stockcharlie

About:blank


Not to complain but I posted this problem two weeks ago and did not get any help. I have tried many things to fix this with no luck. I know that my log files may have changed. So I am posting this as a new topic. Please forgive me if this is not acceptable. I am new to this type of forum.

 

My homepage has been hijacked by About:blank. I have read your FAQs and other posts about fixing this. Also I have tried some things from the Symantec site and it appeared to be gone for about a week. I have run the latest AdAware, CW Shredder, Spybot S&D, Hijack This, fixMTX from Symantec and other things. I can get my homepage back to the default after running these programs and rebooting. However, after a short time my homepage will change back to about:blank. Also Notepad will not work and I have to keep reinstalling WMP.

I think I may not be removing something in the log file. Please help. I have many hours wasted on this virus and would like to get my hands on the person responsible for this. Here are the entries that AdAware removes that keep coming back to my Hijack This log.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

Below is my Hijack This log file after running these programs and before it has added these files back to my Hijack This log. The last one I had to remove with Hijack This.

 

Logfile of HijackThis v1.97.7

Scan saved at 9:28:25 PM, on 7/8/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\UMSD TOOLS2.33\UMSD.EXE

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

C:\PROGRAM FILES\MICROSOFT WORKS\MSWORKS.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

O2 - BHO: (no name) - {CBA8B751-3A44-4FB7-861F-F9C2BD488B54} - C:\WINDOWS\SYSTEM\MGIMD.DLL

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE

O4 - HKLM\..\Run: [symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE

O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\PROGRAM FILES\UMSD TOOLS2.33

O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Fill from &Identity - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillIdent.html

O8 - Extra context menu item: Fill from &Passcard - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillPass.html

O9 - Extra button: RoboForm (HKLM)

O9 - Extra 'Tools' menuitem: RF &Toolbar (HKLM)

O9 - Extra button: Fill Forms (HKLM)

O9 - Extra 'Tools' menuitem: &Fill Forms (HKLM)

O9 - Extra button: Save (HKLM)

O9 - Extra 'Tools' menuitem: &Save Forms (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: {EC5F3021-FA37-11D1-8B80-00C04F86F194} (AmortControl.Amort) - http://activex.microsoft.com/activex/contr...mortControl.ocx

O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe

O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} (EZListings) - http://www.therealyellowpageslive.net/live/ezlistng.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8167.3022800926

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab


Download: "StartDreck", from here:

http://members.blackbox.net/hp_links/21/ni.../startdreck.htm

http://www.niksoft.at/download/startdreck.htm

 

Unzip to its own folder and start the program,

 

Press 'Config'

Press 'Unmark All'

 

Check the following boxes only:

Registry -> Run Keys

System/Drivers -> Running processes

Press 'Ok'

 

Press 'Save' and select the location to save the log file

(default is the same folder as the application)

 

Post the log in this thread.

 

 

Also post a new HiJackThis log using version 198.0

 

http://209.133.47.12/~merijn/files/HijackThis.exe

http://downloads.net-integration.net/HijackThis.exe

http://www.computercops.biz/downloads-file-328.html


Thank you for responding. I have also tried AboutBuster with no luck. Here are the log files that you requested.

 

Logfile of HijackThis v1.98.0

Scan saved at 2:25:09 AM, on 7/10/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\UMSD TOOLS2.33\UMSD.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

O2 - BHO: (no name) - {CBA8B751-3A44-4FB7-861F-F9C2BD488B54} - C:\WINDOWS\SYSTEM\MGIMD.DLL

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE

O4 - HKLM\..\Run: [symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE

O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\PROGRAM FILES\UMSD TOOLS2.33

O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Fill from &Identity - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillIdent.html

O8 - Extra context menu item: Fill from &Passcard - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillPass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RF &Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: &Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: &Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O16 - DPF: {EC5F3021-FA37-11D1-8B80-00C04F86F194} (AmortControl.Amort) - http://activex.microsoft.com/activex/contr...mortControl.ocx

O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab

O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe

O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} (EZListings) - http://www.therealyellowpageslive.net/live/ezlistng.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O18 - Filter: text/plain - {D9ED7142-DBF4-42D7-B79B-CB4E9C3024B8} - C:\WINDOWS\SYSTEM\MGIMD.DLL

O18 - Filter: text/html - {D9ED7142-DBF4-42D7-B79B-CB4E9C3024B8} - C:\WINDOWS\SYSTEM\MGIMD.DLL

 

StartDreck (build 2.1.5 public BETA) - 2004-07-10 @ 02:23:00

Platform: Windows 98 SE (Win 4.10.2222 A)

 

»Registry

»Run Keys

»Current User

»Run

*PopUpStopperFreeEdition="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

»RunOnce

»Default User

»Run

*PopUpStopperFreeEdition="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

»RunOnce

»Local Machine

»Run

*SystemTray=SysTray.Exe

*Logitech Utility=LOGI_MWX.EXE

*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start

*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

*NAV CfgWiz=C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

*NPROTECT=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE

*PLoader=c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\PROGRAM FILES\UMSD TOOLS2.33

*Ad-aware="C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c

*Installed=1

*NoChange=1

*Installed=1

*Installed=1

»RunOnce

»RunServices

*SchedulingAgent=mstask.exe

*SSDPSRV=c:\windows\SYSTEM\ssdpsrv.exe

*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

*NPROTECT=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE

»RunServicesOnce

»RunOnceEx

»RunServicesOnceEx

»Files

»System/Drivers

»Running Processes

*FFEF3479=C:\WINDOWS\SYSTEM\KERNEL32.DLL

*FFFFE315=C:\WINDOWS\SYSTEM\MSGSRV32.EXE

*FFFFF485=C:\WINDOWS\SYSTEM\MPREXE.EXE

*FFFF9455=C:\WINDOWS\SYSTEM\mmtask.tsk

*FFFF9AB1=C:\WINDOWS\SYSTEM\MSTASK.EXE

*FFE06459=C:\WINDOWS\SYSTEM\SSDPSRV.EXE

*FFE00019=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

*FFE01A59=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE

*FFE02E39=C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE

*FFE104F5=C:\WINDOWS\EXPLORER.EXE

*FFE2D561=C:\WINDOWS\SYSTEM\SYSTRAY.EXE

*FFE29F8D=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

*FFE31D31=C:\PROGRAM FILES\UMSD TOOLS2.33\UMSD.EXE

*FFE30E69=C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

*FFE3B13D=C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

*FFFF9C3D=C:\WINDOWS\SYSTEM\WMIEXE.EXE

*FFE35DF9=C:\WINDOWS\SYSTEM\WINOA386.MOD

*FFE35C71=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE

*FFE5D8D9=C:\WINDOWS\SYSTEM\WINOA386.MOD

*FFE30D5D=C:\WINDOWS\SYSTEM\WINOA386.MOD

*FFE40F69=C:\WINDOWS\DESKTOP\STARTDRECK.EXE

*FFE7AA55=C:\WINDOWS\SYSTEM\SPOOL32.EXE

»Application specific


Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

 

Check the following items in HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

O2 - BHO: (no name) - {CBA8B751-3A44-4FB7-861F-F9C2BD488B54} - C:\WINDOWS\SYSTEM\MGIMD.DLL

 

O18 - Filter: text/plain - {D9ED7142-DBF4-42D7-B79B-CB4E9C3024B8} - C:\WINDOWS\SYSTEM\MGIMD.DLL

O18 - Filter: text/html - {D9ED7142-DBF4-42D7-B79B-CB4E9C3024B8} - C:\WINDOWS\SYSTEM\MGIMD.DLL

 

Close all windows except HijackThis and click Fix checked.

 

 

HiJackThis version 198.0 is now available.

If you do already have it installed, download it from here:

http://209.133.47.12/~merijn/files/HijackThis.exe

http://downloads.net-integration.net/HijackThis.exe

http://www.computercops.biz/downloads-file-328.html

 

Then run HiJackThis again and post a new log in this thread.

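The pattern behind the fix list in the reply above, as an added example that is not part of the original thread or of HijackThis itself: a small triage pass over HijackThis log lines. The three rules are assumptions drawn only from what separates the entries on the fix list from the ones left alone in this thread (IE settings pointing at a file:// page in a TEMP directory, the HomeOldSP value, and a DLL registered both as a BHO and as a text/html or text/plain filter); the sample lines are excerpts of the logs posted here.

```python
import re

# Excerpt of the second HijackThis log posted in this thread (before the fix).
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {CBA8B751-3A44-4FB7-861F-F9C2BD488B54} - C:\WINDOWS\SYSTEM\MGIMD.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Filter: text/plain - {D9ED7142-DBF4-42D7-B79B-CB4E9C3024B8} - C:\WINDOWS\SYSTEM\MGIMD.DLL
O18 - Filter: text/html - {D9ED7142-DBF4-42D7-B79B-CB4E9C3024B8} - C:\WINDOWS\SYSTEM\MGIMD.DLL
"""

# Excerpt of the third log, posted after "Fix checked".
AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")           # "R1 - ...", "O18 - ..."
MIME_FILTER = re.compile(r"Filter: text/(html|plain) - ")
TEMP_FILE_URL = re.compile(r"file://.*\\temp\\", re.I)   # local page under a TEMP dir


def parse(log):
    """Return (code, body) pairs; header and running-process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def target_file(body):
    """O2/O18 bodies end with ' - <file path>'; compare paths case-insensitively."""
    return body.rsplit(" - ", 1)[-1].strip().lower()


def triage(log):
    """Flag entries matching the thread-derived rules (assumptions, not HijackThis logic)."""
    entries = parse(log)
    filter_dlls = {target_file(b) for c, b in entries
                   if c == "O18" and MIME_FILTER.match(b)}
    findings = []
    for code, body in entries:
        reason = None
        if code in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if TEMP_FILE_URL.match(value):
                reason = "IE setting points at a local file in a TEMP directory"
            elif key.endswith(",HomeOldSP"):
                reason = "HomeOldSP value (on the thread's fix list)"
        elif code == "O2" and target_file(body) in filter_dlls:
            reason = "BHO DLL is also registered as a text/html or text/plain filter"
        elif code == "O18" and MIME_FILTER.match(body):
            reason = "filter hooked on text/html or text/plain content"
        if reason:
            findings.append((code, body, reason))
    return findings


def resolved(before, after):
    """Flagged entries from the earlier log that no longer appear in the later one."""
    remaining = set(parse(after))
    return [f for f in triage(before) if (f[0], f[1]) not in remaining]


if __name__ == "__main__":
    for code, body, reason in triage(BEFORE):
        print(f"{code:<3} {reason}\n    {body}")
    print(len(resolved(BEFORE, AFTER)), "flagged entries gone after the fix")
```

The RoboForm BHO is also listed as "(no name)" but is not flagged, because its DLL is not registered as a content filter; that cross-reference is what singles out MGIMD.DLL.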

Logfile of HijackThis v1.98.0

Scan saved at 8:44:13 PM, on 7/10/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\UMSD TOOLS2.33\UMSD.EXE

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\HIJACKTHIS.EXE

 

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE

O4 - HKLM\..\Run: [symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE

O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\PROGRAM FILES\UMSD TOOLS2.33

O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Fill from &Identity - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillIdent.html

O8 - Extra context menu item: Fill from &Passcard - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillPass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RF &Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: &Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: &Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O16 - DPF: {EC5F3021-FA37-11D1-8B80-00C04F86F194} (AmortControl.Amort) - http://activex.microsoft.com/activex/contr...mortControl.ocx

O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab

O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe

O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} (EZListings) - http://www.therealyellowpageslive.net/live/ezlistng.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab


At last, your system is clean and free of spyware! Want to keep it that way?

 

Here are some simple steps you can take to reduce the chance of infection in the future.

 

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

 

2. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press 'Custom Level'.

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs:

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html

c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Install Spyware Detection and Removal Programs:

You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

a. AdAware: http://www.lavasoft.de/

b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

 

 

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

 

 

Good luck, and thanks for coming to our forums for help with your security and malware issues.


What a relief. My home page is back. Thank you for all of your help.

 

I have downloaded the additional software and updates.

 

I hope ISPs like Earthlink, AOL or even some hacks go after CWS.
