Options

about:blank or searchmeup

Hi,
Not the first and unlikely the last to get this.

Am being constantly redirected to about:blank which in most cases seems to be searchmeup etc. like previous posts- Internet explorer is disabled, so currently using Netscape. Had updated McAfee 7.0 and this cleared a few trojans etc, and used WindowWasher from Webroot, but to no avail.
Have installed Mcafee internet suite 6.0 since infected and although that was intially working, now it is not able to run Virus scan or to update virus definitions, but the firewall is working happily to tell me about everytime the virus tries to change my browser home page, which is about every 3 minutes..
"McAfee help" have not been any.
Just downloaded Ad-aware and this cleared 6 adwares

Here is the latest Hijack This file:
Logfile of HijackThis v1.97.7
Scan saved at 18:04:53, on 12/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Edd Pratt\My Documents\download progs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Edd Pratt\Application Data\Mozilla\Profiles\default\jc5jxrah.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A1A2E1AE-B5CA-4EDC-820C-31D7455DB6B4} - C:\WINDOWS\mrhop.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int339890.exe -auto
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE USB
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MISAggregator] C:\PROGRA~1\McAfee\MCAFEE~3\MisAgg.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Privacy Bar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38036.0759722222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks for any help.
Seriously considering formatting the whole hard drive, as have had enough!
Eduardo

Comments

  • mmonninmmonnin Centreville, VA
    edited May 2004
    The Obvoius ones I see are:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about_:blank

    Gonna have to leave it to the pros for anything else. But those above are bad.
  • DexterDexter Vancouver, BC Canada
    edited May 2004
    Do the ones mmonnin suggests. Make sure to boot up in SAFE MODE first. Also have HJT fix the following:

    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int339890.exe -auto

    (This is a known spyware re-installer file.)


    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

    (This file is bogus, and is used by several different viruses, which means you may have a virus.)


    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE

    (Just a couple of registration reminders - not necessary.)


    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe

    (Associated with known Trojan Viruses! Acts as a password stealer!)


    After fixing those in HJT, stay in SAFE MODE. Manually locate those files listed above, and move them to a new folder, call it Quarantine. Make a subfolder called "Exe's" and drop them in there. Then rename each from *.exe to *.xxx.

    Next, run a full virus scan in SAFE MODE (make sure you have first updated your virus defs in normal mode, do that step first before rebooting to safe mode.) Fix any virus problems found.

    Then reboot in normal mode, and see how things look. Come back and let us know, post a fresh HJT log if you like.

    Dexter...
  • edited May 2004
    Dexter - partial result.

    After did the above, also ran Adware, which still kept finding coolwebsearch, but now seems to have gone after a wash with Windowasher 5 with bleach.
    Virus scanner still finds win32.bmp which it says is adware, but now erased.
    Virus scanner and fire wall seem to be working.
    still get the about blank but can't redirect to an actual page.
    Seems to attempt to redirect every two or three minutes, which internet suite 6.0 blocks. Internet explorer won't load any pages still.

    Latest HJT:
    Logfile of HijackThis v1.97.7
    Scan saved at 21:02:02, on 13/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\QuickTime\qttask.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Edd Pratt\My Documents\download progs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Edd Pratt\Application Data\Mozilla\Profiles\default\jc5jxrah.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Edd Pratt\Application Data\Mozilla\Profiles\default\jc5jxrah.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE USB
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Privacy Bar (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38036.0759722222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Any more ideas.
    Must be a file that is not recognised by mcAfee virus scanner - or it is preventing virus scanner updating.

    Cheers,
    Eduardo
  • edited May 2004
    Dexter:
    Addition:
    Just updated Adware 6.0. picked up two more strings in the registry which it deleted, which were labelled about:blank. Restarted in safe mode and ran HJT. Log the same as in previous post.
    Booted up normally and everything works except:Still getting messages that something is still trying to redirect IE, but blocked by internet suite 6.0. IE still doesn't work.
    Default page for IE is:
    http://www.microsoft.com/isapi/redir.dll?prd=ie&clcid=0x0809&pver=6.0&ar=home
    but it won't load. No other page loads either.
    Maybe all I have to do is re-install IE now?
    Cheers,
    Eduardo
  • DexterDexter Vancouver, BC Canada
    edited May 2004
    OK, yu are going to need a few more tools...and by the way, virus scanners don't target this stuff, as they are not considered viruses.

    One is CWShredder: http://www.spywareinfo.com/~merijn/downloads.html

    Run that (from SAFE MODE) and kill anything it finds that is CW related.

    Then run HJT again in SAFE MODE. If these entries are still here, I recommend deleting them:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 127.0.0.1:8080

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Edd Pratt\Application Data\Mozilla\Profiles\default\jc5jxrah.slt\prefs.js)

    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Edd Pratt\Application Data\Mozilla\Profiles\default\jc5jxrah.slt\prefs.js)

    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

    Some of those first oines may be legit entires, but no problem, they will be easily resettable from within Netscape.

