About:blank pop-ups and weird search results



#1 john615

Posted 26 May 2004 - 08:30 AM

I am having the same problems as many others on this board. I keep getting pop-ups with 'about:blank' on the header with links to various search sites, and any time I search on Google or Yahoo, the first page of results are just links to the same search engines. I've run Ad-Aware and Spybot and they both found nothing. I've posted my HijackThis log below. Any help would be greatly appreciated. I'm not very good with computers so I apologize in advance if I need things explained a little more basically than you are used to. Thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 14:33:39, on 26/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gsicon.exe
C:\WINNT\system32\dslagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Documents and Settings\Tsering Mellor\My Documents\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Msppkdp] C:\WINNT\system32\MSPPKDP.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5zgRlt] C:\documents and settings\tsering mellor\local settings\temp\5zgRlt.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\Tsering Mellor\Local Settings\Temp\ms13.tmp"
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7900.3720601852
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...296/mcfscan.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://by2fd.bay2.ho...ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA1E18BF-A1B9-424B-8C2A-70A6B5D6AEF3}: NameServer = 194.74.65.69 194.72.9.38

#2 freeatlast

Posted 26 May 2004 - 08:55 AM

Start by fixing the following in hijackthis:

-O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
-O4 - HKLM\..\Run: [Msppkdp] C:\WINNT\system32\MSPPKDP.EXE
-O4 - HKLM\..\Run: [5zgRlt] C:\documents and settings\tsering mellor\local settings\temp\5zgRlt.exe
-O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\Tsering Mellor\Local Settings\Temp\ms13.tmp"
-O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab

Restart computer.
Go to:

C:\Documents and Settings\Tsering Mellor folder.
Click->tools/folder options/view
Check->show hidden files and folders.
'ok' it.
Open the 'Local Settings'\Temp subfolder.
Delete entire contents of temp folder.

Find:
C:\WINNT\system32\MSPPKDP.EXE
And post the info/properties if you know what it is,
otherwise rename the file to MSPPKDP.old

When done, Download:
http://freeatlast.10...om/Find-All.zip
Unzip.
DoubleClick on the 'Find-All.Cmd' file inside, follow
instructions and post the log.
Post another hijackthis log as well.
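The kind of triage behind the fix list above, as an added example that is not part of the original thread or the helper's own method: it scans HijackThis entries for three heuristics that match most of the flagged lines. The heuristics, the function name `triage` and the sample selection are assumptions made for illustration; note that the MSPPKDP.EXE autorun matches none of them and still needs a human look.

```python
import re

# Constructed sample: entries copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Msppkdp] C:\WINNT\system32\MSPPKDP.EXE
O4 - HKLM\..\Run: [5zgRlt] C:\documents and settings\tsering mellor\local settings\temp\5zgRlt.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\Tsering Mellor\Local Settings\Temp\ms13.tmp"
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)       # ...\Temp\... or ...\tmp\...
IP_HOST = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")
RUN_NAME = re.compile(r"\[(?P<name>[^\]]+)\]")            # value name of a Run entry


def triage(log_text):
    """Return (code, label, reason) for each entry matching a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.group("code"), m.group("body")
        if code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((code, body, "registered component has no file on disk"))
        elif code == "O4" and TEMP_DIR.search(body):
            name = RUN_NAME.search(body)
            label = name.group("name") if name else body
            findings.append((code, label, "autorun launches from a Temp directory"))
        elif code == "O16" and IP_HOST.search(body):
            findings.append((code, body, "ActiveX download source is a bare IP address"))
    return findings


if __name__ == "__main__":
    for code, label, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {label}")
```
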

#3 john615

Posted 26 May 2004 - 09:41 AM

Logs posted below. Also, the msppkdp.exe file wasn't in the system32 folder anymore.

--==***@@@ 'FIND-ALL' VERSION 8.1 -5/27 @@@***==--


Wed May 26 15:43:28 2004 -- ++Results:
»»System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (0C57:13D5) - FS:NTFS clusters:4k
Total: 3 856 236 544 [3.6G] - Free: 232 292 352 [222M]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
? C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3802.0 C:\WINNT\System32\msjava.dll


»»PC uptime:
3:43pm up 0 days, 0:23

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
8 System
148 SMSS.EXE
176 CSRSS.EXE Title:
172 WINLOGON.EXE Title: NetDDE Agent
224 SERVICES.EXE Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,M
ssenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,Wmi
236 LSASS.EXE Svcs: PolicyAgent,SamSs
360 Smc.exe Svcs: SmcService
432 svchost.exe Svcs: RpcSs
460 spoolsv.exe Svcs: Spooler
492 ccEvtMgr.exe Svcs: ccEvtMgr
604 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
620 hidserv.exe Svcs: HidServ
648 Navapsvc.exe Svcs: navapsvc
696 regsvc.exe Svcs: RemoteRegistry
756 mstask.exe Svcs: Schedule
832 WinMgmt.exe Svcs: WinMgmt
892 explorer.exe Title: Program Manager
924 svchost.exe Svcs: wuauserv
784 svchost.exe Svcs: BITS
1160 gsicon.exe Title: GlobeSpan Cpl Target Window
1184 dslagent.exe Title: DSLAGENT
1196 ccApp.exe Title: Norton AntiVirus
1244 qttask.exe Title: 4d8
1268 winampa.exe Title:
1288 internat.exe Title:
1296 msnmsgr.exe Title: MSN Today
1344 NkvMon.exe Title: Nikon Monitor
1304 mpbtn.exe Title: btbbButton
1448 CMD.EXE Title: C:\WINNT\system32\cmd.exe
1548 NTVDM.EXE
1368 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
@="SearchRepPP Class"
"CLSID"="{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Group/user settings:


User: [TSERING\Tsering Mellor], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group TSERING\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

»»ACLs list:
C:\junk Everyone:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F

ERROR: There are no more files.


»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Wed May 26 15:43:35 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\DOCUME~1\TSERIN~1\MYDOCU~1\Find-All\winBackup.hiv
A C:\DOCUME~1\TSERIN~1\MYDOCU~1\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows




Logfile of HijackThis v1.97.7
Scan saved at 15:46:29, on 26/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gsicon.exe
C:\WINNT\system32\dslagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Documents and Settings\Tsering Mellor\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7900.3720601852
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...296/mcfscan.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://by2fd.bay2.ho...ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA1E18BF-A1B9-424B-8C2A-70A6B5D6AEF3}: NameServer = 194.74.65.69 194.72.9.38

Cheers

#4 freeatlast

Posted 26 May 2004 - 10:00 AM

I see the problem...

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
@="SearchRepPP Class"
"CLSID"="{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}"

But we don't have the file name...

Search for this file:
C:\WINNT\system32\msdhmd.dll

And post back if found.

Download this registry search tool:

http://freeatlast.10....com/Search.zip

Unzip.
Run the NewregSrch.vbs file.
On the first prompt: "how many items.."
type: 2
On first search item copy and paste:
SearchRepPP
On second, type:
{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}

It will run for a while and subsequently open a report.
Copy and post it here.
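The registry entry singled out above is a MIME filter registered for text/html, which means Internet Explorer passes HTML pages through that class before displaying them. As an added example (not part of the original thread, and not the Find-All or NewregSrch tooling), this parses a REGEDIT4 dump of PROTOCOLS\Filter and reports any filter that is missing from a baseline or whose CLSID differs from it. The baseline here is an assumption: it is simply the set of filters in this thread's dump that the helper did not flag.

```python
import re

# Constructed sample: a subset of the PROTOCOLS\Filter dump from the Find-All log above.
SAMPLE_DUMP = r"""REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
@="SearchRepPP Class"
"CLSID"="{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
"""

FILTER_ROOT = "HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\"

# Assumption: baseline taken from the unflagged filters in this thread's dump;
# build a real one from a known-clean machine of the same OS and IE version.
BASELINE = {
    "class install handler": "{32B533BB-EDAE-11D0-BD5A-00AA00B92AF1}",
    "deflate": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "gzip": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "lzdhtml": "{8F6B0360-B80D-11D0-A9B3-006097942311}",
    "text/webviewhtml": "{733AC4CB-F1A4-11D0-B951-00A0C90312E1}",
}

SECTION = re.compile(r"^\[(?P<key>.+)\]$")
VALUE = re.compile(r'^(?P<name>@|"[^"]+")="(?P<data>.*)"$')


def parse_filters(dump):
    """Map each MIME type under PROTOCOLS\\Filter to its registry values."""
    filters, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        sec = SECTION.match(line)
        if sec:
            key = sec.group("key")
            current = None  # values outside the filter subtree are ignored
            if key.upper().startswith(FILTER_ROOT.upper()):
                current = filters.setdefault(key[len(FILTER_ROOT):].lower(), {})
            continue
        val = VALUE.match(line)
        if val and current is not None:
            current[val.group("name").strip('"').lower()] = val.group("data").strip()
    return filters


def unexpected_filters(dump, baseline=BASELINE):
    """Return (mime, class_name, clsid) for filters absent from, or differing from, baseline."""
    hits = []
    for mime, vals in sorted(parse_filters(dump).items()):
        clsid = vals.get("clsid", "").upper()
        if baseline.get(mime) != clsid:  # unknown MIME type or swapped CLSID
            hits.append((mime, vals.get("@", ""), clsid))
    return hits
```
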

#5 freeatlast

Posted 26 May 2004 - 10:52 AM

This should fix it.

Download:
http://freeatlast.10...earchRepFix.zip
Unzip.
Close all browser windows!
DoubleClick on the 'Fix.bat' file inside!
Restart computer!
DoubleClick again on the 'Fix.bat' (since some files may have been in use).

Consider it all gone! ;)

Edited by freeatlast, 26 May 2004 - 10:53 AM.


#6 john615

Posted 26 May 2004 - 11:49 AM

Here's the report. I couldn't find the dll file though. I ran fix.bat as well but it didn't seem to do anything. Also I've noticed that Windows Media Player won't run. Is that connected? Thanks

------------------------------------------------------

REGEDIT4
; NewRegSrch.vbs © Bill James

; Registry search results for string "SearchRepPP" 26/05/2004 17:40:39

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP]
@="SearchRepPP Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP\CurVer]
@="Searchrep.SearchRepPP.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP.1]
@="SearchRepPP Class"
------------------------------------------------------

REGEDIT4
; NewRegSrch.vbs © Bill James

; Registry search results for string "{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}" 26/05/2004 17:43:29

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

#7 freeatlast

Posted 26 May 2004 - 10:07 PM

wmplayer not connected to this.

But before, on your very first information Find-All log this was spotted:

»»Wmplayer version:
? C:\Program Files\Windows Media Player\wmplayer.exe

Check in program files. The file may have been corrupted or 'replaced'.
There are several pests that do that!
If the version was not retrieved that is likely to be the case.
You can reinstall it or overwrite the file with
a valid copy of wmplayer.exe from the dllcache folder.

As for searchrep, you still have the registry keys for some reason.
Just delete them manually.
Go to Start/run/type
regedit
Scroll up, highlight the My Computer folder.
Use the find/find next and type searchrep into the search box.
When found, locate these subfolders and delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP.1

If you still have problems, post another
hijackthis log and another Find-All log.

Edited by freeatlast, 26 May 2004 - 10:13 PM.




