
HJT - Frank C


  • This topic is locked
9 replies to this topic

#1 Frank C

Frank C

  • Members
  • 14 posts
  • OFFLINE
  • Location:Boston, MA
  • Local time:09:53 AM

Posted 14 April 2005 - 02:37 PM

Hi,

I'm getting warnings from Spybot S&D that indicate attempts to change my
browser start page to about:blank. I've run Spybot S&D, AdAware SE, also
scanned with AVG but these scans don't detect the source.

Please help by reviewing the following HJT log. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 1:06:22 PM, on 4/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C2D47BA-08C0-48CE-8296-6C11422CB265}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C2D47BA-08C0-48CE-8296-6C11422CB265}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:09:53 AM

Posted 15 April 2005 - 05:42 PM

Hello Frank C and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please proceed with the following steps in order.

Step #1

We need to disable the TeaTimer program or it can interfere with the fixes we need to perform:
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
  • Restart your computer.
Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

Download CleanUp! and install it. Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #4

We need to re-enable the TeaTimer program:
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Check "Resident TeaTimer" and OK any prompts
  • Restart your computer.
Step #5

OK. Once you have rebooted start HijackThis and perform a new scan. Post your new log file back here along with details of any problems you encountered performing the above steps using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Frank C

Frank C
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Location:Boston, MA
  • Local time:09:53 AM

Posted 16 April 2005 - 01:52 AM

Greetings OT,

Thanks for your help!

Please note that prior to receiving your post I'd already used HJT to delete
the 2 registry keys that you mentioned. I did follow all of your instructions to
the letter and see that all 3 items of concern have now been eliminated.

Note also that I am using a second "Browser settings monitor" in addition to
Tea-Timer. It's Intermute's "SpySubtract Pro" (The company that took over
CWShredder from Merijn). I left this enabled when I disabled Tea-Timer.

I also investigated www.dcsresearch and understand that the entry was a result
of my having demo'd a Trojan monitor called TDS-3 from Diamond Computer
Systems. They lost their domain name and planted the entry as a redirect to
their site. This was unwise and perhaps unethical but not malicious. I deleted the
entry from them as you instructed.

After following your instructions I observed that SpyBot S&D and Intermute's
SpySubtract are still sending me frequent warnings that something is attempting
to hi-jack my browser to about:blank.

I'm not getting hi-jacked because the warnings allow me to deny the
attempted change to the registry, but there is some malware in
there somewhere, that's still making the attempt.

Apologies for being so verbose. Thanks again. What next?


Logfile of HijackThis v1.99.1
Scan saved at 2:00:16 AM, on 4/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Documents and Settings\Administrator\Desktop\Utility\HJThis\HijackThis 1.99.1 Apr 05.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
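
The before/after check described in this post (confirming that the items selected for "Fix Checked" are gone from the new scan) can be done mechanically. The following Python is an added example, not part of the original thread or of HijackThis; `BEFORE` and `AFTER` are lines excerpted from the two scans posted above, and the function names and report layout are assumptions of the example.

```python
"""Compare two HijackThis scans and verify a "Fix Checked" list (added example)."""
import re
from collections import Counter

# Lines excerpted from the 4/14/2005 and 4/16/2005 scans posted in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:06:22 PM, on 4/14/2005

Running processes:
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C2D47BA-08C0-48CE-8296-6C11422CB265}: NameServer = 207.69.188.187 207.69.188.186
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:00:16 AM, on 4/16/2005

Running processes:
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# The three entries the helper asked to select in Step #2.
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank",
    r"O1 - Hosts: 64.91.255.87 www.dcsresearch.com",
]

# A scan entry is a section code (R0, O4, O23, ...) followed by " - " and details.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def _norm(text):
    """Collapse whitespace and ignore case: Windows paths and registry
    names are case-insensitive, and the logs mix System32/system32."""
    return " ".join(text.split()).casefold()


def parse_hjt(log_text):
    """Return (processes, entries): a Counter of normalized process paths
    and a dict mapping each normalized entry to the line as it was logged."""
    processes, entries, in_procs = Counter(), {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            in_procs = False
            entries[_norm(line)] = line
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes[_norm(line)] += 1
    return processes, entries


def compare_scans(before, after, fix_list):
    """Diff two scans and split removed entries into requested/unrequested."""
    b_procs, b_entries = parse_hjt(before)
    a_procs, a_entries = parse_hjt(after)
    wanted = {_norm(item) for item in fix_list}
    removed = [key for key in b_entries if key not in a_entries]
    return {
        # Entries on the fix list that the new scan still shows.
        "still_present": [i for i in fix_list if _norm(i) in a_entries],
        "fixed": [b_entries[k] for k in removed if k in wanted],
        # Entries that disappeared although nobody asked for them to be fixed.
        "removed_unrequested": [b_entries[k] for k in removed if k not in wanted],
        "new_entries": [a_entries[k] for k in a_entries if k not in b_entries],
        # Process paths are reported lower-cased (normalized form).
        "processes_gone": sorted(b_procs - a_procs),
        "processes_new": sorted(a_procs - b_procs),
    }


if __name__ == "__main__":
    for name, items in compare_scans(BEFORE, AFTER, FIX_LIST).items():
        print(f"{name}:")
        for item in items:
            print(f"    {item}")
```

On the excerpt, all three requested entries show as fixed, and the O17 NameServer line is reported as removed without having been on the fix list.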

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:09:53 AM

Posted 16 April 2005 - 12:48 PM

Hi Frank C. Does the message you are receiving give you any more detail regarding what application (or website) is trying to change the settings? Also, does the message say what it is trying to change (the home page, the search assistant etc).

Post back with as much detail as you can. It might be that those settings are stored in one of the registry protection programs that you are using and that program has become "stuck" and is trying to replace them.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 Frank C

Frank C
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Location:Boston, MA
  • Local time:09:53 AM

Posted 16 April 2005 - 02:51 PM

Greetings OT,

I tried to take a screenshot of the warnings that SpyBot and SpySubtract
have been sending to me but I could not paste them into this message. I'm
a newbie when it comes to such editing. However, the warnings are rather basic,
i.e., not much detail.

SpySubtract indicates that the Browser setting "IE Homepage (System)" is the target of the attempted change. It then allows me to deny the attempt.

SpyBot indicates that it's detected an attempt to change the Browser page value for the "Start Page" to "about:blank". It also allows me to deny the attempt.

I've been running SpyBot since version 1.3 came out and I've got its "Resident log"
going back to the time I installed it. I've marked it up by highlighting items of interest. It's appended below. I see no obvious pointers to the source of the problem. Apologies for the length.

Many thanks, please advise further,


10/12/2004 5:06:37 PM Allowed value "CZFMDKsk" (new data: "C:\PROGRA~1\FDD_FM~1\CZFMDKsk.exe") added in System Startup global entry!
10/12/2004 6:49:03 PM Allowed value "LUSETUP-LT" (new data: "C:\PROGRA~1\Symantec\LIVEUP~1\LUSETU~1.EXE -s -a -q -log") added in System Startup global entry!
10/19/2004 1:40:46 AM Allowed value "Symantec NetDriver Monitor" (new data: "") deleted in System Startup user entry!
10/19/2004 7:27:57 PM Denied value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
10/19/2004 7:28:10 PM Allowed value "MSConfig" (new data: "C:\Documents and Settings\Administrator\Desktop\Utility\msconfig.exe /auto") added in System Startup global entry!
11/13/2004 1:48:06 PM Denied value "Search Page" (new data: "http://www.superwebsearch.com/ie/") changed in Browser page!
11/13/2004 1:48:23 PM Denied value "SearchAssistant" (new data: "http://www.superwebsearch.com/ie/") changed in Browser page!
11/13/2004 2:15:35 PM Allowed value "SearchURL" (new data: "http://www.google.com") changed in Browser page!
11/13/2004 2:15:45 PM Allowed value "Search Bar" (new data: "about:blank") changed in Browser page!
11/16/2004 11:29:31 PM Allowed value "CleanUp!" (new data: "C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart") added in System Startup user entry!
11/17/2004 6:14:09 PM Allowed value "C-Media Mixer" (new data: "Mixer.exe /startup") added in System Startup global entry!
11/17/2004 6:14:14 PM Allowed value "InCD" (new data: "C:\Program Files\Ahead\InCD\InCD.exe") added in System Startup global entry!
11/17/2004 6:14:18 PM Allowed value "NeroCheck" (new data: "C:\WINNT\system32\\NeroCheck.exe") added in System Startup global entry!
11/18/2004 10:15:43 PM Denied value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
11/19/2004 8:00:47 PM Denied value "" (new data: "") added in Browser page!
11/19/2004 8:00:57 PM Denied value "" (new data: "") added in Browser page!
11/20/2004 4:35:18 PM Denied value "Synchronization Manager" (new data: "") deleted in System Startup global entry!
11/20/2004 4:36:10 PM Allowed value "Synchronization Manager" (new data: "") deleted in System Startup global entry!
12/9/2004 8:46:07 PM Allowed value "AVG7_Run" (new data: "C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE") added in System Startup user entry!
12/9/2004 8:46:15 PM Allowed value "AVG7_CC" (new data: "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP") added in System Startup global entry!
12/9/2004 8:46:24 PM Allowed value "AVG7_EMC" (new data: "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe") added in System Startup global entry!
12/17/2004 1:18:23 PM Allowed value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
1/21/2005 8:51:07 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 8:54:47 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 10:09:23 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 10:31:15 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 11:05:06 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 11:10:05 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 11:10:43 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 11:19:40 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 11:28:36 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 11:33:41 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 11:36:16 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 11:56:59 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 12:01:46 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 12:22:01 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 12:33:29 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 12:35:20 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 3:33:16 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/21/2005 3:53:24 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/25/2005 3:18:56 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/25/2005 3:31:33 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/25/2005 3:39:48 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/25/2005 5:01:28 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/25/2005 5:04:23 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/25/2005 5:25:21 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 8:30:12 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 9:00:02 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 10:37:42 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 11:00:56 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 11:02:35 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 11:09:47 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 11:52:52 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 11:57:58 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 11:59:31 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 12:02:34 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 7:29:43 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 7:32:41 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 7:35:51 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 7:38:31 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 7:41:33 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/26/2005 7:45:29 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/26/2005 7:48:06 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/27/2005 9:40:30 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/27/2005 9:42:04 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/27/2005 10:07:14 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/27/2005 10:08:37 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/27/2005 10:49:54 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/27/2005 11:13:23 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/27/2005 11:20:13 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/29/2005 10:37:01 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/29/2005 10:38:40 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/29/2005 2:55:11 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/29/2005 3:23:46 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/29/2005 6:04:07 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/29/2005 6:26:39 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/29/2005 6:29:54 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/29/2005 7:17:36 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 11:34:26 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 11:35:48 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 11:38:48 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 11:57:52 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 12:00:35 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 12:05:04 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 1:49:57 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 1:50:50 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 4:57:37 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 4:59:54 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 5:03:09 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 5:44:54 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 5:51:22 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 6:09:11 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:13:34 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:16:39 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:18:00 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:20:52 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:23:56 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:38:29 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:44:31 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:44:54 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:48:48 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:52:12 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:56:28 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 8:57:13 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 9:01:42 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 9:02:59 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 9:06:02 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 9:09:23 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 9:12:25 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 9:15:03 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 9:17:49 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
1/31/2005 9:39:44 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/1/2005 11:37:48 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/1/2005 11:38:53 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/1/2005 11:54:33 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/1/2005 2:23:27 PM Allowed value "Start Page" (new data: "about:blank") changed in Browser page!
2/2/2005 3:05:34 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/2/2005 4:10:03 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/2/2005 4:12:51 PM Allowed value "Start Page" (new data: "about:blank") changed in Browser page!
2/7/2005 9:49:18 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/7/2005 11:21:16 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/9/2005 10:46:42 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/9/2005 10:47:20 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/9/2005 11:36:18 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/9/2005 11:39:22 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/9/2005 11:42:30 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
2/9/2005 6:34:11 PM Denied value "NetFxUpdate_v1.0.3705" (new data: ""C:\WINNT\Microsoft.NET\Framework\v1.0.3705\netfxupdate.exe" 0 v1.0.3705 GAC + NI NID") added in System Startup global entry!
2/9/2005 7:04:07 PM Allowed value "Start Page" (new data: "about:blank") changed in Browser page!
2/21/2005 5:53:36 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
3/14/2005 11:26:08 AM Denied value "CleanUp!" (new data: "C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart") added in System Startup user entry!
3/30/2005 10:27:34 AM Allowed value "CleanUp!" (new data: "C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart") added in System Startup user entry!
4/7/2005 6:47:18 PM Allowed value "SpySubtractInst_0" (new data: "regsvr32 /s "c:\Program Files\interMute\SpySubtract\ssengine.dll"") added in System Startup global entry!
4/7/2005 6:47:24 PM Allowed value "SpySubtractInst_1" (new data: "regsvr32 /s "c:\Program Files\interMute\SpySubtract\sshook.dll"") added in System Startup global entry!
4/7/2005 7:07:02 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/7/2005 7:21:45 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/7/2005 8:56:32 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/7/2005 9:04:36 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/8/2005 12:01:36 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/8/2005 1:09:30 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/8/2005 9:57:12 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/8/2005 9:59:46 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/8/2005 10:32:46 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/8/2005 10:38:54 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/8/2005 10:42:53 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/8/2005 7:51:27 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/8/2005 7:55:44 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/8/2005 7:56:39 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/8/2005 7:59:52 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/12/2005 3:23:40 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/12/2005 3:36:28 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/12/2005 11:06:06 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 1:56:16 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 8:08:51 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 11:48:21 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 3:32:56 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 4:58:30 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 4:59:29 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 5:02:33 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 5:05:25 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 5:11:30 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 5:15:22 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 5:37:23 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 5:38:42 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 5:42:17 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 5:46:15 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 5:48:08 PM Denied value "CleanUp!" (new data: "C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart") added in System Startup user entry!
4/13/2005 5:48:16 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 5:59:55 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 6:01:38 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 6:45:59 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 6:47:43 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/13/2005 8:59:55 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 9:28:45 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 9:39:24 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 10:11:50 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 11:03:16 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 11:13:39 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 11:24:17 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 11:27:11 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 12:43:54 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 12:45:52 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 12:48:51 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 12:51:39 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 12:54:20 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 12:58:42 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 1:02:01 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 1:03:24 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 1:08:20 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 1:51:10 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 1:54:18 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 2:05:11 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 3:44:47 PM Denied value "SearchAssistant" (new data: "") deleted in Browser page!
4/14/2005 3:54:29 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 3:58:51 PM Denied value "SearchAssistant" (new data: "") deleted in Browser page!
4/14/2005 3:59:48 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 4:01:38 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 4:06:40 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 4:09:05 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 4:29:06 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 4:53:12 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 5:00:40 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 5:03:26 PM Denied value "CleanUp!" (new data: "C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart") added in System Startup user entry!
4/14/2005 5:03:31 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 5:04:54 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 5:24:09 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 5:34:31 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 5:47:09 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 5:51:42 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 7:14:47 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 7:28:16 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 7:47:40 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 7:51:02 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 7:56:42 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:08:07 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:13:08 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:21:37 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:22:49 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:25:48 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:28:49 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:31:49 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:35:14 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:44:44 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:53:35 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:58:01 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 8:58:45 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 9:37:09 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 9:41:39 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 10:26:47 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 10:32:01 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 10:34:58 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 10:38:04 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 10:42:17 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 10:49:21 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/15/2005 12:24:38 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/15/2005 12:27:30 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/15/2005 9:31:21 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/15/2005 12:49:48 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/15/2005 12:52:43 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/15/2005 12:54:15 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/15/2005 12:57:31 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/15/2005 1:00:15 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/15/2005 10:42:12 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/15/2005 11:32:12 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 1:17:19 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 1:20:25 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 1:51:44 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 2:02:52 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 2:04:51 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 2:16:16 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 2:38:59 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 2:57:21 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 3:18:55 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 3:27:56 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 3:33:11 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 3:42:33 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 4:33:23 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 5:18:08 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 5:30:48 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 5:34:21 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 1:07:34 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 1:11:05 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/16/2005 1:13:45 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
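A small parser for the resident-protection log format shown above, tallying which registry values were touched, how often per day, and which startup entries were allowed. It is an added example, not part of the original post or of any Spybot tooling; the function names are hypothetical, and the sample is excerpted from the log above plus one constructed malformed line. The format has no field naming the process that made the change, so the tally shows what and how often, not who.

```python
import re
from collections import Counter
from datetime import datetime

# Line shape as it appears in the log above:
# <date> <time> <Allowed|Denied> value "<name>" (new data: "<data>") <action> in <area>!
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<decision>Allowed|Denied) value "(?P<name>[^"]*)" '
    # Greedy match: the data itself may contain quotes (quoted paths).
    r'\(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|changed|deleted) in (?P<area>.+)!$'
)

# Lines excerpted from the log above; the last line is constructed.
SAMPLE = r'''
2/9/2005 6:34:11 PM Denied value "NetFxUpdate_v1.0.3705" (new data: ""C:\WINNT\Microsoft.NET\Framework\v1.0.3705\netfxupdate.exe" 0 v1.0.3705 GAC + NI NID") added in System Startup global entry!
2/9/2005 7:04:07 PM Allowed value "Start Page" (new data: "about:blank") changed in Browser page!
4/7/2005 6:47:18 PM Allowed value "SpySubtractInst_0" (new data: "regsvr32 /s "c:\Program Files\interMute\SpySubtract\ssengine.dll"") added in System Startup global entry!
4/7/2005 7:07:02 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/7/2005 7:21:45 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
4/14/2005 3:44:47 PM Denied value "SearchAssistant" (new data: "") deleted in Browser page!
this line is constructed and does not match the format
'''
SAMPLE_LINES = [ln for ln in SAMPLE.splitlines() if ln.strip()]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    return rec


def summarize(lines):
    """Tally events by (area, value, decision) and by day; collect allowed startup entries."""
    by_value, per_day = Counter(), Counter()
    allowed_startup, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # keep a count so malformed lines are not silently lost
            continue
        by_value[(rec["area"], rec["name"], rec["decision"])] += 1
        per_day[rec["ts"].date().isoformat()] += 1
        # Allowed startup entries persist across reboots, so list them for review.
        if rec["decision"] == "Allowed" and rec["area"].startswith("System Startup"):
            allowed_startup.append((rec["name"], rec["data"]))
    return {"by_value": by_value, "per_day": per_day,
            "allowed_startup": allowed_startup, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for (area, name, decision), n in report["by_value"].most_common():
        print(f"{n:3d}  {decision:7s} {name!r} in {area}")
    for day, n in sorted(report["per_day"].items()):
        print(f"{day}  {n} event(s)")
    print("allowed startup entries:", report["allowed_startup"])
    print("unparsed lines:", report["unparsed"])
```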


#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:09:53 AM

Posted 16 April 2005 - 08:41 PM

Hi Frank C. Well, there is nothing in the logs that tells us what file or program is attempting to make the change. There are cases where about:blank is legitimate if there is no value assigned to the registry key for that particular entry and so it becomes the default value. In many of the cases where about:blank is put into the registry values by malicious programs it is due to a CWS infection, so let's check for that once even though there is no sign of that in your HijackThis log.

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it.

Make sure that all browser windows are closed, start CWShredder and click on the Fix-> button.

Now reboot your computer to finish the fix.

Run your computer normally for a day or so and see what happens and then post your results back here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 Frank C


Posted 16 April 2005 - 09:48 PM

Hi OT,

I already had CWShredder installed. It is the latest version ( v2.14 ).
I scanned with it again and no fault was found.

Note: I just ran another scan of Intermute's SpySubtract Pro ( v.2.64 with the latest definitions v.2.67 ). No faults were found, but as it was scanning, I noticed that it looked at HKCU\software\kazaa\promotions\cydoor\adwr_xxxx.

I've never downloaded any music or file sharing programs!

I then tried searching the Registry for: "HKCU\software\kazaa\promotions\cydoor\adwr_xxxx" and could not find it!

How come the scanner sees it but I can't?

I'll try to see if I can observe this registry key as I run a Spybot S&D scan.

Also, I'll try disabling SpySubtract Pro and waiting to see if Spybot still alerts
me. The warnings are increasingly frequent.

Perhaps, if I allow the Registry change to let the "about:blank" install, I can then
run the SpyBot or HJT or SPSeHjFix to detect and flush it out, but I'm wary of this
approach.

What are your thoughts, most patient and wise OT ?

#8 OldTimer


Posted 16 April 2005 - 09:59 PM

Hmmm. That's very interesting. Try this:

Download and install the Microsoft AntiSpyware Beta. Update the program and let it do a complete scan. This may take a little while so be patient. Perform the fixes that it suggests.

I ran that a couple of weeks ago after they made a few changes. It found a number of registry entries for kazaa and I had never installed kazaa before either (60+ to be exact). I run a number of different registry scanning tools and not one of them ever came across those entries before either.

I am interested in seeing what your results are.

Cheers.

OT

#9 Frank C


Posted 19 April 2005 - 01:13 PM

Greetings OT,

Good news. I disabled Intermute's SpySubtract Pro and waited for
more warnings from Spybot S&D. Since I disabled SpySubtract, the warnings
have stopped. Either SpySubtract was detecting false positives and also triggering
Spybot to detect the attempted changes, or SpySubtract had some code that was
attempting to make the change to my browser settings.

Also, after waiting some time, to see if the attempted hijack warnings would come back,
I took your suggestion and downloaded the MS Anti Spyware Beta.
It looks like a very good product, however it did not detect any malicious processes,
files or registry keys. I guess that's a good thing, but it leaves me
wondering why it did not see the Kazaa entry I mentioned in my last post.

Thank you very much for your help. You and the HJT team are a great resource.
I'll check back under this topic to see if there are any follow up questions or observations.
I believe it's OK to close out the topic. :thumbsup:

Thanks again, Frank

#10 OldTimer


Posted 19 April 2005 - 02:12 PM

Hey Frank C. Glad to hear that you have it figured out. Sometimes you do get false positives or complications between programs. It's hard to say.

I will close this topic out. If you need it reopened then just drop me a PM and I will do so.

Cheers.

OT