
about:blank - hijacked


27 replies to this topic

#1 iltis


Posted 22 June 2004 - 04:46 PM

Hi,
for a few days my IE starts with about:blank (Search for...) no matter what starting page I've set before. At the same time my net connection slowed down extremely!
Ad-aware & Spybot did not help. Please give me some instructions how to get rid of that! Thanks.

Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 23:30:18, on 2004.06.22.
Platform: Windows XP Szervizcsomag 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\ctfmon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\pruzo\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\pruzo\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\pruzo\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\pruzo\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\pruzo\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\pruzo\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {7C62771B-A1B7-453A-9EAA-E1E2B2DD16F7} - C:\WINDOWS\System32\mmg.dll
O3 - Toolbar: &Rádió - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportálás Microsoft Excel formátumba - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8051.5118287037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 docghost


Posted 22 June 2004 - 05:41 PM

I have the same trouble. Is there anything I can do?
Thanks

#3 iamahoosier


Posted 22 June 2004 - 05:54 PM

i have same problem- keep resetting my home page- getting pop ups telling me internet explorer has spy
i've run spybot and reg cleaner
HELP :grrr:

#4 cherrish


Posted 22 June 2004 - 06:09 PM

(sorry bad english) i have got the same problem (about blank), but i have it a bit under control now i think.
i have used CWshredder (found on google) and deleted the first "software"
then i did a hijackthis on my computer and saved a log file.
and i use spysweeper so i am protected and you can restore your homepage by adding it in one of the tabs. so you can use your internet now normal.
the only (bad) thing is, i don't know how to get rid of it completely, cause it keeps coming back, i do a check with sweeper every day and he will find it back every day.
so it seems that it is deep down in my computer i think.
i have made a logfile with hijack this, maybe someone knows if there is still something in my computer and what i should remove.
i have put one file "out of order", it looked weird i thought, maybe someone knows if it belongs to my computer or not.
it's a: nwiz-quitlyinstall...... file.
i have read in another forum that it belongs to windows, but others said that it is spy or something.

Logfile of HijackThis v1.97.7
Scan saved at 23:28:47, on 22-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Eigenaar\Mijn documenten\My eBooks\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A696EA93-1C02-4CB5-9F84-9C799CECB151} - C:\WINDOWS\System32\hjklda.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


i hope somebody can tell me what to do with all this.

#5 sights0d


Posted 22 June 2004 - 06:16 PM

Well... first, I know that we're supposed to not post our hijack files on other folks' threads... but be-that-as-it-may,

I've got the same problem and I've noticed that we all have that temp/sp.html file in common and I KNOW it's not supposed to be there. I'm going to have a look around. Remember that these folks get probably a couple hundred of idiots like me every day with these problems. I'm sure someone's beaten it.

#6 jojo


Posted 22 June 2004 - 06:27 PM

sights0d and all of you guys pleaaaaaase help me, i've been struggling with the same problem and it seems that my log is very similar to yours. i have tried everything: ad-aware, spy-bot, spy-sweeper, CWshredder.....nothing helps it keeps coming back...

i hope there is a solution out there somewhere!!!!

thanks...in advance....i hope

#7 sights0d


Posted 22 June 2004 - 06:29 PM

sights0d and all of you guys pleaaaaaase help me, i've been struggling with the same problem and it seems that my log is very similar to yours. i have tried everything: ad-aware, spy-bot, spy-sweeper, CWshredder.....nothing helps it keeps coming back...

i hope there is a solution out there somewhere!!!!

thanks...in advance....i hope

Well... I see seraphim here and he's the only one I know who's conquered it. TELL US, OH GREAT ONE!!!

#8 cherrish


Posted 22 June 2004 - 06:36 PM

i am sorry for the log file. i hope someone can give us the solution, i am becoming mad from this "thing".
i am still seeing it in my log, seems he never disappears.
thousand thanks if one can help.

#9 cherrish


Posted 22 June 2004 - 06:54 PM

okay i just have got the solution from some one from belgium.
if your logfile has the same files like mine, you must delete the following files in "hijack this":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
and this one:
O2 - BHO: (no name) - {A696EA93-1C02-4CB5-9F84-9C799CECB151} - C:\WINDOWS\System32\hjklda.dll
after deleting them, you reboot your system and test again in "hijack this"
mine was clean at last!!!!!!

#10 sights0d


Posted 22 June 2004 - 07:06 PM

WHOA!!! HOLD ON!!!

Remember that this )(&#@)$&(!~!!! is generating random registry names...

Check all those items that end in temp/sp.html fix those.

Now... the item in my comp was named gshm and it was in my system folder in the 04 section on HJT. Find the item in your system folder that is newest (view it by date). It's probably the culprit, especially if it's been within the last day or so. Check him and delete his butt.

I'm clean now. WOOHOO!!! :wave:

I only had to get rid of one item aside from those sp.html files.

Good luck!

Trust me. Don't screw your registry up unless you're SURE you know what to do.

Edited by sights0d, 22 June 2004 - 07:08 PM.


#11 jojo


Posted 22 June 2004 - 07:06 PM

AHHHHHHHHHHHHHHHHH this thing is killing me.....I had the same "sp.html" as cherrish but not the ".dll"?????

what to do ????

#12 jojo


Posted 22 June 2004 - 07:17 PM

hey sights0d i couldnt find that file.....what shall i do???

im almost tempted to format my stupid hard drive!!!!

#13 sights0d


Posted 22 June 2004 - 07:19 PM

AHHHHHHHHHHHHHHHHH this thing is killing me.....I had the same "sp.html" as cherrish but not the ".dll"?????

what to do ????

It randomly generates the file name. I'd go into the system folder and find the newest files. It should have been modified the last time you deleted the sp files. That's the bad boy.

#14 sights0d


Posted 22 June 2004 - 07:21 PM

AHHHHHHHHHHHHHHHHH this thing is killing me.....I had the same "sp.html" as cherrish but not the ".dll"?????

what to do ????

It randomly generates the file name. I'd go into the system folder and find the newest files. It should have been modified the last time you deleted the sp files. That's the bad boy.

Jojo... pm me your HJT log. I'll look it over. I'm no expert, but maybe I can help you.

#15 jojo


Posted 22 June 2004 - 07:22 PM

i dont know if i'm being an idiot or not (please excuse me if i am), by system folder you're implying windows/system? the latest modified file dates back to 2002..

im lost!

#16 jojo


Posted 22 June 2004 - 07:24 PM

here it is.....

i have already deleted the sp. lines and rebooted


Logfile of HijackThis v1.97.7
Scan saved at 8:23:24 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Documents and Settings\Johans\Desktop\FreeRAM XP Pro 1.40.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\setup.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Johans\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro2004.com/index.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Johans\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macr...are/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1087766319343
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7903.3950578704
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.madonion...lobal/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab

#17 sights0d


Posted 22 June 2004 - 07:24 PM

i dont know if i'm being an idiot or not (please excuse me if i am), by system folder you're implying windows/system? the latest modified file dates back to 2002..

im lost!

Just post your HJT log. The file you're looking for is the most recent in the windows/system folder. On your HJT file it'll probably say no name at the beginning... Like mine said

O2 - BHO: (no name) - {CAA618A3-C3A6-11D8-8AE8-00500AB1BAF8} - C:\WINDOWS\SYSTEM\GAHI.DLL



#18 sights0d


Posted 22 June 2004 - 07:28 PM

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro2004.com/index.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

These ones are suspicious. Find the files associated with them (by navigating to them) and check their last activity by getting the properties on the actual file.

BTW, this'll screw up your MS Media player, so you'll have to re-download it.

O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
are especially suspicious because of the "no name" on them.

#19 sights0d


Posted 22 June 2004 - 07:34 PM

Great. Never mind. Mine came back :grrr: :techsupport: I'm going back to work on it. BTW... has anyone else had any luck downloading ad aware?

#20 cherrish


Posted 22 June 2004 - 07:36 PM

yes i have it, full version (ad aware)

Edited by cherrish, 22 June 2004 - 07:37 PM.


#21 jojo


Posted 22 June 2004 - 07:37 PM

hey sights0d i have ad aware...how do u want it?

i guess it's back to the drawing board for us!!

#22 sights0d


Posted 22 June 2004 - 07:42 PM

hey sights0d i have ad aware...how do u want it?

i guess it's back to the drawing board for us!!

I'll send you an email address via email through this board.

#23 sights0d


Posted 22 June 2004 - 08:51 PM

Problem solved once I ran ad aware with the newest update. Hopefully it'll stay that way. It ran a bit slowly at first, but I ran MSconfig and unclicked some processes.

#24 tacolover


Posted 22 June 2004 - 08:57 PM

i just registered to the site because this post fixed my computer.

remove all the log entries that refer to the location mentioned earlier. if your .dll file does not match the one above, which mine didn't, i checked the box for .dll file that was located in the system32 folder like the other. i fixed those entries and i rebooted and scanned again. i received the same log but i had a different .dll file but in the same system 32 folder. i checked all the boxes again including the new .dll file and fixed those. after rebooting and scanning again i found the problem was solved and i got my homepage back again. any questions feel free to e-mail me for any clarity if needed.

#25 sights0d


Posted 22 June 2004 - 09:10 PM

i just registered to the site because this post fixed my computer.

remove all the log entries that refer to the location mentioned earlier. if your .dll file does not match the one above, which mine didn't, i checked the box for .dll file that was located in the system32 folder like the other. i fixed those entries and i rebooted and scanned again. i received the same log but i had a different .dll file but in the same system 32 folder. i checked all the boxes again including the new .dll file and fixed those. after rebooting and scanning again i found the problem was solved and i got my homepage back again. any questions feel free to e-mail me for any clarity if needed.

I did the same thing and it wasn't there even after restarting twice, but it came back anyway. Trust me. the ad aware worked wonders.

#26 docghost


Posted 24 June 2004 - 02:05 PM

After reading that Ad-Aware helps I tried to download Ad-Aware from download.com and was unable to download the program. Any suggestions?

#27 coooka


Posted 24 June 2004 - 02:19 PM

HELP! HELP! HELP!
THIS ABOUT:BLANK BROWSER HIJACK IS A SON OF A B!!
I CAN'T SEEM TO SHAKE IT NO MATTER WHAT I DO.. ADAWARE,CWSSHREDDER.. YOU NAME IT.
CAN SOMEONE PLEASE HELP ME.
I FEEL LIKE TOSSING MY COMPUTER OUT OF THE WINDOW.
THANKS, -C

#28 found-kept


Posted 24 June 2004 - 02:31 PM

If you don't have the dll mentioned in other posts you probably have this one: adgbg.dll
That's the one that creates the registry entries and the sp.html file.
You'll probably have to delete it in safe-mode.
You must delete this file before making cautious changes to your registry and deleting the sp.html file.
Search your registry for all references to the file and delete them. Then delete references to sp.html

Please be cautious with your registry. An updated version of Ad-aware will also be able to find this ware and fix the problems
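
Added example (not part of any post in this thread): a small Python triage script for the pattern the posters describe, where the DLL name changes from machine to machine, so the entries are matched by shape rather than by file name. The two rules (an R0/R1 Internet Explorer setting pointing at a file:// path in a Temp folder, and a "(no name)" BHO whose DLL sits directly in the Windows system folder) are assumptions drawn from the logs above; a hit is a lead to verify, not a verdict. The sample lines are copied from the HijackThis logs posted in this thread.

```python
import ntpath
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "R1" or "O2"
    reason: str   # why the line was flagged
    target: str   # the file the entry points at


# "R1 - <registry key>,<value name> = <data>"
R_LINE = re.compile(
    r"^(?P<sec>R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$"
)
# "O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# A DLL sitting directly in the Windows system directory (not a subfolder).
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\system(32)?$", re.IGNORECASE)

# Lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro2004.com/index.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {A696EA93-1C02-4CB5-9F84-9C799CECB151} - C:\WINDOWS\System32\hjklda.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CAA618A3-C3A6-11D8-8AE8-00500AB1BAF8} - C:\WINDOWS\SYSTEM\GAHI.DLL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
"""


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match either heuristic, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = R_LINE.match(line)
        if m:
            data = m.group("data")
            low = data.lower()
            # IE search/start settings normally hold URLs, not local Temp files.
            if low.startswith("file://") and "\\temp\\" in low:
                findings.append(Finding(
                    m.group("sec"),
                    "IE setting '%s' points at a local file in a Temp folder"
                    % m.group("name"),
                    data[len("file://"):],
                ))
            continue

        m = O2_LINE.match(line)
        if m:
            path = m.group("path")
            in_system_dir = SYSTEM_DIR.match(ntpath.dirname(path)) is not None
            # "(no name)" alone also matches ordinary software installed under
            # Program Files, so it is combined with the DLL's location.
            if m.group("name") == "(no name)" and in_system_dir:
                findings.append(Finding(
                    "O2",
                    "unnamed BHO loaded from the Windows system folder",
                    path,
                ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s  %s\n    -> %s" % (f.section, f.reason, f.target))
```
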



