Jump to content


Browser hijack

  • Please log in to reply
1 reply to this topic

#1 Shike



  • New Member
  • Pip
  • 2 posts

Posted 14 July 2004 - 11:22 PM

It got me... and I've been trying to get rid of it for the last 5 days!

Ran Ad-aware6 (using custom settings suggested), Spybot1.3, About:Buster1.7 and even Spyware Eliminator3.0. Can anyone advise? Thanks in advance.

Here's the log from HijackThis:

Logfile of HijackThis v1.98.0
Scan saved at 6:08:46 PM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Aluria Software\ASE\ASEserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Aluria Software\EPS\eps.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\ALGAE\My Documents\My Downloads\TSHOOT\HIJACKDIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ALGAE\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ALGAE\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ALGAE\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ALGAE\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ALGAE\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ALGAE\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39795B6B-6B36-41EB-B56D-BB4206EFDEBA} - C:\WINDOWS\System32\amaimb.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Window5 Update] dxb.exe
O4 - HKLM\..\Run: [Win32 Sound Config] win32snd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Updates] wumdasti.exe
O4 - HKLM\..\Run: [Microsoft Update] SCVHOSTXP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Aluria's Pop-Up Stopper] C:\Program Files\Aluria Software\EPS\eps.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - HKLM\..\RunServices: [Microsoft Update] SCVHOSTXP.exe
O4 - HKLM\..\RunServices: [Window5 Update] dxb.exe
O4 - HKLM\..\RunServices: [Win32 Sound Config] win32snd.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wumdasti.exe
O4 - HKLM\..\RunServices: [Microsoft Sinsup] odjiwjf.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Window5 Update] dxb.exe
O4 - HKCU\..\Run: [Win32 Sound Config] win32snd.exe
O4 - HKCU\..\Run: [Microsoft Updates] wumdasti.exe
O4 - HKCU\..\Run: [Microsoft Sinsup] odjiwjf.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://my.msn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://my.msn.com
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O18 - Filter: text/html - {9154E96A-25F0-44E1-8EDC-7E0C26849AC6} - C:\WINDOWS\System32\amaimb.dll
O18 - Filter: text/plain - {9154E96A-25F0-44E1-8EDC-7E0C26849AC6} - C:\WINDOWS\System32\amaimb.dll

Log from About:Buster (run at safe mode):

-- Scan 1 --------
About:Buster Version 1.27
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.27
Attempted Clean Of Temp folder.
Pages Reset... Done!

#2 Shike



  • New Member
  • Pip
  • 2 posts

Posted 19 July 2004 - 01:54 PM

I was able to get rid of this hijacker. I followed several instructions.

1) I set Ad-Aware custom scan based on these instructions: http://forums.spywar...showtopic=11150

2) I re-installed Spybot S&D 1.3 and set Teatimer on and silent pop up blocking.

3) I made sure I had the most recent releases of 'Hijack This', 'About:Buster' and 'CWShredder' AWA the most current virus definitions for NAV.

4) I went into the registry and exported it as a backup then scanned for the 'about:blank' and '...sp.html' values. I deleted each registry value. I turned off system restore which flushed all restore points.

5) I booted into safe mode then ran the following in this order:

a) Norton AV full scan (no findings)
b) Ad-Aware (found 9 entries all relating to possible hijackings; I had it all fixed)
c) Spybot (no findings)

6) I re-started PC and booted into safe mode again and ran the following in this order:

a) Hijack This scan and fixed all the entries relating to '...SP.HTML' and '...About:Blank'

b) About:Buster (no findings)

c) CWShredder which fixed my IE startpage entries.

I re-started and booted into normal mode. I checked the properties of the IE icon to see what my startpage was... it was what I wanted.

I launched IE and played around a little. Spybot Teatimer prompted for permission to allow or deny change to registry followed by change to startpage. I denied both.

I closed IE and used Ad-Aware to scan. It found 4 entries related to possible hijacking. I had them deleted. Spybot reported DSO exploit which I ignored. Ran Hijack This and again fixed entries relating to 'About:Blank' and '...sp.html'.

I launched IE again which went to my preffered startpage. Closed it down and launched again. It didn't go to About:Blank.

After observing that the 'About:Blank' hijack occured again under my wifes logon... I took the same steps described above under her profile.

All these things I did last Thursday (07.15.04). About:Blank hasn't occured again. Spybot Teatimer prompts us once in a while about changes (not related to About:Blank) which we deny.

By Saturday night, I felt confident enough to create a restore point.

I hope this helps others get passed the 'About:Blank' hijack.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button