0

Hi,
I have that bloody Blank Trusted start Page. I feel a bit stupid about not starting a new thread but tagging on last nite. :o I followed Crunchies detailed and greatly appreciated instructions and here is my HijackThis log.

Logfile of HijackThis v1.98.2
Scan saved at 9:18:35 PM, on 28/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\acer\KnobService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Aspire\WFTVFM\WFWIZ.exe
C:\acer\KnobMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\SpyBlocker Software\spyblocker.exe
C:\WINDOWS\System32\csrs.exe
C:\WINDOWS\System32\bling.exe
C:\index.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by iPrimus
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [SSER] sser.exe
O4 - HKLM\..\Run: [Aspire Schedule] C:\Program Files\Aspire\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [Microsoft Security Management] csrs.exe
O4 - HKLM\..\Run: [MSNMSGR5] bling.exe
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] csrs.exe
O4 - HKLM\..\RunServices: [MSNMSGR5] bling.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\POPUPCOP\popupcop.dll/imagenew
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/113a9ba4f3e94f738702/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

4
Contributors
4
Replies
5
Views
13 Years
Discussion Span
Last Post by deonnanicole
0

Hi,
I have that bloody Blank Trusted start Page.

These are the bad processes:

C:\WINDOWS\System32\csrs.exe
C:\WINDOWS\System32\bling.exe
C:\index.exe

You are going to have to stop these processes before going further, because they deliberately interfere with the tools neded to deal with them. For example, Task Manager and Regedit are probably disabled while they run.

Fortunately, there are alternative tools available, including CodeStuff Starter and PrcView. Either of them should work; Starter has a "nicer" interface.

Once those processes are stopped, get rid of the following (use HijackThis to check these off and "fix checked"):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by iPrimus
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SSER] sser.exe
O4 - HKLM\..\Run: [Microsoft Security Management] csrs.exe
O4 - HKLM\..\Run: [MSNMSGR5] bling.exe
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] csrs.exe
O4 - HKLM\..\RunServices: [MSNMSGR5] bling.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/113a9ba...ip/RdxIE601.cab

Once fixed, use the Windows Find function to track down the files and remove them. The IgfxTray utility can be replaced by the better MultiRes.

0

hey guys...my name is rafael and i have the same problem this guy had...

i dont know exactly where to start, i tried what this guy did, but as i looked for the processes that are supposed to be "stopped" i couldnt find them and i also wouldnt know what it would mean to "stop" them...

i'm sorry if i seem clueless, but uhm, i kinda just found this page by searchin for information on the "trusted start page", i figured if you guys helped this guy out, maybe you could help me out?

do you mind? where should i start?

0

Hi Romanflux...the first thing you should do is start your own thread and post a hijackthis log there. By tagging on to someone else's thread, it causes confusion and your problem may not get the attention it deserves. You might also consider running Adaware and Spybot scans and letting them fix what they find. Reboot and scan with Hijackthis (version 1.98.2), being sure all other browser windows are closed when you do so. Then post your log in your own thread. :)

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.