620000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.3649 Multiple Provider Router DLL
ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2195.5428 Microsoft® Lan Manager
NETUI0.DLL 75210000 86016 C:\WINNT\System32\NETUI0.DLL 5.00.2195.4874 NT LM UI Common Code - GUI Classes
NETUI1.DLL 751d0000 229376 C:\WINNT\System32\NETUI1.DLL 5.00.2134.1 NT LM UI Common Code - Networking classes
NETSHELL.dll 76f20000 479232 C:\WINNT\system32\NETSHELL.dll 5.00.2195.5431 Network Connections Shell
stobject.dll 766d0000 98304 C:\WINNT\System32\stobject.dll 5.00.2195.4455 Systray shell service object
BATMETER.DLL 76740000 32768 C:\WINNT\System32\BATMETER.DLL 5.00.3502.5305 Battery Meter Helper DLL
SETUPAPI.DLL 77880000 577536 C:\WINNT\System32\SETUPAPI.DLL 5.00.2195.5400 Windows Setup API
POWRPROF.DLL 766f0000 28672 C:\WINNT\System32\POWRPROF.DLL 5.00.3502.5305 Power Profile Helper DLL
WINMM.DLL 77570000 196608 C:\WINNT\System32\WINMM.DLL 5.00.2161.1 MCI API DLL
webcheck.dll 70340000 266240 C:\WINNT\System32\webcheck.dll 6.00.2800.1106 Web Site Monitor
MSI.DLL 770f0000 2084864 C:\WINNT\System32\MSI.DLL 2.0.2600.1 Windows Installer
wdmaud.drv 77560000 36864 C:\WINNT\System32\wdmaud.drv 5.00.2195.3649 WDM Audio driver mapper
LINKINFO.DLL 76710000 36864 C:\WINNT\System32\LINKINFO.DLL 5.00.2134.1 Windows Volume Tracking
msacm32.drv 77400000 32768 C:\WINNT\System32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
MSACM32.dll 77410000 77824 C:\WINNT\System32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
SLAgent.dll 10000000 53248 C:\DOCUME~1\sdewey\LOCALS~1\Temp\SLAgent.dll 5, 5, 0, 0 SLAgentDll Dynamic Link Library
CfgMgr32.dll 770b0000 28672 C:\WINNT\System32\CfgMgr32.dll 5.00.2134.1 Configuration Manager Forwarder DLL
docprop2.dll 71f00000 315392 C:\WINNT\System32\docprop2.dll 5.00.2178.1 DocProp2
MSVFW32.DLL 6a8f0000 131072 C:\WINNT\System32\MSVFW32.DLL 5.00.2134.1 Microsoft Video for Windows DLL
AVIFIL32.DLL 74870000 90112 C:\WINNT\System32\AVIFIL32.DLL 5.00.2134.1 Microsoft AVI File support library
faxshell.dll 70020000 20480 C:\WINNT\system32\faxshell.dll 5.00.2134.1 Fax Tiff Data Column Provider
shdoclc.dll 718c0000 540672 C:\WINNT\System32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
actxprxy.dll 703d0000 110592 C:\WINNT\System32\actxprxy.dll 6.00.2800.1106 ActiveX Interface Marshaling Library
browselc.dll 71960000 73728 C:\WINNT\System32\browselc.dll 6.00.2800.1106 Shell Browser UI Library
version.dll 77820000 28672 C:\WINNT\system32\version.dll 5.00.2134.1 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2134.1 LZ Expand/Compress API DLL
clreg.dll 28b0000 126976 C:\Program Files\West Group\Common\clreg.dll 2.2.0.1 WestCiteLink Registry
urlmon.dll 702b0000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1106 OLE32 Extensions for Win32
RASAPI32.DLL 774e0000 204800 C:\WINNT\System32\RASAPI32.DLL 5.00.2195.5438 Remote Access API
RASMAN.DLL 774c0000 69632 C:\WINNT\System32\RASMAN.DLL 5.00.2195.5292 Remote Access Connection Manager
TAPI32.DLL 77530000 139264 C:\WINNT\System32\TAPI32.DLL 5.00.2182.1 Microsoft® Windows(TM) Telephony API Client DLL
RTUTILS.DLL 77830000 57344 C:\WINNT\System32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
sensapi.dll 75ab0000 20480 C:\WINNT\System32\sensapi.dll 5.00.2163.1 SENS Connectivity API DLL
WZSHLSTB.DLL 16200000 24576 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL 4.1 (32-bit) WinZip Shell Extension DLL
MSONSEXT.DLL 379b0000 573440 C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
ycomp5_3_16_0.dll 68000000 315392 C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll 2004, 2, 9, 1 Yahoo! Companion 5.3 for Internet Explorer
AcroIEHelper.ocx 47b0000 32768 C:\DOCUME~1\sdewey\LOCALS~1\Temp\WorkShare Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
ljpkpf.dll 4800000 53248 C:\WINNT\System32\ljpkpf.dll
SDHelper.dll 4810000 733184 C:\PROGRA~1\SPYBOT~1\SDHelper.dll
olepro32.dll 695e0000 167936 C:\WINNT\System32\olepro32.dll 5.0.4518
clie.dll 4df0000 237568 C:\Program Files\West Group\CiteLink\clie\clie.dll 2.2.0.1 WestCiteLink for Microsoft Internet Explorer
MFC42.DLL 103a0000 991232 C:\WINNT\System32\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
MSVCP60.dll 780c0000 397312 C:\WINNT\System32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
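The point of the PV listing is to spot modules loaded into Explorer that do not belong there. In the log above, hlpiigf.dll and ljpkpf.dll are the only modules under System32 with no version number or description after the path, and their names are random letters. As an added example that is not part of the original post or of the PV tool, the following Python parses a constructed excerpt of that listing and flags exactly those rows. The row regex, the System32-and-no-version rule and the random-name check are heuristics of this example; a legitimately unversioned DLL in System32 would be flagged too, so treat the output as a shortlist to look up, not a verdict.

```python
import re

# Constructed excerpt of the PV "explorer dll's" listing posted above
# (nine rows copied from it; the real listing is several dozen modules).
PV_LOG = r"""
Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 400000 253952 C:\WINNT\Explorer.EXE 5.00.3502.5321 Windows Explorer
ntdll.dll 77f80000 499712 C:\WINNT\system32\ntdll.dll 5.00.2195.6685 NT Layer DLL
hlpiigf.dll 61c00000 61440 c:\winnt\system32\hlpiigf.dll
CLBCATQ.DLL 775a0000 544768 C:\WINNT\System32\CLBCATQ.DLL 2000.2.3497.0
clreg.dll 28b0000 126976 C:\Program Files\West Group\Common\clreg.dll 2.2.0.1 WestCiteLink Registry
MSONSEXT.DLL 379b0000 573440 C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
ycomp5_3_16_0.dll 68000000 315392 C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll 2004, 2, 9, 1 Yahoo! Companion 5.3 for Internet Explorer
ljpkpf.dll 4800000 53248 C:\WINNT\System32\ljpkpf.dll
SDHelper.dll 4810000 733184 C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

# One PV row: name, load address (hex), size, path, then whatever the file's
# version resource supplied (version string and description), if anything.
# The row regex is an assumption of this example; PV's output is just space
# separated, so the path is anchored on the drive letter and the extension.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<base>[0-9a-f]+)\s+(?P<size>\d+)\s+"
    r"(?P<path>[a-z]:\\.+?\.(?:dll|exe|ocx|drv))(?:\s+(?P<verinfo>.+))?$",
    re.IGNORECASE,
)
# Heuristic: the hijacker DLLs in this thread are 5 to 8 random lowercase letters.
RANDOM_NAME_RE = re.compile(r"[a-z]{5,8}\.dll")


def parse_pv(text):
    """Parse PV rows into dicts; header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({
                "name": m.group("name"),
                "base": int(m.group("base"), 16),
                "size": int(m.group("size")),
                "path": m.group("path"),
                "verinfo": (m.group("verinfo") or "").strip(),
            })
    return rows


def suspicious_modules(rows):
    """Shortlist rows loaded from a System32 directory that carry no version
    resource at all.  Returns (module name, reasons) pairs in log order."""
    out = []
    for r in rows:
        directory = r["path"].rsplit("\\", 1)[0].lower()
        if not directory.endswith("\\system32") or r["verinfo"]:
            continue
        reasons = ["loaded from System32", "no version resource"]
        if RANDOM_NAME_RE.fullmatch(r["name"].lower()):
            reasons.append("random-looking name")
        out.append((r["name"], reasons))
    return out


if __name__ == "__main__":
    for name, reasons in suspicious_modules(parse_pv(PV_LOG)):
        print(f"{name}: {', '.join(reasons)}")
```

SDHelper.dll and MSONSEXT.DLL also lack version information but live under Program Files, so the System32 condition keeps them off the list; that is deliberate, since the variant discussed here always drops into System32 and a broader "anything unversioned" rule would bury the two real hits among benign third-party modules.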
#30  mike (CTH Subscriber), May 1st, 2004, 04:48 AM
Hi justme602,

Sorry, but I need a new HJT log too, in case the file name changed from running CWShredder.
I need to see a line similar to this when about:blank is present in HJT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ipfpaaa.dll/sp.html (obfuscated)


4 things, please.

1. New HJT log (with about:blank present).
2. Download TheKillbox from: http://download.broadbandmedic.com/VbStuff/KillBox.zip
3. Download "Xfind.zip" from:
http://www10.brinkster.com/expl0iter...ast/PVtool.htm
4. New log from PV (same steps as you did before):
Make sure that you have at least one Internet Explorer window open. Double-click on the runme.bat and type 1 for explorer dll's. Hit return. Notepad will open with a log in it. Please copy and paste the log into this post.

Post back the new PV log, along with a new HJT log.

Save Killbox and Xfind in a new folder, please.
Don't do anything with them just yet.

What firewall do you have?

Cheers