about:blank problem
2 replies to this topic

#1 Jerrinna


Posted 21 July 2004 - 04:24 PM

For about two weeks now I have had the spyware problem with the changing of my homepage URL. I have used HijackThis, fixing the R1, R0 and BHO, followed by a dose of About:Buster in safe mode. But after a while it comes back. My HijackThis log is posted below. Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 5:18:13 PM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\javawu.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
D:\IPOD\bin\iPodService.exe
C:\WINDOWS\system32\crok.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Documents and Settings\Dina\Desktop\HijackThis.exe

O2 - BHO: (no name) - {C5E5AAF1-E338-ED8E-4D57-DC8FB2DE04CB} - C:\WINDOWS\netbp32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] D:\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [crok.exe] C:\WINDOWS\system32\crok.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt2_x.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...022384e480b9c0d
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#2 strafer


Posted 21 July 2004 - 04:32 PM

Try this:

Hit Start > Run. Type regedit. Hit OK.

Go to My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Click on the Windows folder and look at the right pane. Double-click on AppInit_DLLs. If it says this: C:\WINDOWS\System32\xxxxx.dll (random .dll name), then close all programs except regedit.

Get ready to shut down.

Rename the file path to gibberish (ahfashgklash). Have some fun :D .

Hit OK and restart Windows. Once you are booted up, run CWShredder. Remove all infected files and remove them from the recycle bin. Open regedit again and check the windows file to make sure the path isn't there. If it isn't, wait it out and see if it is gone; if not, post again.
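
The AppInit_DLLs check described in the post above can also be run against a text export of the key taken before and after the cleanup. This is an added example, not part of the original post; the function names and the sample export are constructed for illustration.

```python
import re

# Registry key from the post; AppInit_DLLs is a value under it.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample of a regedit text export; xxxxx.dll is the post's placeholder name.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\xxxxx.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

def appinit_dlls(export_text):
    """Return the DLLs listed in AppInit_DLLs under KEY, or [] if empty or absent."""
    in_key = False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: track whether we are inside the key of interest.
            in_key = line[1:-1].lower() == KEY.lower()
            continue
        m = re.match(r'"AppInit_DLLs"="(.*)"$', line, re.IGNORECASE) if in_key else None
        if m:
            # .reg string values escape backslashes and quotes with a backslash.
            value = re.sub(r"\\(.)", r"\1", m.group(1))
            # The value is a list of DLLs separated by spaces or commas.
            return [p for p in re.split(r"[ ,]+", value) if p]
    return []

def still_loaded(before_text, after_text):
    """Entries present before cleanup that are still listed afterwards."""
    before = {p.lower() for p in appinit_dlls(before_text)}
    return [p for p in appinit_dlls(after_text) if p.lower() in before]

if __name__ == "__main__":
    for dll in appinit_dlls(SAMPLE_EXPORT):
        print("AppInit_DLLs entry to review:", dll)
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so decode the file with that encoding before passing its text to these functions.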

#3 mmxx66


Posted 07 September 2004 - 04:33 PM

Sorry for the delay. If you still have problems, post a fresh log please.