1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

About:Blank hijack

Discussion in 'Virus & Other Malware Removal' started by XThunderX, Apr 14, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. XThunderX

    XThunderX Thread Starter

    Joined:
    Apr 14, 2004
    Messages:
    5
    Is this clean?... my browser keeps changing to about:blank and I have used CWShredder a 100 times and it says it picks it up, but then doesn't delete anything.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:17:53 PM, on 4/14/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\Evan\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: TX4 - {00000000-0000-5DFC-5652-1705043F6518} - C:\WINDOWS\System32\audiosrv32.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
    O2 - BHO: (no name) - {2B782D72-0D9D-4797-B5F2-69407122A217} - C:\WINDOWS\System32\caiii.dll (file missing)
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - http://toolbar.isearch.com/general/drm.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38043.8121064815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi XThunderX

    Welcome to TSG! :)

    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank

    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

    O2 - BHO: TX4 - {00000000-0000-5DFC-5652-1705043F6518} - C:\WINDOWS\System32\audiosrv32.dll

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll

    O2 - BHO: (no name) - {2B782D72-0D9D-4797-B5F2-69407122A217} - C:\WINDOWS\System32\caiii.dll (file missing)

    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - http://toolbar.isearch.com/general/drm.cab


    Restart your computer.


    Go here and download Adaware 6 Build 181

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now and download the latest referencefiles.

    Make sure the following settings are made and on -------ON=GREEN

    From main window :Click Start then Activate in-depth scan (recommended)

    Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.


    Then go here and download Spybot Search & Destroy.

    Install the program and launch it.

    Before scanning press Online and Search for Updates .

    Put a check mark at and install all updates.

    Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

    Restart your computer.
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I have split your post off into your own thread. In the future if you have a Question/Problem please start a "New Thread". It get's too confusing trying to address two different people's problem in the same thread and you may get overlooked.
     
  4. XThunderX

    XThunderX Thread Starter

    Joined:
    Apr 14, 2004
    Messages:
    5
    So fare it seemed to have completely stoped the problem. Thank you very much for helping me, been trying to get ride of it for weeks :) .
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    My pleasure! :)

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
     
  6. XThunderX

    XThunderX Thread Starter

    Joined:
    Apr 14, 2004
    Messages:
    5
    It came back.... did everything you said, and it worked for a little bit, but then I got up in the morning it was back. Not sure how or why.. but figure I would tell you. I have scanned with "Ad-aware 6.0 professional", and scanend with the "Spybot - Search & Destroy" and they both show nothing now. Not sure how it isn't gone now.. but here is my hijackthis log to see if something is still there:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:48:41 PM, on 4/15/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\Evan\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kommfb.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kommfb.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kommfb.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kommfb.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kommfb.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kommfb.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409
    O2 - BHO: (no name) - {5C7F2455-D59F-4D40-BECA-7CBAB02B7E7E} - C:\WINDOWS\System32\kommfb.dll
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38043.8121064815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Another thing is I read somewhere to get ride of: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank.
    The Problem is when I get ride of it acouple seconds later it comes back.
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Ok I've got a fix for this that sould work. It will take several steps.

    Download this zip.

    http://www.zero.vulc4n.com/downloads/pv.zip

    unzip it to the desktop.

    Be sure to have at least 1 internet explorer window open.

    Double click on the runme.bat

    This will open a command window. In the command window enter the digit 1 by hitting the 1 key on your keyboard and then hit the Enter key.

    Notepad will open with a log in it. Please copy and paste the log into this thread.
     