    Reboot normally and see what happens.

    If that does not solve it, there is a good fix just posted by another of our users here:
    http://www.short-media.com/forum/showthread.php?t=13743

    His fix was for Windows 98, but the methodology is sound and should be applicable to Windows XP. Try the steps he has outlined. If they do not work, there is a more complex method to try involving some Reg editing...but I would like to see if Varagon's solution works on XP.

    So, try the easy stuff I just listed: CW Shredder, kill a few values in HJT and see what happens. If that fails, please let me know and then try Varagon's method. If that fails, we'll take you to the harder method.

    Dexter...
  • edited May 2004
    Dexter,
    thanks for your work on this.
    Just found out that my virus scanner update was disabled so that even though it appeared to be checking for update files they were actually out of date. Got the files and manually installed update DAT files from mcafee site (for info in case anyone else is getting caught out the same.) and it found three trojans. Been through the whole cycle again, but still same problem - so will try above and let you know.
    Cheers,
    Eduardo
  • edited May 2004
    Result - no more about:blank or searchme up! :)

    Dexter thank for the work :Rocker: You is da MAN (or da CAAAT!)

    So for any other virus-ridden destitutes.
    Heres what I did:

    Had to download "Hyjack This" to post the logs; Download WebRoot "Windowswasher" Don't know if this helped but did it anyway; download CWshredder; downoad "Adware 6.0"; downloaded "Netscape navigator" so I could still use the internet.
    Downloaded the latest DAT virus files from mcafee and manually install (see the site instructions)

    In safe mode - ran
    cleared all temporary internet files and cookies,
    cleared Dexter's suggested logs from (both above posts above) in HJT,
    ran Adware
    ran Windowswasher,
    ran CWshredder,

    This allowed me to re-install and fix mcafee internet suite 6.0
    ran virus scan which cleared some trojans

    and then rebooted in normal mode.

    Now clear of about:blank and searchmenup

    Only glitch is that "msn" seem to be redirecting my IE to their web site if I change to my preferred yahoo home page - have they gone into the spyware business?!

    Also windows messenger not working.

    But if I don't run IE, which I can live without, now that I am using netscape navigator, then no problems - yet!

    Will leave it at that for the moment as I have had enough, unless you have any more ides.

    Cheers,
    So long and thanks for all the fish!
    Eduardo from Sunny Singapore.






    ,
  • DexterDexter Vancouver, BC Canada
    edited May 2004
    Post another HJT log so we can check on the MSN problem, and reinstall Messenger to try and get it working again.

    Dexter...
  • edited May 2004
    Dexter,
    latest HJT log:
    Logfile of HijackThis v1.97.7
    Scan saved at 22:32:25, on 14/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\QuickTime\qttask.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Edd Pratt\My Documents\download progs\HijackThis.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Edd Pratt\Application Data\Mozilla\Profiles\default\jc5jxrah.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Edd Pratt\Application Data\Mozilla\Profiles\default\jc5jxrah.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE USB
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Privacy Bar (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38036.0759722222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    eduardo
  • DexterDexter Vancouver, BC Canada
    edited May 2004
    On the MSN thing: you may just need to reset all values to get the entires back, then manually change the home page later.

    Go into Internet Explorer, Tools > Internet Options > Programs and click on "Reset Web Settings. Make sure that "Also reset my home page" is checked.

    This re-establishes all the default entries, and then you should be to overwrite them with your own choices later.

    Dexter...
  • KwitkoKwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Please post your log in its own thread to avoid confusion. Toxicgreen, I put your log here.
  • edited May 2004
    Dexter,
    Reset the home page as suggested then changed to my preferred page, but keeps resetting to MSN.
    Internet suite will then continue to alert me that home page is being reset enery three or four minutes,even if I don't keep changing it.
    Nothing left to clear with adware, virus scanner, and HJT log is the same as last.

    If when I start up - I don't go near IE, then the reset alerts don't happen, but as soon as I go open IE or change the settings via the control panel then it keepr resetting home page.

    Looking through the windows and system folders the only possible file that has similar name to previous erased adware is in the Prefetch file and that is: Wininet32.exe-00E98923.pf
    Could this be relevent?

    Cheers,
    Eduardo
  • DexterDexter Vancouver, BC Canada
    edited May 2004
    Hmmmm...that's a possibility. I just checked my prefetch and I don't have one of those. Try quaranting that file temporarily, reboot, and see what happens.

    If all else fails, do a repair re-install of IE.

