About:blank

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

xjamiex

Thread Starter
Joined
Feb 2, 2005
Messages
7
Hi!
My homepage keeps changing to about:blank. I don't know why. I keep changing it back to the correct homepage but it won't stay for very long. Also when I start up my computer, there is something over my wallpaper, some kind of warning, you're in danger etc. Also everytime I start Internet Explorer I have a couple links in my favorites that I didn't add. And I get desktop shortcuts to Freepics and Secure Yourself. I don't know where all these came from but they just started yesterday. I ran Adaware and Spybot SD and they keep finding things but it doesn't help.
I saw some info about this problem but I'm VERY computer illiterate and I couldn't really follow it.
Any help would be SO greatly appreciated.
Thanks!!
-Jamie
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
go to here and download 'Hijack This!' self extracter. double click on the file and it will self extract to C:\program files\hijackthis.
Go to that folder then doubleclick the Hijackthis.exe
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

xjamiex

Thread Starter
Joined
Feb 2, 2005
Messages
7
Here is my Hijack This File:

Logfile of HijackThis v1.99.0
Scan saved at 2:43:55 PM, on 2/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\kernels32.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Castelle\FaxPress\FaxTray.Exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pn.exe
C:\PROGRA~1\Citrix\ICACLI~1\Wfcrun32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\explorer.exe
C:\WINNT\iplr.exe
C:\WINNT\d3ce.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Castelle\FaxPress\Faxmain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jorozco\Local Settings\Temporary Internet Files\Content.IE5\GVDFYYNT\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\qlubs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\qlubs.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {74C7113B-BBFB-3956-1721-47A7E10DA6FB} - C:\WINNT\system32\winsj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CstlFaxTray] C:\Program Files\Castelle\FaxPress\FaxTray.Exe /s
O4 - HKLM\..\Run: [FPEXCNVT] C:\Program Files\Castelle\FaxPress\ExCnvt.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels32.exe
O4 - HKLM\..\Run: [A.tmp] C:\DOCUME~1\jorozco\LOCALS~1\Temp\A.tmp.exe 0 28129
O4 - HKLM\..\Run: [C.tmp] C:\DOCUME~1\jorozco\LOCALS~1\Temp\C.tmp.exe 0 28129
O4 - HKLM\..\Run: [tibs5] C:\WINNT\system32\tibs5.exe
O4 - HKLM\..\Run: [C.tmp.exe] C:\DOCUME~1\jorozco\LOCALS~1\Temp\C.tmp.exe 0 28129
O4 - HKLM\..\Run: [d3ce.exe] C:\WINNT\d3ce.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [iplr.exe] C:\WINNT\iplr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BorawskiInsurance.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E14FA94-20D9-4379-84F5-1F24492E8515}: NameServer = 192.168.104.125,66.203.70.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BorawskiInsurance.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E14FA94-20D9-4379-84F5-1F24492E8515}: NameServer = 192.168.104.125,66.203.70.10
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = BorawskiInsurance.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{1E14FA94-20D9-4379-84F5-1F24492E8515}: NameServer = 192.168.104.125,66.203.70.10
O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Network Security Service - Unknown - C:\WINNT\system32\sdkri32.exe (file missing)
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Before you start, please unzip or move hijackthis to a separate folder. The program will make backups in the folder it's in.
These easily get lost in a Temp folder or in the root of C: or get scattered all over the desktop and we need to empty the temp folders to remove the hijackers and as HJT is in the temp folder it will get removed when we start to clean up

That is why I said get the self extracter because it automatically puts it in program files

When you have moved it then repost a new log and we'll clean you up
 

xjamiex

Thread Starter
Joined
Feb 2, 2005
Messages
7
Hi Derek,
I hope I did this right.... I did download 2 different HJT's, one was the one you told me to download, and I unzipped it, and as far as I can tell it is in Program Files, but I downloaded another one too because I didn't think I did the first one right. SOrry! Here's my new HJT log, and sorry if it's wrong again, but thanks for your help!
Logfile of HijackThis v1.99.0
Scan saved at 3:20:10 PM, on 2/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\kernels32.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Castelle\FaxPress\FaxTray.Exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pn.exe
C:\PROGRA~1\Citrix\ICACLI~1\Wfcrun32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\explorer.exe
C:\WINNT\iplr.exe
C:\WINNT\d3ce.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Castelle\FaxPress\Faxmain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jorozco\Local Settings\Temporary Internet Files\Content.IE5\GVDFYYNT\HijackThis[1].exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\qlubs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\qlubs.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {74C7113B-BBFB-3956-1721-47A7E10DA6FB} - C:\WINNT\system32\winsj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CstlFaxTray] C:\Program Files\Castelle\FaxPress\FaxTray.Exe /s
O4 - HKLM\..\Run: [FPEXCNVT] C:\Program Files\Castelle\FaxPress\ExCnvt.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels32.exe
O4 - HKLM\..\Run: [A.tmp] C:\DOCUME~1\jorozco\LOCALS~1\Temp\A.tmp.exe 0 28129
O4 - HKLM\..\Run: [C.tmp] C:\DOCUME~1\jorozco\LOCALS~1\Temp\C.tmp.exe 0 28129
O4 - HKLM\..\Run: [tibs5] C:\WINNT\system32\tibs5.exe
O4 - HKLM\..\Run: [C.tmp.exe] C:\DOCUME~1\jorozco\LOCALS~1\Temp\C.tmp.exe 0 28129
O4 - HKLM\..\Run: [d3ce.exe] C:\WINNT\d3ce.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [iplr.exe] C:\WINNT\iplr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BorawskiInsurance.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E14FA94-20D9-4379-84F5-1F24492E8515}: NameServer = 192.168.104.125,66.203.70.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BorawskiInsurance.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E14FA94-20D9-4379-84F5-1F24492E8515}: NameServer = 192.168.104.125,66.203.70.10
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = BorawskiInsurance.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{1E14FA94-20D9-4379-84F5-1F24492E8515}: NameServer = 192.168.104.125,66.203.70.10
O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Network Security Service - Unknown - C:\WINNT\system32\sdkri32.exe (file missing)
 

xjamiex

Thread Starter
Joined
Feb 2, 2005
Messages
7
Hi I was wondering if someone could help. I haven't heard from the original guy who was helping me in a couple days and I'm not sure what to do.
Thanks!
-Jamie
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Sorry you seem to have dropped off the notification list so I didn't get an email that said you had replied

Read all these instructions carefully, Print them out and download all the things mentioned before starting

First download CWshredder from http://www.intermute.com/spysubtract/cwshredder_download.html and install it and update it, DO not run it yet
Also
Click here to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

Download pocket killbox from Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

Now boot into safe mode

How to start your computer in safe mode

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qlubs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\qlubs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\qlubs.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {74C7113B-BBFB-3956-1721-47A7E10DA6FB} - C:\WINNT\system32\winsj.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels32.exe
O4 - HKLM\..\Run: [A.tmp] C:\DOCUME~1\jorozco\LOCALS~1\Temp\A.tmp.exe 0 28129
O4 - HKLM\..\Run: [C.tmp] C:\DOCUME~1\jorozco\LOCALS~1\Temp\C.tmp.exe 0 28129
O4 - HKLM\..\Run: [tibs5] C:\WINNT\system32\tibs5.exe
O4 - HKLM\..\Run: [C.tmp.exe] C:\DOCUME~1\jorozco\LOCALS~1\Temp\C.tmp.exe 0 28129
O4 - HKLM\..\Run: [d3ce.exe] C:\WINNT\d3ce.exe

O4 - HKLM\..\RunOnce: [iplr.exe] C:\WINNT\iplr.exe

O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing)

O23 - Service: Network Security Service - Unknown - C:\WINNT\system32\sdkri32.exe (file missing)


now run killbox and paste each of these lines into the box, select standard file delete then press the red X button,say yes to the prompt then continue to paste the lines in in turn and follow the above procedure every time,

C:\WINNT\qlubs.dll
C:\WINNT\system32\winsj.dll
C:\WINNT\system32\kernels32.exe
C:\DOCUME~1\jorozco\LOCALS~1\Temp\A.tmp.exe
C:\DOCUME~1\jorozco\LOCALS~1\Temp\C.tmp.exe
C:\WINNT\system32\tibs5.exe
C:\WINNT\d3ce.exe
C:\WINNT\iplr.exe
C:\WINNT\svchost.exe
C:\WINNT\system32\sdkri32.exe



Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

then Run Cwshredder
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.


then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

then Go to Start > Run and type %temp% in the Run box, press OK . The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.

then go to C:\windows\temp and select EVERYTHING except temporary internet files, cookies and history folders and delete all that and then do the same for C:\temp

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then
Run adaware

Download and unzip or install this program/application if you haven't already got it. If you have it, then make sure it is updated and configured as described

AdAware SE from http://www.lavasoft.de/support/download
and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml
and run it before the main adaware scan and follow it's directions
Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least SE1R26 25.01.2005 or a higher number/later date

Set up the Configurations as follows:

General Button
Safety:
Check (Green) all three.

Click on "Proceed"

Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click on "Scan Now"

Run the scanner using the Full Scan (Perform full system scan) mode.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

NOW REBOOT

Run an online antivirus check from
http://housecall.trendmicro.com/

Make sure autoclean is ticked

reboot again

These hijackers are known to alter or delete certain files so check this out please:

Download the Hoster from here . UnZip the file and run hoster then press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the System32 folder to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache
Find shell.dll and right click on it. Choose Copy from the menu.
Open System32 and right click on an empty space in the window. Choose Paste from the menu.


control.exe may have been deleted.
See if control.exe is present in C:\winnt\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.


download http://www.mvps.org/winhelp2002/DelDomains.inf and place it of desktop
right click the file and select install, that will reset the trusted zone domains that have been wrongly placed there

Then post a new hijackthis log to check please
 

xjamiex

Thread Starter
Joined
Feb 2, 2005
Messages
7
Hi Derek,
I just tried to download aboutbuster but it asked me to choose a program to open it with and I don't know which one I should use.
Thanks!
-Jamie
 

xjamiex

Thread Starter
Joined
Feb 2, 2005
Messages
7
Hi Derek!
It keeps telling me that the aboutbuster database is either corrupt or missing and to download a new one.
-Jamie
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
I think I've twigged it

make sure you save the file before trying to unzip it

right click the link in my first instructions and select save target as or save link as and then save it to your desktop, then unzip it
 

xjamiex

Thread Starter
Joined
Feb 2, 2005
Messages
7
Hi Derek,
I still can't get the the aboutbuster to work but I'm going to have to try this again on monday because I'm leaving now. Thanks so much for your help, though.
-Jamie
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top