Jump to content


Photo

Newbie Hijacked (homepage is about:blank) - HELP!!


  • Please log in to reply
3 replies to this topic

#1 shirak23

shirak23

    Member

  • New Member
  • Pip
  • 2 posts

Posted 03 June 2004 - 11:00 PM

I'm pulling my hair out over this. I've tried everything! Spybot, various virus checkers, trojan removers. I've got to a point where nothing is detected on my system, but this homepage thing is still happening. There was one virus checker that said my svchost.exe file was infected in my Windows/Downloaded Programs Folder, but I can't find it. Anyway, here's my "Hijack This" report, can anyone help me?!?!?!

Logfile of HijackThis v1.97.7
Scan saved at 7:03:01 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\system32\svchosd.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Grisoft\AVG6\avgcc32.exe
D:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe
D:\Program Files\Adaptec\Wireless Utility\ADUSBCFG.exe
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F0 - system.ini: Shell=Explorer.exe svchosd.exe
F2 - REG:system.ini: Shell=Explorer.exe svchosd.exe
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PMXInit] D:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [DesktopX] "D:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe"
O4 - HKLM\..\RunOnce: [Q814995] rundll32.exe apphelp.dll,ShimFlushCache
O4 - Global Startup: Adaptec Wireless USB Adapter v2.5 Utility.lnk = D:\Program Files\Adaptec\Wireless Utility\ADUSBCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

I've tried deleting the registry parts I know are problematic AND the O1 - Hosts: 213.159.117.235 auto.search.msn.com part, but it keeps coming back.

Thanks!

#2 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 04 June 2004 - 11:00 PM

Hi shirak23
Close all browsers and rerun HJT. Check and click fix checked for the following-
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F0 - system.ini: Shell=Explorer.exe svchosd.exe
F2 - REG:system.ini: Shell=Explorer.exe svchosd.exe
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

Reboot a couple of times, play around for a bit and then post another log.

#3 shirak23

shirak23

    Member

  • New Member
  • Pip
  • 2 posts

Posted 05 June 2004 - 02:27 PM

Hey there OlTramp,
THANKS! :D That worked!!! Here's my new hijackthis log (I changed my internet startpage to news.bbc.co.uk, that's what that listing is). I was going out of my mind, so once again thank you!!!

Logfile of HijackThis v1.97.7
Scan saved at 12:22:13 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Grisoft\AVG6\avgcc32.exe
D:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe
D:\Program Files\Adaptec\Wireless Utility\ADUSBCFG.exe
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PMXInit] D:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [DesktopX] "D:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe"
O4 - Global Startup: Adaptec Wireless USB Adapter v2.5 Utility.lnk = D:\Program Files\Adaptec\Wireless Utility\ADUSBCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 05 June 2004 - 08:41 PM

You are welcome. Glad we could help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button