Member Avatar for Element150

i've never fully gotten rid of about:blank, so I constantly use cwshredder to fix the hidden dll, but now I have another thing that changed my homepage to http://0ml.net/cat and i get pop ups now even with yahoo popup blocker and i get them whether ie is open or not. here is my hjt log, i can't clear any of the 0ml.net/cat things, they just reappear.

Logfile of HijackThis v1.97.7
Scan saved at 5:35:21 PM, on 1/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\wizard\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://0ml.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://0ml.net/cat
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://0ml.net/searchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://0ml.net/searchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0ml.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://0ml.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0ml.net/searchasst.html
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CC036691-17AC-4CEB-A63A-33BB8432ECBB} - C:\WINDOWS\system32\imolaa.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10020} - C:\WINDOWS\system32\2g8oxrryue.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: The Simple Toolbar Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB} - C:\WINDOWS\system32\fipprudp0h.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - Global Startup: MA101 Configuration Utility .lnk = ?
O4 - Global Startup: Microsoft Office.hta
O4 - Global Startup: RealAudio.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: The Simple Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: The Simple Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - file://D:\Installers\QuickTime\qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

  • 2 Contributors
  • 1 Reply
  • 115 Views
  • 14 Hours Discussion Span
  • Latest Post Latest Post by dlh6213
Member Avatar for dlh6213

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://0ml.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://0ml.net/cat
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://0ml.net/searchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://0ml.net/searchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0ml.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://0ml.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0ml.net/searchasst.html
O2 - BHO: (no name) - {CC036691-17AC-4CEB-A63A-33BB8432ECBB} - C:\WINDOWS\system32\imolaa.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10020} - C:\WINDOWS\system32\2g8oxrryue.dll
O3 - Toolbar: The Simple Toolbar Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB} - C:\WINDOWS\system32\fipprudp0h.dll
O4 - Global Startup: RealAudio.exe
O9 - Extra button: The Simple Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: The Simple Toolbar (HKLM)

Close all windows other than HJT before hitting the Fix button

Reboot into Safe Mode

Go to:
C:\WINDOWS\system32 and delete imolaa.dll
C:\WINDOWS\system32 and delete 2g8oxrryue.dll
C:\WINDOWS\system32 and delete fipprudp0h.dll

Reboot normally

Download the Hoster from here:
http://members.aol.com/toadbee/hoster.zip
Run Hoster and press Restore Original Hosts, OK, and Exit Program. Reboot.

Update your hijackthis to version 1.99. Close all browser windows, scan with the updated HJT, and post a new log please.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.