Can't remove "about:blank" homepage. Please help.

Question

jbroad70 0 Newbie Poster

20 Years Ago

Hi All,

I'm new here and have the same problem with the About:Blank homepage. Here is my Hijack This report.

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\msrexe.exe
C:\WINNT\winh.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Washer Pro\iw.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\cflb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\cflb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\cflb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\cflb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\cflb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\cflb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {61C18940-A85F-4DE9-A8F4-3CF30E1A99F2} - C:\WINNT\System32\cflb.dll
O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem214.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe
O4 - HKLM\..\Run: [Winhost] C:\WINNT\winh.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKCU\..\Run: [Internet Washer Pro] C:\Program Files\Internet Washer Pro\iw.exe min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [ACMWrapperV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\ACMWrapperV2.dll"
O4 - HKLM\..\RunOnce: [MediaPlayerV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\MediaPlayerV2.dll"
O4 - HKLM\..\RunOnce: [driversV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\driversV2.dll"
O4 - HKLM\..\RunOnce: [Cdbootable.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Cdbootable.dll"
O4 - HKLM\..\RunOnce: [cdDataPS.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdDataPS.dll"
O4 - HKLM\..\RunOnce: [cdExtra.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdExtra.dll"
O4 - HKLM\..\RunOnce: [cdmp3.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdmp3.dll"
O4 - HKLM\..\RunOnce: [database.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\database.dll"
O4 - HKLM\..\RunOnce: [ISO9660.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\ISO9660.dll"
O4 - HKLM\..\RunOnce: [Joliet.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Joliet.dll"
O4 - HKLM\..\RunOnce: [Udf.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Udf.dll"
O4 - HKLM\..\RunOnce: [creator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll"
O4 - HKLM\..\RunOnce: [Translator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Translator.dll"
O4 - HKLM\..\RunOnce: [CDEngine.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\CDEngine.dll"
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINNT\inf\unregmp2.exe /FixUps
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://c.coolshader.com/download/dialer/us_cax.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21a2d5aa2b87f266a205/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38091.7978472222
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://centra.dukerealty.com/main/Install/en/US/CentraDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_US.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dukerealty.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E003707-25DC-499B-8119-128BAB44CB9B}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dukerealty.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dukerealty.com

I also have been trying to delete an xxx toolbar in the add/delete progams file, but that's not working. Any help would be greatly appreciated. Thanks.

windows-virus

7 Contributors
18 Replies
360 Views
7 Months Discussion Span
Latest Post 19 Years Ago Latest Post by mcleanmarg

All 18 Replies

MAD_DOG 35 Practically a Master Poster

20 Years Ago

Looks to me liked you got really hi-jacked good luck to you.

crunchie 990 Most Valuable Poster

20 Years Ago

Hi All,
I'm new here and have the same problem with the About:Blank homepage. Here is my Hijack This report.
I also have been trying to delete an xxx toolbar in the add/delete progams file, but that's not working. Any help would be greatly appreciated. Thanks.

Please do the following.
go to http://housecall.trendmicro.com/ for an on-line scan & set it to autoclean for you.

Download & instal Adaware from http://majorgeeks.com/download.php?det=506
& update it B4 scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
Also in tweaks under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion.'
Remove what it finds by placing a check in the box to the left of the object.

Download & instal Spybot S&D from http://www.safer-networking.org/index.php?page=download Update it B4 scanning. Go into settings & have it check for Beta releases also & download if available.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. Download that & you can keep it updated by selecting the same link that you use to download it.

Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs & windows, including IE, before running CWShredder.

Reboot after doing this & post another log please.

crunchie 990 Most Valuable Poster

20 Years Ago

Thanks Crunchy. Everything worked out fine. If you're ever in NYC I'll either buy you dinner or give you some free guitar lessons.

Cool. I taught my brother how to play though. LOL. Will you buy me the ticket to get there too?? lol.

Your next step is to go here & install ALL critical updates required for your system.
http://windowsupdate.microsoft.com/

caperjack 875 I hate 20 Questions

20 Years Ago

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

TallCool1 81 Practically a Posting Shark

20 Years Ago

The About:Blank homepage problem is back.

