Jump to content


Photo

my home page is crazy...help!


  • Please log in to reply
5 replies to this topic

#1 CommanderBrad

CommanderBrad

    Member

  • New Member
  • Pip
  • 3 posts

Posted 25 June 2004 - 02:07 PM

My homepage has been hijacked. I run Hijack This and CWShredder but they don't help. I ran Hijack This in safe mode once and that helped for a while but it came back again. My homepage keeps being set to about:blank. But it's not blank at all. It is a goofy search engine thing and a pop-up always comes with it that says different things but usually, "Your computer has been infected with adware or spyware. Click here to scan u're computer." It is some sort of stupid ad. Can anyone help me?

#2 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 25 June 2004 - 10:38 PM

Hi CommanderBrad
Go here for Hijack This
Unzip,update and scan. The scan button will turn into a save log button. Save it,copy and paste it back into this thread. Don't fix anything yet because most of it is needed.Make sure you place HJT into a folder of itís own. You may need to restore an item and you will not be able to from a temp. dir

#3 CommanderBrad

CommanderBrad

    Member

  • New Member
  • Pip
  • 3 posts

Posted 26 June 2004 - 03:59 PM

Logfile of HijackThis v1.97.3
Scan saved at 4:55:30 PM, on 6/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\TBPanel.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {124CE450-4321-42ED-9B1F-9E7237F00F5F} - C:\WINNT\system32\emipj.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

#4 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 26 June 2004 - 11:14 PM

Hi CommanderBrad
Unfortunately you have contracted the newest CW baddie. There is a fix by RubberDuckY that seems to work pretty well.It is important that you follow the directions on which items to fix and in what order.

Close all browsers and rerun HJT. Check and click fix checked for the following-

O2 - BHO: (no name) - {124CE450-4321-42ED-9B1F-9E7237F00F5F} - C:\WINNT\system32\emipj.dll
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
Now do not restart your computer but find and delete-
C:\Program Files\Common Files\CMEII <=Folder
C:\Program Files\Common Files\GMT <=Folder

Now you need to restart your computer. Download About:Buster by RubberDuckY from either of these sites. Save it to your desktop.
http://tools.zerosre...AboutBuster.zip
http://www.downloads...AboutBuster.zip
Unzip and start the program. Read the directions that pop up. Hit Start . Start Internet Explorer and copy ALL of the text in the address bar. Paste that text into the white box and hit OK.
Restart again and post a fresh HJT log.

#5 CommanderBrad

CommanderBrad

    Member

  • New Member
  • Pip
  • 3 posts

Posted 28 June 2004 - 12:14 PM

bummer. it didn't work. here's the new log.

Logfile of HijackThis v1.97.3
Scan saved at 1:09:59 PM, on 6/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\TBPanel.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {C90BB402-CD99-491D-B05D-B0C183C4FFFF} - C:\WINNT\system32\emipj.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

#6 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 28 June 2004 - 01:59 PM

I heard this morning that Adaware is now having success. Make sure you download a new one.
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.
Then post another log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button