Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 20 of 27 Posts

·
Registered
Joined
·
10 Posts
Discussion Starter · #1 ·
My Microsoft Internet Explorer ("MIE") address page opens with "about:blank". I tried going into MIE Tools/Internet Options/Advanced/ and clicking off "enable 3rd party browsers extensions" and rebooted.

Same result when I open MIE = about:blank.

I ran "Hijackthis" and "Stinger" but without success.

It appears that some of my Doc files are missing that contained procedures to turn off the Windows XP backup file system

HELP !!!!

Paul K. aka "AvengerII"
 

·
Registered
Joined
·
46,353 Posts
Post your Hijack This log and we'll see if we can determine the source of the problem.
 

·
Registered
Joined
·
15 Posts
ogfile of HijackThis v1.97.7
Scan saved at 10:30:36 PM, on 4/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\System32\PELMICED.EXE
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSBasic.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Basic\CCHelper.dll
O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0-12C36350039D} - C:\WINDOWS\System32\gfmnaaa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\psbasic.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperBasic] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSBasic.exe"
O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRA~1\SPYWAR~1\Spyware-Cop.exe" /s
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

·
Registered
Joined
·
46,353 Posts
This looks like it may be a new variant of a CWS hijack, but it is possible that it is in the CWShredder database. Let's try running CWShredder. If it doesn't remove it we'll remove it manually.

Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

When it is finished restart your computer.

IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"

Come back here and post another Hijack This log and we'll get rid of what's left.
 

·
Registered
Joined
·
46,353 Posts
First please do this:

Navigate to the C:\WINDOWS\system32 folder and locate the gfmnaaa.dll file. Right click it and choose "Send to compressed (zipped) folder". The zipped folder will appear there in the System32 folder. Attach a copy of that zipped folder and send it to me here. Please include a link to this thread so I'll remember where it came from.

This file may be hidden so click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0-12C36350039D} - C:\WINDOWS\System32\gfmnaaa.dll

O4 - HKLM\..\Run: [Services] C:\WINDOWS\svchost.exe


Restart to safe mode and delete:

The C:\WINDOWS\System32\gfmnaaa.dll file
The C:\WINDOWS\svchost.exe file

*Note: Do Not delete the svchost.exe file that is located in the C:Windows\System32 folder. It is a legitimate windows file.

How to start your computer in safe mode
 

·
Registered
Joined
·
10 Posts
Discussion Starter · #8 ·
This is what I found

Logfile of HijackThis v1.97.7
Scan saved at 3:46:15 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
E:\WINDOWS\System32\atiptaxx.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
E:\Program Files\ATI Multimedia\main\launchpd.exe
E:\Program Files\Palm\AlarmApp.exe
E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
E:\Program Files\QUICKENW\QWDLLS.EXE
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Palm\HOTSYNC.EXE
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Command Software\dvpapi.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - E:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - E:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - E:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - E:\WINDOWS\DOWNLO~1\mqgold1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Smapp] E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "E:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [B'sCLiP] E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\RunServices: [Windows Update] mplupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Freedom] E:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [ATI Launchpad] "E:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [RealUpdater] E:\WINDOWS\System32\realupd.exe
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: NetAst.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alarm Manager.LNK = E:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: eBay Toolbar.LNK = E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = E:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: eBay Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: eBay Toolbar (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.6054861111
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {D232CDB6-0000-0000-0000-000000000000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
 

·
Registered
Joined
·
46,353 Posts
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe

Restart your computer.

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
 

·
Registered
Joined
·
10 Posts
Discussion Starter · #10 ·
deleted the 16 - dpf {1000000 etc and ran Hijack as instructed and rebooted machine - sorry it didn't fix the problem - ran hijack again and here is the latest log:

Logfile of HijackThis v1.97.7
Scan saved at 4:21:01 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
E:\WINDOWS\System32\atiptaxx.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
E:\Program Files\Zero Knowledge\Freedom\Freedom.exe
E:\Program Files\ATI Multimedia\main\launchpd.exe
E:\Program Files\Palm\AlarmApp.exe
E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
E:\Program Files\QUICKENW\QWDLLS.EXE
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Palm\HOTSYNC.EXE
E:\Program Files\Common Files\Command Software\dvpapi.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
E:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - E:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - E:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - E:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - E:\WINDOWS\DOWNLO~1\mqgold1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Smapp] E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "E:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [B'sCLiP] E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\RunServices: [Windows Update] mplupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Freedom] E:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [ATI Launchpad] "E:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [RealUpdater] E:\WINDOWS\System32\realupd.exe
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: NetAst.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alarm Manager.LNK = E:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: eBay Toolbar.LNK = E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = E:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: eBay Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: eBay Toolbar (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.6054861111
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {D232CDB6-0000-0000-0000-000000000000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
 

·
Registered
Joined
·
46,353 Posts
Thanks Derek. I'm still having a hard time with the new look of the forum.

Not only did I miss that one. I missed this one too:

O4 - HKCU\..\Run: [RealUpdater] E:\WINDOWS\System32\realupd.exe

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O4 - HKLM\..\RunServices: [Windows Update] mplupdate.exe

O4 - HKCU\..\Run: [RealUpdater] E:\WINDOWS\System32\realupd.exe


Restart to safe mode and delete:

The E:\WINDOWS\System32\realupd.exe file

And the mplupdate.exe file. It will probably be in the E:\WINDOWS\System32 folder as well.