  8. XThunderX

    XThunderX Thread Starter

    Joined:
    Apr 14, 2004
    Messages:
    5
    Here you go:

    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2600.0000 (xpclient.010817-1148) Windows Explorer
    ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
    kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
    ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 450560 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.109 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
    GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL
    USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL
    SHLWAPI.dll 772d0000 405504 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Light-weight Utility Library
    SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll
    ole32.dll 771b0000 1114112 C:\WINDOWS\system32\ole32.dll 5.1.2600.115 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
    SHDOCVW.dll 769c0000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
    UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
    d3d.dll 61c00000 61440 c:\windows\system32\d3d.dll
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
    appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
    CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    themeui.dll 5b630000 458752 C:\WINDOWS\System32\themeui.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Theme API
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
    MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.0 (xpclient.010817-1148) GDIEXT Client DLL
    USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
    netapi32.dll 71c20000 323584 C:\WINDOWS\System32\netapi32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL
    ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing
    ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
    SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
    RASAPI32.dll 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access API
    rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
    WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    TAPI32.dll 76eb0000 172032 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
    wininet.dll 76200000 618496 C:\WINDOWS\system32\wininet.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Extensions for Win32
    CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32
    MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
    NETSHELL.dll 75cf0000 1638400 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Shell
    credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.0 (xpclient.010817-1148) Credential Manager User Interface
    iphlpapi.dll 76d60000 86016 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API
    netman.dll 76de0000 155648 C:\WINDOWS\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager
    MPRAPI.dll 76d40000 90112 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
    ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
    adsldpc.dll 76e10000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
    SAMLIB.dll 71bf0000 69632 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
    WZCSvc.DLL 76da0000 196608 C:\WINDOWS\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service
    WMI.dll 76d30000 16384 C:\WINDOWS\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
    DHCPCSVC.DLL 76d80000 106496 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) DHCP Client Service
    DNSAPI.dll 76f20000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
    WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
    WINSTA.dll 76360000 61440 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
    msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer
    webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-1148) Web Site Monitor
    stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.0 (xpclient.010817-1148) Systray shell service object
    BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
    wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
    midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
    LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
    browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
    urlmon.dll 760f0000 491520 C:\WINDOWS\system32\urlmon.dll 6.00.2600.0000 (xpclient.010817-1148) OLE32 Extensions for Win32
    DUSER.dll 6c1b0000 274432 C:\WINDOWS\System32\DUSER.dll 5.1.2600.0 (xpclient.010817-1148) Windows DirectUser Engine
    printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.0 (XPClient.010817-1148) Print UI DLL
    WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
    CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
    MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
    ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
    SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
    rarext.dll 12c0000 167936 C:\Program Files\WinRAR\rarext.dll
    shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
    MSGINA.dll 75970000 987136 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon GINA DLL
    ODBC32.dll 1f7b0000 200704 C:\WINDOWS\System32\ODBC32.dll 3.520.7713.0 Microsoft Data Access - ODBC Driver Manager
    comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
    odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
    WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
    rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
    asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
    MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
    wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Ok here's the offending file I was looking for:

    d3d.dll 61c00000 61440 c:\windows\system32\d3d.dll

    If you do not already have it Click here to download CWShredder. UnZip the file, but do not run it yet.

    Now download TheKillbox from here:

    http://download.broadbandmedic.com/VbStuff/KillBox.zip

    Unzip the files to the folder of your choice.

    Now go offline and Do Not go back online until these procedures are completed.

    Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    c:\windows\system32\d3d.dll

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The c:\windows\system32\d3d.dll listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.




    Finally click on the cwshredder.exe and then click "Fix" (Not "Scan only") and let it do it's thing.

    When it is finished restart your computer.


    When you're back in windows, check to see if there's any change in the search problem and report back. Please also post a new Hijack This log. along with a new explorer.bat log.



    IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

    The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"
     
  10. XThunderX

    XThunderX Thread Starter

    Joined:
    Apr 14, 2004
    Messages:
    5
    Seems to be completely gone!, restarted after again and it didn't come back. This time looks like its gone for good :) . Haha I owe it all to you. Haha thank you for the time and effort in helping me. I can't thank you enough!
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    My pleasure! :)

    I'm going to leave this thread open. Please post back tomorrow and let us know if all is still well.

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/220514

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice