Hijackthis.log to be read to get rid of about:blank

Hi, about:blank has taken over my homepage. Don't know how it got onto my machine. Can someone tell me what to get rid of from this log, which I got from the HijackThis software?

Thanks in advance. shak

Logfile of HijackThis v1.99.1
Scan saved at 9:09:03 PM, on 2/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WinIogon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\system\lsvchost.exe
C:\WINDOWS\System32\ldbyehij.exe
C:\WINDOWS\System32\systcpm.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINDOWS\blah.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\xqyvrhovbs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Shak\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = formatting link
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Shak\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\WinIogon.exe
F3 - REG:win.ini: run=tgikuwdeufy.exe, ocgptgcpw.exe, ocwpiha.exe, jcyicrqxjcicr.exe, omrxgao.exe, mlsqtxtdjnhiv.exe, jehdu.exe, anrhctbxfcymu.exe, ixfe.exe, pjnogytodbwmn.exe, yljfskxb.exe, oxrdvshell.exe, pfxbmculn.exe, exromosx.exe, gsirxd.exe, vkxtoxcx.exe, xqyvrhovbs.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Shak\Application Data\Mozilla\Profiles\default\m0o2rdr1.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SideStep Browser Helper - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {AD30A5B2-87C6-45D1-A150-76BDEE393C9E} - C:\WINDOWS\System32\fhla.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [EPSON Stylus C84 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P32 "EPSON Stylus C84 Series (Copy 1)" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] ldbyehij.exe
O4 - HKLM\..\Run: [System32 TCP Manager] systcpm.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\WinIogon.exe
O4 - HKLM\..\Run: [blah] C:\WINDOWS\blah.exe /nomsg
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Shak\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] ldbyehij.exe
O4 - HKLM\..\RunServices: [System32 TCP Manager] systcpm.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft WinUpdate] ldbyehij.exe
O4 - HKCU\..\Run: [System32 TCP Manager] systcpm.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL= formatting link
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - formatting link
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - formatting link
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - formatting link
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lads.is.lmco.com
O17 - HKLM\Software\..\Telephony: DomainName = lads.is.lmco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{070F32A3-6DA0-4FE3-BDB8-F1941F0A1BE2}: Domain = lads.is.lmco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lads.is.lmco.com
O18 - Filter: text/html - {8F1677D9-FBAB-4B98-BBF1-C953746E3B4A} - C:\WINDOWS\System32\fhla.dll
O18 - Filter: text/plain - {8F1677D9-FBAB-4B98-BBF1-C953746E3B4A} - C:\WINDOWS\System32\fhla.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Reply to
shak
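An added example for readers working through a log like the one above (this is not code from the original post and not part of HijackThis): a small Python triage script that re-splits entries that were run together when the log was pasted, then flags the patterns that stand out in this log: a Search Bar served via res:// from a DLL in the Temp folder, an extra program chained onto system.ini Shell=, a long win.ini run= list, a BHO with no name, autostarts by bare file name, rundll32 loading a DLL from a user-writable directory, file names that imitate Windows binaries (WinIogon.exe with a capital I, lsvchost.exe), and MIME filters on text/html and text/plain. The sample lines are copied from the posted log; the list of imitated system names, the directory pattern, the edit-distance trick and the thresholds are this example's own assumptions. The output is a review list, not a verdict: a legitimate bare-name entry such as the ATI ones in the log would be flagged too.

```python
"""Triage heuristics for a pasted HijackThis (HJT) log.

Added example, not code from the original post or from HijackThis: it
re-splits entries that were run together when the log was pasted and
flags the patterns visible in the log above. Sample lines are copied from
the posted log; the name list, regexes and thresholds are this example's own.
"""
import re

# Windows binaries that malware likes to imitate (subset; assumption of this example).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "smss.exe"}

# Directories a legitimate autostart almost never launches from.
USER_WRITABLE = re.compile(r"\\(temp|documents and settings|docume~1|unzipped)\\", re.I)

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Lines copied from the posted log (constructed sample: line 6 has two entries run together).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Shak\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\WinIogon.exe
F3 - REG:win.ini: run=tgikuwdeufy.exe, ocgptgcpw.exe, ocwpiha.exe, xqyvrhovbs.exe
O2 - BHO: (no name) - {AD30A5B2-87C6-45D1-A150-76BDEE393C9E} - C:\WINDOWS\System32\fhla.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] ldbyehij.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\WinIogon.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Shak\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {8F1677D9-FBAB-4B98-BBF1-C953746E3B4A} - C:\WINDOWS\System32\fhla.dll
"""


def parse_entries(log_text):
    """Return (kind, body) tuples; HJT prints one entry per line but pastes often merge them."""
    flat = re.sub(r"\s+(?=(?:R\d|F\d|N\d|O\d{1,2}) - )", "\n", log_text)
    entries = []
    for line in flat.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def _one_edit_away(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def near_system_name(exe_name):
    """Return the Windows binary this file name imitates, or None.

    Catches the I/l homoglyph (WinIogon.exe with a capital I is not winlogon.exe)
    and one-character edits (lsvchost.exe vs svchost.exe).
    """
    folded = exe_name.replace("I", "l").lower()
    if folded in SYSTEM_NAMES:
        return None if exe_name.lower() == folded else folded
    return next((real for real in SYSTEM_NAMES if _one_edit_away(folded, real)), None)


def triage(log_text):
    """Return (kind, reason, body) for every entry a reviewer should look at first."""
    findings = []
    for kind, body in parse_entries(log_text):
        low = body.lower()
        if kind.startswith("R") and "res://" in low and USER_WRITABLE.search(body):
            findings.append((kind, "IE search/start page served from a DLL in a temp dir", body))
        elif kind == "F2" and "shell=" in low and low.split("shell=", 1)[1].strip() != "explorer.exe":
            findings.append((kind, "extra program chained onto system.ini Shell=", body))
        elif kind == "F3" and "run=" in low and low.count(".exe") >= 3:
            findings.append((kind, "many executables in win.ini run=", body))
        elif kind == "O2" and "(no name)" in low:
            findings.append((kind, "BHO registered without a name", body))
        elif kind == "O4":
            target = body.split("]", 1)[-1].strip().strip('"')  # text after the [label]
            exe = re.search(r"([\w.~-]+\.(?:exe|dll))", target, re.I)
            imitated = near_system_name(exe.group(1) if exe else "")
            if imitated:
                findings.append((kind, f"file name imitates {imitated}", body))
            elif "rundll32" in low and USER_WRITABLE.search(body):
                findings.append((kind, "rundll32 loading a DLL from a user-writable dir", body))
            elif exe and not re.search(r"[:\\]", target):
                findings.append((kind, "autostart by bare file name (resolved via PATH)", body))
        elif kind == "O18" and "text/" in low:
            findings.append((kind, "MIME filter hooks every text/html or text/plain response", body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}\n     {body}")
```

Run it as a script to see the nine flagged entries from the sample, or call triage() on a full pasted log. The homoglyph fold is deliberately narrow (only I/l); a production tool would also normalise O/0 and check the directory the binary runs from against where the real one lives.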

Dear Shak: It's amazing what an HJT log can reveal! You can always delete 'about:blank' by exposing your hidden/system files and then looking for it in your c:\ root directory and then in your ..\system32 folder (WinXP). That, however, will do you no good. Basically, your browser as well as your OS have been infected with spyware. Your ports have been usurped! You should never allow unknown third-party BHOs, especially search bars, to exploit your internet browser. What you'll have to do now is reinstall your operating system, because, more than likely, your local restore points have been corrupted. One thing you might try, however, is downloading, updating, and then running 'Spybot Search & Destroy' if you can still access the net for a user-opted download, though that's not likely. Make sure you use your computer's OEM disk if you decide to reinstall. Also, I don't see any legitimate virus/malware protection. What happened?! Garth

Reply to
Garth

You need to find the appropriate NG for your post. There is one but I don't know the name of it.

Duane :)

Reply to
Duane Arnold

On 21 Feb 2005 18:20:38 -0800, shak spoketh

formatting link
Lars M. Hansen
formatting link
'badnews' with 'news' in e-mail address)

Reply to
Lars M. Hansen

You should format the drive and reinstall the operating system. If you can't do that yourself please find someone else who can.

Jason

Reply to
Jason Edwards

Send your HijackThis output to the analyzer on the following page:

formatting link
As you can see, your computer is totally taken over by a myriad of malware, viruses and other creepy stuff. about:blank is the least of all your problems. If you look at

formatting link

151.203.236.78, then you can see that recently your computer started sending tons of e-mails out (spam, most likely). Even if this conclusion is not 100% certain, as this IP address may have been used by someone else before you in the last couple of days, your symptoms (all that malware) point strongly to your computer.

There is really no other safe solution than to take this computer off the internet immediately, take a Windows CD, boot from that CD, let Setup reformat your drive and start a fresh installation. Activate the firewall before you connect the computer to the internet for the first time. Close all incoming ports with the firewall. Then go to Windows Update before you do anything else. Install all updates available. In particular I recommend installing SP2. Cycle through the reboot/update process until there are no more updates available.

With that much stuff running on your computer it is virtually impossible to get it completely cleaned. Anything else would be irresponsible. Your computer in this state may be used to distribute music or other stuff you don't even want to think of. There have been cases where the police knocked on people's doors because their computer was infested with malware and someone started spreading p*rn from their computer.

Please, please reinstall the machine. I know there are people who may tell you to just run this anti-virus scanner and clean everything, then run this anti-malware tool and do the same. These programs work on pretty normal, average malware, but in your case you don't know what has already happened and which malware used which other malware's backdoor to establish yet another backdoor...

Gerald

Reply to
Gerald Vogt

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.