Hijacked: about:blank Homepage


1 reply to this topic

#1 Edger

Posted 23 June 2004 - 02:02 PM

I looked at the site, and didn't see the thing I'm getting, though there were a few similar ones (nasty ones, at that).

I have DLed Ad-aware, Spybot S&D, Hijackthis, and CWSShredder.
Ad-aware will occasionally find a CoolWebSearch recognition. None of the other programs do.

I have attempted to fix regedit, setting my homepage back to default, DLed Windows XP ActiveX security fix, fixed my ActiveX settings, etc. Still no work.

I have read the FAQ, and like I said, used Ad-aware and such. I have DLed the latest updates, to my knowledge, as I just installed XP on my computer yesterday at around noon, and DLed these programs early this morning (around 1-2 o'clock). I was up until 7:30 trying to get these buggers, to no avail.

I notice that I get a file called sp.html in C:\Documents and Settings\Administrator\Local Settings\Temp

Here's the HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 2:00:25 PM, on 6/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {69398CE8-BFC6-4F84-B1EC-7C4DF263EFFA} - C:\WINDOWS\System32\hdohig.dll
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{20401541-3CB8-4FE9-8FE6-920F772DF29F}: NameServer = 205.171.3.65 205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{20401541-3CB8-4FE9-8FE6-920F772DF29F}: NameServer = 205.171.3.65 205.171.2.65




Now I've got to go. I'm going to run another scan with Ad-aware and Spybot, reboot, and run CWD and HJT. Thanks in advance!



Edit: Rebooted in safe mode, ran Spy-ware, then rebooted again. Ran HJT again, removing everything from ignore list. New log:

Logfile of HijackThis v1.97.7
Scan saved at 2:37:33 PM, on 6/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuam.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe



Now I'll be heading out. I'll check regularly, but until I get help, I'm not going to so much as open another window.

Edited by Edger, 23 June 2004 - 02:40 PM.
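A triage sketch for the R-section of the logs posted above, as an added example that is not part of the original post and not HijackThis code: it parses the `R0`/`R1` lines and groups every Internet Explorer setting whose value is a `file://` URL under a Temp directory, which is the pattern the sp.html entries show. The sample lines are constructed in the same format as the log, and the function names and the Temp-directory heuristic are assumptions of this example.

```python
import re

# Constructed sample lines in the format of the HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
"""

# Shape of the R0/R1 lines in the log: "<code> - <key>,<value name> = <data>".
R_LINE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")

# Directory names treated as temp locations (assumption: long and 8.3 forms).
TEMP_PARTS = {"temp", "locals~1", "local settings"}


def parse_r_lines(log_text):
    """Yield (hive, value_name, data) for each R0/R1 line; other lines are skipped."""
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            hive = m.group("key").split("\\", 1)[0]
            yield hive, m.group("name").strip(), m.group("data").strip()


def is_local_temp_file(data):
    """True when an IE setting points at a file:// URL inside a Temp directory."""
    if not data.lower().startswith("file://"):
        return False
    parts = re.split(r"[\\/]+", data[len("file://"):].lower())
    # Look only at directory components, not the file name itself.
    return any(p in TEMP_PARTS for p in parts[:-1])


def local_temp_redirects(log_text):
    """Map each local temp target to the list of 'hive: setting' names using it."""
    hits = {}
    for hive, name, data in parse_r_lines(log_text):
        if is_local_temp_file(data):
            hits.setdefault(data.lower(), []).append(f"{hive}: {name}")
    return hits


if __name__ == "__main__":
    for target, settings in local_temp_redirects(SAMPLE_LOG).items():
        print(target, "<-", ", ".join(settings))
```

An `about:blank` start page is not flagged by this check, since that value on its own is also a normal user setting; the grouping only shows how many settings share one local file.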


#2 Edger

Posted 27 June 2004 - 11:31 AM

I had someone I know take it in to their work and they had the hard drive written zeroes to for me. Thankfully I got Norton installed this time, and the XP Security update. I'm re-downloading Spybot and Ad-aware. I should be installing a quality firewall later today.

Currently I think I have some sort of spyware, however. It's redirected me to some angelfire page. I can't find the link, otherwise I'd post it.

What can I do to prevent this spyware from getting on my computer? I go to the same sites I go to on the other computers in the house, and they don't get infected. It could be a program I have installed, such as MSN Messenger or AIM? I know AIM has spyware, but it's never done this before, for me.



