0

The problem is that my desktop (local page?) is blocked by a white page.
This line appears to be the culprit:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm
I cannot delete it, very annoying. Any help?


Logfile of HijackThis v1.99.0
Scan saved at 3:14:04 PM, on 12/20/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\simeon\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.utexas.edu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Keyman 3.2.lnk = C:\KEYMAN\KEYMAN.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1002704326639
O23 - Service: MD Simple Burner Service - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Media Music Server (Application) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) - Unknown - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

4
Contributors
7
Replies
8
Views
12 Years
Discussion Span
Last Post by DMR
0

Did you try fixing that line with HJT? (R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm)

If so, were all browser windows closed when you did it? If they weren't, or your not sure, try it again.

If it still doesn't work, try booting into Safe Mode and see if it will work from there.

I don't see anything else bad in your log.

0

The line immediately replaces itself when I delete it. In safe mode I sometimes am able to delete it for good, but when I reboot it just comes back. There are some .tmp files around my system that resist deleting as well; they don't show up in safe mode but then come right back when I reboot. The mentioned folder in the HKCU line, C:\winxp, does not exist, or is not visible (I am set up to view hidden files, so if it is there it is really really hidden somehow). Any ideas?

0

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Does BHO demon hide what it has disabled? If so, please disable it so that we can see what is disabled.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm

Then still in hijackthis, hit config\misc tools\delete a file on reboot and paste c:\winxp\system32\blank.htm into the frame that appears and reboot on the prompt.

Once back in and with the above settings in place, have a look for that winxp folder.

Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool. Type winxp in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them here.

0

When I try to enter C:\winxp\system32\blank.htm it says
Path does not exist.
I cannot set HJT to delete it on reboot.
I did the registry search and came up with suspicious things. It appears perhaps to have something to do with a hidden folder in C: called RECYCLER.
The registry entries with Sony appear legit, but the others, when I look at them in regedit, have evil files like winupdt.exe and more. Can I start deleting things?

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "winxp" 12/22/2004 10:54:55 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\C07ft5Y\WinXP]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{48BE827A-2D06-4804-90C3-4F2F8460F9D4}]
"DisplayName"="Support Actions WinXP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Sony Electronics\Support Actions WinXP]

[HKEY_LOCAL_MACHINE\SOFTWARE\Sony Electronics\Support Actions WinXP\2.16]

[HKEY_USERS\S-1-5-21-1273787498-3448672365-678597630-1005\Software\Microsoft\Internet Explorer\Main]
"Local Page"="c:\\winxp\\system32\\blank.htm"

[HKEY_USERS\S-1-5-21-1273787498-3448672365-678597630-1005\Software\Microsoft\MessengerService]
"WinXPRunCount"=dword:00000007

[HKEY_USERS\S-1-5-21-1273787498-3448672365-678597630-1005\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="winxp"

[HKEY_USERS\S-1-5-21-1273787498-3448672365-678597630-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop]
"TaskbarWinXP"=hex:0c,00,00,00,08,00,00,00,01,00,00,00,00,00,00,00,aa,4f,28,68

0

1. In Safe Mode, and with your Explorer's View settings set to show hidden/system folders as crunchie instructed, delete everything in the C:\Recycler folder.

2. "Local Page"="c:\\winxp\\system32\\blank.htm" <-- note the double slashes in that path; that's abnormal. Is that really the way the entry reads, or is that a typo?

3. Can you see the "hidden" winxp directory if you reboot into DOS mode (command prompt)? At the prompt, type the following command and see if the winxp directory is listed:

dir /w/p/A/O:gn

If so, see if you can access it and view the directory's contents:

cd C:\winxp
dir /w/p/A/O:gn

What's in that directory?

0

1.The recycler files deleted except for one recyle bin icon (apparently empty) which refuses to go (says it is being used by a program). Same goes for my D: drive, since my HD is partitioned.
2. The double slashes are how the thing shows up, I did not alter it.
3. I am still fooling about in DOS, bear with me. I'll be back tomorrow.
Thanks for your help!

0

1. I'm pretty sure you can't delete those remaining Recycler folders- they represent your currently-active Recycle Bins as far as I know. Every drive/partition will have one of its own. No problem as long as they're empty.

2. Interesting; I'll look in to that.

3. Cool- let us know the results.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.