    Dexter...
  • edited May 2004
    Finally sorted.
    Still had a virus, which was eluding detection by McAfee internet suite 6.0 via the normal program.
    Here is the help from McAfee

    Check for Viruses Using DailyScan
    Go to http://bin.mcafee.com/molbin/iss-loc/vso/cmdscan/dailyscan.zip
    A File Download box appears. Click OK.
    Save dailyscan.zip to your Desktop.
    Once downloaded, close all windows.
    Right-click dailyscan.zip on your desktop.
    Click Extract to or double-click the file and click Extract.
    In the "Extract to" field, type C:\SCAN
    Click Extract.
    Restart the computer in DOS mode (depending on your operating system).

    Win95/98 Users
    From the taskbar, click Start.
    Click Shutdown.
    Select Shutdown and click OK.
    Wait for the computer to shut down and turn off the computer.
    Turn the power back on and immediately begin pressing the F8 key on the
    keyboard once every second repeatedly.
    Note: If you get a keyboard or key stuck error press the F1 key to
    continue booting, then immediately begin pressing the F8 key repeatedly
    until the Windows Startup Menu appears.
    Select Safe Mode Command Prompt Only. Press the Enter key.
    The computer boots to a C:\ prompt.

    WinME Users

    From the taskbar, click Start. Click Shutdown.
    Select Shutdown and click OK. Wait for the computer to shut down and
    turn off the computer.
    Insert the Windows Millennium Startup Disk and turn on the computer.
    Note: If you cannot find your original Windows ME Startup Disk and need
    to create a new one, please check the windows helps for directions on
    creating a starup disk.
    A Windows Startup menu appears.
    Select the Command prompt and press Enter.
    When the computer is finished booting, the A:\ prompt appears.
    At the A:\ prompt, type C:Press Enter.

    Win2000/XP Users (FAT Partitions only)
    From the taskbar, click Start. Click Shutdown.
    Select Shutdown and click OK.
    Wait for the computer to shut down and turn off the computer.
    Turn the power back on. When you see the opening splash screen,
    Gateway, Compaq, whatever it says, hold down F8 key on the keyboard or hold
    down the Ctrl key.
    Note: On some computers if you press F8 too soon you'll get a keyboard
    error. If this happens press the F1 key to continue.
    The Windows 2000 (or XP) Advanced Options Menu appears.
    Choose Safe Mode with Command Prompt Only.
    Enter your username and password if necessary.
    At the prompt, type CD\ Press Enter. At the C:\ prompt, type CD SCAN
    Press the Enter key.
    At the C:\SCAN prompt, type SCAN /ADL /CLEAN /ALL /REPORT REPORT.TXT
    Press the Enter key.
    Note: The scanner will look at all files on all local drives and
    attempt to clean the files.
    An activity report called REPORT.TXT will also be created in the
    C:\DAILYS~1 directory.
    To view the report in DOS, type REPORT.TXT and press Enter.

    Once the scan finishes, exit DOS and restart the computer by pressing
    Ctrl+Alt+Del on your keyboard.
    Restart the computer, your system is now clean.



    This cleared out the following Proxy-agent trojan:
    C:\Documents and Settings\Edd Pratt\Application Data\Microsoft\sr64\sr32.dll

    Then re-ran in safe mode : WindowsWasher and adware 6.0 which seemed to pick up another anomoly in the registry "Alexa" Don't know if that had been unmasked by removing trojan or was something new.

    Latest HCT
    Logfile of HijackThis v1.97.7
    Scan saved at 22:39:06, on 17/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\QuickTime\qttask.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Edd Pratt\My Documents\download progs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://uk.yahoo.com"); (C:\Documents and Settings\Edd Pratt\Application Data\Mozilla\Profiles\default\jc5jxrah.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Edd Pratt\Application Data\Mozilla\Profiles\default\jc5jxrah.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE USB
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Privacy Bar (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38036.0759722222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Rather satisfyingly the first time my desired home page has been found!
    Seems clear.
    Good luck to everyone else.
    Cheers,
    Eduardo
  • edited May 2004
    Hello,

    I found the answer to fix the about_:blank virus. I got the virus on my computer about a week ago and tried everything. I finally found the solution: you need to run CWShredder in safe mode. Safe Mode being the key. I ran it in regular mode first and it didn't fix the problem, then I ran it in SAFE MODE and I haven't had a problem since. Give it a try and see what happens. Don't forget, run CWShredder in SAFE MODE.

    Link for CWShredder:

    http://www.spywareinfo.com/download.../CWShredder.exe

    Access Safe Mode by hitting F8 while computer is starting.
  • edited May 2004
    I'm having a similar problem. My home page keeps changing although I've run McAfee's Anti-Spyware and Hijack This. I kept a log from Hijack This. I'm new here so I didn't know if I could post here, or do I have to start a new thread to get help??
  • profdlpprofdlp The Holy City Of Westlake, Ohio
    edited May 2004
    ...I'm new here so I didn't know if I could post here, or do I have to start a new thread to get help??
    Start a new thread and we'll be happy to help you out. Welcome to Short-Media! :wave:
Sign In or Register to comment.