SMART SEARCH - about:blank - HELP! HijackThis LOG

#1 lizq

Posted 01 July 2004 - 08:30 AM

Hi. Here I go, another about:blank victim: my browser (IE) keeps starting at SMART SEARCH.
And my system randomly crashes (can't run the mouse and the modem shuts down). I've read all the posts and tried everything suggested... please help!

THANX IN ADVANCE

Lizq


I've used:

- Norton Internet Security (web updated)

- Spybot Search & Destroy 1.3 (updated): found: BDE projector, DSO exploit


When I open Spybot the following error message appears: "Fehler bei Einfugen von RichEdit-Zeile".
I click OK, and Spybot starts. IS IT BAD or WHAT?
Then in the IMMUNIZE feature I can't click "Enable permanent blocking of bad addresses in
Internet Explorer".

- Ad-Aware 6.0 (updated): found: 3 RegistryData: Possible hijack browser attempt

- CW Shredder: found nothing

- Bazooka: found MS Media Player GUID

- HijackThis v1.97.7: MY LOG:

Logfile of HijackThis v1.97.7
Scan saved at 15.22.09, on 01/07/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAMMI\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAMMI\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAMMI\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAMMI\NORTON INTERNET SECURITY\ATRACK.EXE
C:\PROGRAMMI\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAMMI\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAMMI\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAMMI\MICROANGELO\MUAMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMMI\GETRIGHT\GETRIGHT.EXE
C:\PROGRAMMI\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Programmi\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [MOD] C:\PROGRAMMI\MICROANGELO\muamgr.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [SpyStopper] C:\PROGRAMMI\SPYSTOPPER\spystopper.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmi\File comuni\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [WinGear] C:\WINDOWS\SYSTEM\WinGear.exe
O4 - Startup: GetRight - Tray Icon.lnk = C:\Programmi\GetRight\getright.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Quotation of the Day.lnk = C:\Programmi\cybernation.com\Your Ultimate Success Quotation Library\quoteaday.exe
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...RdxIE601_it.cab
O16 - DPF: {02607DF4-D40B-4FFB-B054-1CAC03468E28} (DNLCertificate Control) - http://www.fmn-media...Certificate.ocx
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd....CAB?38148.4175

#2 The Fist

Posted 01 July 2004 - 09:06 AM

Follow the instructions posted Here. Let me know if you have any difficulties.


The Fist
:thumbsup:

#3 lizq

Posted 02 July 2004 - 03:07 PM

Hi, I've followed the procedure but can't find the dll.

I'M DESPERATE 'cos my system crashes when I'm not online and I have to
reset every time!

Moreover FIND'N FIX does not work!



Logfile of HijackThis v1.97.7
Scan saved at 22.04.17, on 02/07/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAMMI\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAMMI\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAMMI\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAMMI\NORTON INTERNET SECURITY\ATRACK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAMMI\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAMMI\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAMMI\MICROANGELO\MUAMGR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMMI\GETRIGHT\GETRIGHT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Programmi\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [MOD] C:\PROGRAMMI\MICROANGELO\muamgr.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [SpyStopper] C:\PROGRAMMI\SPYSTOPPER\spystopper.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmi\File comuni\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [WinGear] C:\WINDOWS\SYSTEM\WinGear.exe
O4 - Startup: GetRight - Tray Icon.lnk = C:\Programmi\GetRight\getright.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Quotation of the Day.lnk = C:\Programmi\cybernation.com\Your Ultimate Success Quotation Library\quoteaday.exe
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...RdxIE601_it.cab
O16 - DPF: {02607DF4-D40B-4FFB-B054-1CAC03468E28} (DNLCertificate Control) - http://www.fmn-media...Certificate.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd....CAB?38148.4175
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab

#4 The Fist

Posted 02 July 2004 - 04:42 PM

lizq:

1. Was your notepad.exe renamed notepad.exe.bak? If so, what is the date / time of the file?

2. Were you able to find any .dlls that were 57,334? If not, make sure that you were at an MS-DOS prompt in the c:\windows\system directory. If so, what were the names and times of the .dll files that were 57,334?

3. Look for an sp.html file in your Windows\Temp directory. Delete it if it is there.

4. Run HijackThis and delete the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

5. From CONTROL PANEL select SYSTEM click on the PERFORMANCE tab, click on the FILE SYSTEM button and then the TROUBLESHOOTING TAB. Check DISABLE SYSTEM RESTORE and then click on APPLY. Then uncheck DISABLE SYSTEM RESTORE and then click on APPLY. Click on OK and then OK again. You will be asked if you want to reboot your system now. Click on OK. Don't be concerned if the DISABLE SYSTEM RESTORE box is checked. I think that the hijacker does that to prevent you from restoring your system to a point prior to the hijacking. If the box is already checked, just uncheck the box and reboot.

6. Run HijackThis and post your logfile.
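As an added example (not from the thread, and not part of HijackThis), the Python script below automates the checks in steps 2 to 4 above: it lists .dll files of exactly 57,334 bytes with their modification times, checks for sp.html in the Temp folder, and pulls the R0/R1 Start Page lines set to about:blank out of a HijackThis log. The directories and files it scans in `demo()` are a constructed mock; on a real machine you would call `triage()` with the actual C:\WINDOWS\SYSTEM and C:\WINDOWS\TEMP paths and the saved log text.

```python
import os
import tempfile
from datetime import datetime

SUSPECT_DLL_SIZE = 57334            # byte size of the hijacker DLL named in the thread
HIJACKED_START_PAGE = "about:blank"
# Constructed excerpt in HijackThis 1.97 log format; the R0 lines mirror the ones posted above.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

def find_dlls_of_size(directory, size=SUSPECT_DLL_SIZE):
    """Return (name, mtime) for every .dll in `directory` that is exactly `size` bytes."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.lower().endswith(".dll") and os.path.isfile(path):
            st = os.stat(path)
            if st.st_size == size:
                hits.append((name, datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds")))
    return hits

def hijacked_start_page_entries(hjt_log):
    """Return the R0/R1 'Start Page' lines of a HijackThis log whose value is about:blank."""
    out = []
    for line in hjt_log.splitlines():
        if line.startswith(("R0 -", "R1 -")) and "Start Page" in line and "=" in line:
            value = line.split("=", 1)[1].strip()
            if value.lower() == HIJACKED_START_PAGE:
                out.append(line.strip())
    return out

def triage(system_dir, temp_dir, hjt_log):
    """Collect the three indicators from steps 2 to 4 of the thread into one report dict."""
    return {"dlls_57334": find_dlls_of_size(system_dir),
            "sp_html_in_temp": os.path.isfile(os.path.join(temp_dir, "sp.html")),
            "about_blank_entries": hijacked_start_page_entries(hjt_log)}

def demo():
    """Constructed stand-in for C:\\WINDOWS\\SYSTEM and C:\\WINDOWS\\TEMP; returns the triage report."""
    root = tempfile.mkdtemp()
    system_dir, temp_dir = os.path.join(root, "SYSTEM"), os.path.join(root, "TEMP")
    os.makedirs(system_dir); os.makedirs(temp_dir)
    # constructed files: one benign DLL, one DLL of the suspect size, and the sp.html from step 3
    for path, size in ((os.path.join(system_dir, "kernel32.dll"), 1024),
                       (os.path.join(system_dir, "constructed_suspect.dll"), SUSPECT_DLL_SIZE),
                       (os.path.join(temp_dir, "sp.html"), 64)):
        with open(path, "wb") as f:
            f.write(b"\0" * size)
    return triage(system_dir, temp_dir, SAMPLE_LOG)
```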