They may be hidden so be sure and set the folder options as I showed you before.
 

·
Registered
Joined
·
10 Posts
Discussion Starter · #14 ·
I'm not sure if my last message got to u - to make a long story short I had to redo all the instructions in ur threads. Being a novice at this and having a life time membership in the "Village Idiot" Club I didn't realize where the "log" was so I may have screwed up the procedure.

However the files u mentioned in ur 1st thread had disappeared on their own after applying the last 2 thread instructions . After the last reboot MIE is still showing about:blank as the home page after i had changed it via Tools and rebooted.

Here is the current log:

Logfile of HijackThis v1.97.7
Scan saved at 11:37:02 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
E:\WINDOWS\System32\atiptaxx.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
E:\Program Files\ATI Multimedia\main\launchpd.exe
E:\Program Files\Palm\AlarmApp.exe
E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
E:\Program Files\QUICKENW\QWDLLS.EXE
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Palm\HOTSYNC.EXE
E:\Program Files\Common Files\Command Software\dvpapi.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
E:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - E:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - E:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - E:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - E:\WINDOWS\DOWNLO~1\mqgold1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - E:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Smapp] E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "E:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [B'sCLiP] E:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Freedom] E:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [ATI Launchpad] "E:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: NetAst.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alarm Manager.LNK = E:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: Billminder.lnk = E:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: eBay Toolbar.LNK = E:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = E:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: eBay Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: eBay Toolbar (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.6054861111
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {D232CDB6-0000-0000-0000-000000000000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
 

·
Registered
Joined
·
46,353 Posts
Your log looks fine now. Are you still getting the About:Blank page?
 

·
Registered
Joined
·
10 Posts
Discussion Starter · #17 ·
Still getting About:blank- did u get my previous message about the site that l found that indicates it may be a .dll file problem ?

If not here it is along with an out take that points to a possible other cause. I can get a list of the files they point out form my machine but I'm not sure how to copy same which would include the dates

http://www.dbforums.com/t705228.html

From: Stoom
Date: 03-09-04 04:07
Subject: About:Blank

--------------------------------------------------------------------------------
I HAD THE SAME PROBLEM WITH THAT ABOUT:BLANK Page. I tried what previous post said found a file named msxmlpp.dll , It was a different date and was not a microsoft created file i deleted i now have my origional home page back. I also went into systen registry and clicked on edit then find and typed in about:blank there aswell and deleted whatever came up in there aswell.
 

·
Registered
Joined
·
46,353 Posts
You can locate that file and right click it and choose "Properties" and check out all the info on the file.
 

·
Registered
Joined
·
12 Posts
I have a problem. My internet explorer main page is about:blank
My hijak this log is:

Logfile of HijackThis v1.97.7
Scan saved at 20:24:59, on 15/4/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\htpatch.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINNT\System32\internat.exe
C:\Arquivos de programas\Sony Corporation\Image Transfer\SonyTray.exe
C:\Arquivos de programas\Microsoft Office\Office\OSA.EXE
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Outlook Express\msimn.exe
C:\Arquivos de programas\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [PCI Audio Applications] D:\Sound\C-Media\W2K-ME\app\Setup.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\ARQUIV~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Ares] c:\arquivos de programas\ares\ares.exe -h
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ares] "C:\arquivos de programas\ares\ares.exe" -h
O4 - HKCU\..\Run: [SpySweeper] C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Microsoft Outlook.lnk = C:\Arquivos de programas\Microsoft Office\Office\OUTLOOK.EXE
O4 - Startup: Reboot.exe
O4 - Global Startup: Image Transfer.lnk = C:\Arquivos de programas\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Inicialização do Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Localização acelerada da Microsoft.lnk = C:\Arquivos de programas\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38013.531099537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D427EF9-56A9-47A3-BF00-6D9457CEADA3}: NameServer = 200.198.176.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D427EF9-56A9-47A3-BF00-6D9457CEADA3}: NameServer = 200.198.176.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D427EF9-56A9-47A3-BF00-6D9457CEADA3}: NameServer = 200.198.176.2

Somebody cam help me???

(sorry, but i don´t speak english very well....)
 

·
Registered
Joined
·
10 Posts
Having some trouble with about:blank at IE startup...Following is current log

Logfile of HijackThis v1.97.7
Scan saved at 9:22:33 PM, on 4/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ron\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O2 - BHO: (no name) - {49E175C1-5A4E-4781-8764-A4AE514AB1B8} - C:\WINDOWS\System32\eicn.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [njgao59s57] C:\WINDOWS\rh8rt7xp83.exe
O4 - HKCU\..\Run: [ltaw440tbv] C:\WINDOWS\xxejrzj9b6.exe
O4 - HKCU\..\Run: [wf76ilf54d] C:\WINDOWS\phpb1lehau.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EA18810-17F2-4DBE-8D10-C7B8FBB8E468}: NameServer = 204.127.202.4,216.148.227.68

Any help or ideas?...everytime I think I have this thing licked, it rears its ugly head!

Thanks
ron
 
1 - 20 of 27 Posts
Status
Not open for further replies.
Top