ckeer
I hope this helps:
- try these steps
Download and run Spybot and Adaware - both have free versions
Spybot Search and destroy- http://www.safer-networking.org/en/index.html
Adaware- http://www.lavasoftusa.com/software/adaware/
Popup prevention- switch to Mozilla or Firefox from
Mozilla- http://www.mozilla.org/
(Also free)
There are several threads in this section of GS on Mozilla and Fire Fox
WordWolf
Homepage hijackers are often spyware, so Spybot-S&D should tackle it.
Remember to UPDATE your AdAware and Spybot-S&D.
Also, Spybot's shareware-it's nice to send them a few bucks if they save
your machine.
Also also, Spybot has an "Immunization" function. Switch that mutha on.
Yes, using Mozilla, Opera or FireFox as your browser sidesteps most of those.
I just keep IE around as a backup, and use FireFox. Its user interface is VERY
similar to IE. FireFox 0.92 is the latest iteration, I hear.
The Registry Keys thread has some links, including at least one link to an
online virus scanner/remover. Give your system the once-over at least monthly,
even if you ARE running an antivirus program.
Steve!
Also find a Browser Hijack Blaster.
pawtucket
Kit,
I have had success with a program called HIJACKTHIS.EXE. Check on Google for download sites. Run it in safe mode and it clears much of the hijacked browser problems.
If that doesn't work, there is another program called ABOUTBUSTER that is great. I will look that up for you in the morning. There is also a forum that helps you with the problem. I just don't have the info at hand right now, but will post it all tomorrow.
Kit Sober
Thank you so very much.
Kit Sober
Would you be able to post a link to download?
Fred's IE is messed up and puts a bunch of gobbledegook when I hit the download link on spybot website.
WordWolf
Spybot S & D direct download link.
http://kujoe.com/freeware/spybot.php
Run it, then update it, then activate the
immunize function (the corner of bricks),
then run it again.
Kit Sober
Thanks. I turned on my pc, went to page, wrote down the download page address, turned off my pc, turned on fred's pc, typed in address, and it took me to page.
Such a deal, but spyware from download.com is running.
What's the difference between the four places you can download from?
kit
pawtucket
just 4 choices. It was meant to give you an alternate if one place doesn't respond.
Kit Sober
ran spybot (122 files deleted) and spydoctor 2.1 (12 more deleted) and hijack.exe.
Here is the log:
Logfile of HijackThis v1.98.1
Scan saved at 9:24:07 AM, on 8/6/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:WINDOWSSYSTEMKERNEL32.DLL
C:WINDOWSSYSTEMMSGSRV32.EXE
C:WINDOWSSYSTEMmmtask.tsk
C:WINDOWSSYSTEMMPREXE.EXE
C:WINDOWSSYSTEMMSTASK.EXE
C:WINDOWSSYSTEMSSDPSRV.EXE
C:WINDOWSSYSTEMMDM.EXE
C:PROGRAM FILESCOMMON FILESAOLACSACSD.EXE
C:WINDOWSEXPLORER.EXE
C:WINDOWSSYSTEMRESTORESTMGR.EXE
C:WINDOWSTASKMON.EXE
C:WINDOWSSYSTEMSYSTRAY.EXE
C:PROGRAM FILESROXIOEASY CD CREATOR 6DRAGTODISCDRGTODSC.EXE
C:PROGRAM FILESTHUNK DATE WINTONSMEMO.EXE
C:WINDOWSSYSTEMWMIEXE.EXE
C:PROGRAM FILESAMERICA ONLINE 9.0AOLTRAY.EXE
C:PROGRAM FILESAOL COMPANIONCOMPANION.EXE
C:WINDOWSSYSTEMSPOOL32.EXE
C:WINDOWSSYSTEMTAPISRV.EXE
C:WINDOWSSYSTEMDDHELP.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYPCCIOMON.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYPCCPFW.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYTMPROXY.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYPCCLIENT.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYPCCGUIDE.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYTMOAGENT.EXE
C:PROGRAM FILESAMERICA ONLINE 9.0WAOL.EXE
C:PROGRAM FILESAMERICA ONLINE 9.0SHELLMON.EXE
C:PROGRAM FILESAMERICA ONLINE 9.0AOLWBSPD.EXE
C:WINDOWSSYSTEMRNAAPP.EXE
C:WINDOWSRUNDLL32.EXE
C:WINDOWSTEMPORARY INTERNET FILESCONTENT.IE5GHAJ0LQVHIJACKTHIS[1]HIJACKTHIS.EXE
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://look-today.com/searchbar.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://look-today.com/searchbar.html
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://look-today.com/searchbar.html
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://look-today.com/searchbar.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://look-today.com/searchbar.html
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://look-today.com/searchbar.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
O2 - BHO: (no name) - {89B28CC7-CCEC-4A0A-9F21-F555DC7C42CD} - (no file)
O2 - BHO: Windows OleServer - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:WINDOWSSYSTEMMSMK.DLL (file missing)
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:WINDOWSUDPMOD.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:PROGRAM FILESADOBEACROBAT 6.0READERACTIVEXACROIEHELPER.DLL
O2 - BHO: (no name) - {64818568-29E0-487B-8355-352595A9919A} - C:WINDOWSSYSTEMKIKFAD.DLL
O2 - BHO: holejoybase - {A0315BB8-C7F3-5DCF-35D6-668B0E65AF11} - C:PROGRAM FILESFAST THEGRIMERROR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSYSTEMMSDXM.OCX
O3 - Toolbar: DentMeet - {9423BB96-BEB0-4960-9066-CE077B7382A1} - C:PROGRAM FILESFAST THEGRIMERROR.DLL
O4 - HKLM..Run: [scanRegistry] C:WINDOWSscanregw.exe /autorun
O4 - HKLM..Run: [TaskMonitor] C:WINDOWStaskmon.exe
O4 - HKLM..Run: [PCHealth] C:WINDOWSPCHealthSupportPCHSchd.exe -s
O4 - HKLM..Run: [systemTray] SysTray.Exe
O4 - HKLM..Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..Run: [projselector] "C:Program FilesCommon FilesRoxio SharedProject Selectorprojselector.exe" -r
O4 - HKLM..Run: [RoxioEngineUtility] "C:Program FilesCommon FilesRoxio SharedSystemEngUtil.exe"
O4 - HKLM..Run: [RoxioDragToDisc] "C:Program FilesRoxioEasy CD Creator 6DragToDiscDrgToDsc.exe"
O4 - HKLM..Run: [RoxioAudioCentral] "C:Program FilesRoxioEasy CD Creator 6AudioCentralRxMon.exe"
O4 - HKLM..Run: [Type readme] C:PROGRA~1THUNKD~1Tonsmemo.exe
O4 - HKLM..Run: [pccguide.exe] "C:Program FilesTrend MicroInternet Securitypccguide.exe"
O4 - HKLM..Run: [PCCIOMON.exe] "C:Program FilesTrend MicroInternet SecurityPCCIOMON.exe"
O4 - HKLM..Run: [PCClient.exe] "C:Program FilesTrend MicroInternet SecurityPCClient.exe"
O4 - HKLM..Run: [TM Outbreak Agent] "C:Program FilesTrend MicroInternet SecurityTMOAgent.exe" /run
O4 - HKLM..RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..RunServices: [schedulingAgent] mstask.exe
O4 - HKLM..RunServices: [*StateMgr] C:WINDOWSSystemRestoreStateMgr.exe
O4 - HKLM..RunServices: [sSDPSRV] C:WINDOWSSYSTEMssdpsrv.exe
O4 - HKLM..RunServices: [Machine Debug Manager] C:WINDOWSSYSTEMMDM.EXE
O4 - HKLM..RunServices: [AolAcsDaemon1] "C:PROGRAM FILESCOMMON FILESAOLACSACSD.EXE"
O4 - HKLM..RunServices: [PCCIOMON.exe] "C:Program FilesTrend MicroInternet SecurityPCCIOMON.exe"
O4 - HKLM..RunServices: [PccPfw] C:Program FilesTrend MicroInternet SecurityPccPfw.exe
O4 - HKLM..RunServices: [tmproxy] C:Program FilesTrend MicroInternet Securitytmproxy.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:Program FilesAmerica Online 9.0aoltray.exe
O4 - Startup: AOL Companion.lnk = C:Program FilesAOL Companioncompanion.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:PROGRA~1MESSEN~1MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:PROGRA~1MESSEN~1MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:WINDOWSSYSTEMShdocvw.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:MAIN.MHT!http://d.dialer2004.com//tv/main.chm::/load.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLMSystemCCSServicesVxDMSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {EDD4D320-8415-40CF-A658-781F63120D95} - C:WINDOWSSYSTEMKIKFAD.DLL
O18 - Filter: text/plain - {EDD4D320-8415-40CF-A658-781F63120D95} - C:WINDOWSSYSTEMKIKFAD.DLL
And the Windows explorer page is still the page with the address "about.blank", and it keeps coming back, even if I type another address.
WordWolf
I normally prefer to use less popular sites other than Download.com
if there's alternatives, since that one's bound to have more
traffic.
In the case of the URL I gave you, it has a shorter URL, so I spent
the least time typing. :D
Kit Sober
can I search for "about.blank" and delete it? ? ?
WordWolf
Here's something else.
You don't need the internet connection open for this.
Open IE.
Hit "tools" "internet options" "general" and read the homepage
address. If it's not the one you want, try typing the homepage
manually there.
================
While working this one out, I recommend the following step.
Download FireFox and use that until you have IE cleaned out.
http://ftp.mozilla.org/pub/mozilla.org/fir...Setup-0.9.2.exe
It's nearly identical to IE in terms of commands, and can
carry over your favourites in one command.
That's the latest version as of today.
Then you can use the internet fine while you work on this
problem. :)
In fact, you'll probably want to clean up IE and retain it as a
backup program, and use FireFox as your primary program.
pawtucket
Kit,
If you are getting About:blank, that is a good thing.
If you go to the TOOLS menu and then Internet Options, in the top box (Home Page) you can type in what you want as a home page.
If the computer is rebooting and About:Blank is coming up, then you may have gotten rid of the monster. I will look at the Hijackthis printout and let you know which ones to delete, if any.
Put in a web site, like Google and then reboot and see if it comes back as your home page after you reboot.
Kit Sober
Thank you most kind Pawtucket.
about.blank doesn't even wait until reboot to come back.
Even if I put in a most wonderful place like GSCAFE.com, it comes back with this "about.blank" which isn't about.blank, but about blankety-blank in about 10 seconds.
WordWolf
When you try to manually change the homepage,
what's the URL that is in the space for the homepage?
Kit Sober
It doesn't matter what url I type into the space for the homepage, about.blank comes up after 5 seconds or so.
WordWolf
So, what is the URL that is displayed in that line when you open the
homepage address as specified above in a previous post?
We ARE trying to figure out how to help you. I understand you're
frustrated, but getting evasive will get you no closer to a solution.
I still say download FireFox while trying to work this out.
================
There's other things you can do, but I don't want to just start shouting
ideas randomly.
Steve!
about:blank is just sort of a placeholder, that one is kind of meaningless. A lot of popups start out with about:blank.
What's the page that opens AFTER that? because if you wait a few seconds, a new page loads.
pawtucket
Steve! and WW
It comes up About:blank and then automatically loads a few seconds later the other stuff.
Kit:
Run Hijack this again and take out the files that I put an X next to.
C:WINDOWSSYSTEMKERNEL32.DLL
C:WINDOWSSYSTEMMSGSRV32.EXE
C:WINDOWSSYSTEMmmtask.tsk
C:WINDOWSSYSTEMMPREXE.EXE
C:WINDOWSSYSTEMMSTASK.EXE
C:WINDOWSSYSTEMSSDPSRV.EXE
C:WINDOWSSYSTEMMDM.EXE
C:PROGRAM FILESCOMMON FILESAOLACSACSD.EXE
C:WINDOWSEXPLORER.EXE
C:WINDOWSSYSTEMRESTORESTMGR.EXE
C:WINDOWSTASKMON.EXE
C:WINDOWSSYSTEMSYSTRAY.EXE
C:PROGRAM FILESROXIOEASY CD CREATOR 6DRAGTODISCDRGTODSC.EXE
C:PROGRAM FILESTHUNK DATE WINTONSMEMO.EXE
C:WINDOWSSYSTEMWMIEXE.EXE
C:PROGRAM FILESAMERICA ONLINE 9.0AOLTRAY.EXE
C:PROGRAM FILESAOL COMPANIONCOMPANION.EXE
C:WINDOWSSYSTEMSPOOL32.EXE
C:WINDOWSSYSTEMTAPISRV.EXE
C:WINDOWSSYSTEMDDHELP.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYPCCIOMON.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYPCCPFW.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYTMPROXY.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYPCCLIENT.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYPCCGUIDE.EXE
C:PROGRAM FILESTREND MICROINTERNET SECURITYTMOAGENT.EXE
C:PROGRAM FILESAMERICA ONLINE 9.0WAOL.EXE
C:PROGRAM FILESAMERICA ONLINE 9.0SHELLMON.EXE
C:PROGRAM FILESAMERICA ONLINE 9.0AOLWBSPD.EXE
C:WINDOWSSYSTEMRNAAPP.EXE
C:WINDOWSRUNDLL32.EXE
C:WINDOWSTEMPORARY INTERNET FILESCONTENT.IE5GHAJ0LQVHIJACKTHIS[1]HIJACKTHIS.EXE
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = Xhttp://look-today.com/searchbar.html
XR1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = Xhttp://look-today.com/searchbar.html
XR1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = Xhttp://look-today.com/searchbar.html
XR1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = Xhttp://look-today.com/searchbar.html
XR1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = Xhttp://look-today.com/searchbar.html
XR0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = Xhttp://look-today.com/searchbar.html
XR1 - HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
XR1 - HKLMSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
XO2 - BHO: (no name) - {89B28CC7-CCEC-4A0A-9F21-F555DC7C42CD} - (no file)
XO2 - BHO: Windows OleServer - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:WINDOWSSYSTEMMSMK.DLL (file missing)
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:WINDOWSUDPMOD.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:PROGRAM FILESADOBEACROBAT 6.0READERACTIVEXACROIEHELPER.DLL
O2 - BHO: (no name) - {64818568-29E0-487B-8355-352595A9919A} - C:WINDOWSSYSTEMKIKFAD.DLL
XO2 - BHO: holejoybase - {A0315BB8-C7F3-5DCF-35D6-668B0E65AF11} - C:PROGRAM FILESFAST XTHEGRIMERROR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSYSTEMMSDXM.OCX
XO3 - Toolbar: DentMeet - {9423BB96-BEB0-4960-9066-CE077B7382A1} - C:PROGRAM FILESFAST XTHEGRIMERROR.DLL
O4 - HKLM..Run: [scanRegistry] C:WINDOWSscanregw.exe /autorun
O4 - HKLM..Run: [TaskMonitor] C:WINDOWStaskmon.exe
O4 - HKLM..Run: [PCHealth] C:WINDOWSPCHealthSupportPCHSchd.exe -s
O4 - HKLM..Run: [systemTray] SysTray.Exe
O4 - HKLM..Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..Run: [projselector] "C:Program FilesCommon FilesRoxio SharedProject Selectorprojselector.exe" -r
O4 - HKLM..Run: [RoxioEngineUtility] "C:Program FilesCommon FilesRoxio SharedSystemEngUtil.exe"
O4 - HKLM..Run: [RoxioDragToDisc] "C:Program FilesRoxioEasy CD Creator 6DragToDiscDrgToDsc.exe"
O4 - HKLM..Run: [RoxioAudioCentral] "C:Program FilesRoxioEasy CD Creator 6AudioCentralRxMon.exe"
O4 - HKLM..Run: [Type readme] C:PROGRA~1THUNKD~1Tonsmemo.exe
O4 - HKLM..Run: [pccguide.exe] "C:Program FilesTrend MicroInternet Securitypccguide.exe"
O4 - HKLM..Run: [PCCIOMON.exe] "C:Program FilesTrend MicroInternet SecurityPCCIOMON.exe"
O4 - HKLM..Run: [PCClient.exe] "C:Program FilesTrend MicroInternet SecurityPCClient.exe"
O4 - HKLM..Run: [TM Outbreak Agent] "C:Program FilesTrend MicroInternet SecurityTMOAgent.exe" /run
O4 - HKLM..RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..RunServices: [schedulingAgent] mstask.exe
O4 - HKLM..RunServices: [*StateMgr] C:WINDOWSSystemRestoreStateMgr.exe
O4 - HKLM..RunServices: [sSDPSRV] C:WINDOWSSYSTEMssdpsrv.exe
O4 - HKLM..RunServices: [Machine Debug Manager] C:WINDOWSSYSTEMMDM.EXE
O4 - HKLM..RunServices: [AolAcsDaemon1] "C:PROGRAM FILESCOMMON FILESAOLACSACSD.EXE"
O4 - HKLM..RunServices: [PCCIOMON.exe] "C:Program FilesTrend MicroInternet SecurityPCCIOMON.exe"
O4 - HKLM..RunServices: [PccPfw] C:Program FilesTrend MicroInternet SecurityPccPfw.exe
O4 - HKLM..RunServices: [tmproxy] C:Program FilesTrend MicroInternet Securitytmproxy.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:Program FilesAmerica Online 9.0aoltray.exe
O4 - Startup: AOL Companion.lnk = C:Program FilesAOL Companioncompanion.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:PROGRA~1MESSEN~1MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:PROGRA~1MESSEN~1MSMSGS.EXE
XO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:WINDOWSSYSTEMShdocvw.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:MAIN.MHT!http://d.dialer2004.com//tv/main.chm::/load.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLMSystemCCSServicesVxDMSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {EDD4D320-8415-40CF-A658-781F63120D95} - C:WINDOWSSYSTEMKIKFAD.DLL
O18 - Filter: text/plain - {EDD4D320-8415-40CF-A658-781F63120D95} - C:WINDOWSSYSTEMKIKFAD.DLL
Try those.
Here is the page I promised you. I have already gone ahead and put your hijackthis file up there. I should get a response sometime in the next day or so.
http://computercops.biz/forum67.html
When you run hijackthis, run it in safe mode. The way to get to safe mode is to start up the computer and click on F8 every second or so from the initial start up and you will get a screen that will give you some options; pick safe mode at the top (not safe mode with networking and NOT safe mode prompt).
And take two aspirin and let me know what happens :)
Steve!
All I'm saying is that the About:blank page is irrelevant - it's a common occurrence with popups, both malignant and benign.
WordWolf
I'm stepping aside and letting the heavyweights tackle this one.
Kit Sober
thanks for your help.
about.blank keeps popping back up, no matter when.
I have put the whole kit-n-kaboodle on hold. I think the hard drive needs to be reformatted.
I'm printing this out if he wants to follow any of your wonderful suggestions.
It's Fred's pc, and I'm letting him fix it.
Thanks, again. Learning is such an exciting adventure, and we sure are learning from this one.
Kit
An Apple a Day
Paw, you missed this one. Most likely the cause of most of the problems:
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:MAIN.MHT!http://d.dialer2004.com//tv/main.chm::/load.exe
This one is called "TrojanDownloader/dropper.Win32.Small.cw"
Its whole purpose in life is to retrieve and install additional files, when run. Most will be configured to retrieve files/images from a designated web or FTP site. Notice the "dialer2000" website part of it, probably "adult content" is associated with it. Do you see the /load.exe?
I would suggest checking that O16 entry as well for fixing while in safe mode. If it (the browser hijacking) does not go away, a number of file deletions and registry editing might be in order. This one is probably getting loaded at boot. There are a number of other bed-bugs present as well (such as odd browser helper objects (BHOs)). But will let you drive the bus.
Also very very important
C:WINDOWSTEMPORARY INTERNET FILESCONTENT.IE5GHAJ0LQVHIJACKTHIS[1]HIJACKTHIS.EXE
One last thing, never run Hijackthis from a "temp file"; always make a folder, preferably on your root directory (i.e. c:\hijackthis), put the program exe in it and run it from there.
Reason being is that Hijackthis does make a backup should you need to put back what you deleted/fixed. If you run it from a temp file you will lose everything when you reboot.
Now back to your regularly scheduled program....
Edited by kazzoo
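A first-pass triage of a HijackThis log along the lines the replies above take (BHOs with no file behind them, the odd O16 entry, HijackThis started from Temporary Internet Files), added here as an example and not posted by anyone in the thread. The sample log is constructed from entries in Kit's log with backslashes written out, and the function names and heuristics are assumptions; the result is a list of entries to look at, not a list of entries to delete.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on entries in the thread's log; backslashes are
# written as a real HijackThis log shows them, and the EXAMPLE folder is made up.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\EXAMPLE\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://look-today.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {89B28CC7-CCEC-4A0A-9F21-F555DC7C42CD} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//tv/main.chm::/load.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \(.*?\))? - (.*)$")


def parse_log(text):
    """Split a log into running-process paths and (code, body) entries."""
    processes, entries = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        match = ENTRY_RE.match(line)
        if match:
            entries.append(match.groups())
        elif PROCESS_RE.match(line):
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (code, reason, detail) tuples for a person to review.

    These are illustrative heuristics, not verdicts and not HijackThis logic.
    """
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        if "\\temporary internet files\\" in path.lower():
            findings.append(("PROC", "runs from the browser cache", path))
    for code, body in entries:
        if code in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            host = urlsplit(value.strip()).hostname
            if host:  # about:blank and empty values have no host
                findings.append((code, "IE setting points at " + host, key))
        elif code == "O2" and (m := BHO_RE.match(body)):
            name, clsid, target = m.groups()
            if target == "(no file)" or target.endswith("(file missing)"):
                findings.append((code, "BHO registered without a file", clsid))
            elif name == "(no name)":
                findings.append((code, "unnamed BHO", clsid))
        elif code == "O16" and (m := DPF_RE.match(body)):
            clsid, source = m.groups()
            scheme = source.split(":", 1)[0].lower()
            reasons = []
            if scheme not in ("http", "https"):
                reasons.append("codebase scheme is " + scheme)
            if source.lower().endswith(".exe"):
                reasons.append("codebase is an .exe")
            if reasons:
                findings.append((code, "; ".join(reasons), clsid))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:5} {reason}: {detail}")
```

An unnamed BHO is only a prompt to look closer: in the log above, Spybot's own SDHelper.dll is also listed as "(no name)".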