You have been hijacked again!
LolaWeb.winhost--and a dialer. You also might want to install some free prevention measures, including SpywareBlaster and SpywareGuard. These will stop malicious ActiveX installs, a major part of your problem.

Remove these, boot in to Safe Mode, and remove the associated files, if present:

O2 - BHO: (no name) - {8EA3B1C3-CC54-4508-803E-F13A26275DED} - c:\winnt\system32\efabfa.dll (file missing)

O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)

O4 - HKLM\..\Run: [Winhost] C:\WINNT\winh.exe

O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_US.cab

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Resource wasters, remove:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21a2d5aa2b87f2...ip/RdxIE601.cab

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For security reasons, you will also want to update Adobe Reader to v6.01 and WinZip to v9.0--or, better still, try the free 7-Zip instead.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

jbroad70 0 Newbie Poster · Answer 1 · 2004-04-15T22:09:18+00:00

Thanks Crunchy. Everything worked out fine. If you're ever in NYC I'll either buy you dinner or give you some free guitar lessons.

jbroad70 0 Newbie Poster · Answer 2 · 2004-04-18T00:13:59+00:00

Hi Again Crunchie,

The About:Blank homepage problem is back. I downloaded and installed everything that you told me about and it actually worked for two days and this morning my old friend was back. Here is my latest Hijack This report:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8EA3B1C3-CC54-4508-803E-F13A26275DED} - c:\winnt\system32\efabfa.dll (file missing)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winhost] C:\WINNT\winh.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21a2d5aa2b87f266a205/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38091.7978472222
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://centra.dukerealty.com/main/Install/en/US/CentraDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_US.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dukerealty.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dukerealty.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dukerealty.com

If you have any ideas please let me know. Thanks.

jbroad70 0 Newbie Poster · Answer 3 · 2004-04-19T05:01:24+00:00

OK guys,

I think that I've removed all of the viruses from my PC- the about:blank homepage problem seems to be fixed (once again). Here's my latest hijack this report- please let me know if you see anything weird in there. Thanks again.

JB

C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\winnt\system32\fcakddh.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38091.7978472222
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://centra.dukerealty.com/main/Install/en/US/CentraDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dukerealty.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E003707-25DC-499B-8119-128BAB44CB9B}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dukerealty.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dukerealty.com

zenfulcreations 1 Retired DAM & Technical Architect · Answer 4 · 2004-04-19T05:33:50+00:00

Rurun Hijack This again and get rid of these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\winnt\system32\fcakddh.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Other then those, you look like you are in the clear :)

TallCool1 81 Practically a Posting Shark Team Colleague · Answer 5 · 2004-04-19T06:12:18+00:00

I think that I've removed all of the viruses from my PC- the about:blank homepage problem seems to be fixed (once again). Here's my latest hijack this report- please let me know if you see anything weird in there.

Nope, you are still hijacked by a morphing program that changes the DLL name each time it installs. You are going to have to go deeper to rid yourself of this one.

* First, turn off System Restore before removing stuff. Some of your problems may be sneaking back in that way.

* Then make sure that HijackThis is the only thing running.

* Next, go into the folder C:\Windows\Prefetch, and look at the files there. Are any of them suspect? List the files here. You may even want to reboot your computer into Safe Mode and then delete all the files in your Prefetch folder at this time, just to be safe. Viruses hide there.

* While you are in Safe Mode, go into the C:\WINNT\system32 folder and remove those wierd-named DLL files that have been piling up.

* I would also manually clean out your Temporary Internet Files, as well. See Microsoft's Really Hidden Files for more on this issue (warning: potentially offensive site-name and email address). Though the article was written for Windows 98, it still applies.

Here's some more prevention tools:

SpywareBlaster -- blocks malware installation. Not a removal tool, helps keep adware and spyware off your PC by blocking ActiveX for known malware. Updates available on a regular basis.

IE-SPYAD: Restricted Sites List for Internet Explorer. Registry add-in that moves known malware sites to the "Restricted" zone in IE to block the nasties.

XP Anti-Spy -- turn off the "phone home" functions in XP. Did you know that Windows XP, by default, monitors your computer usage and reports back to Microsoft? Slow it down, at least, with this tool.

Try again to remove these. Note that it's the same old stuff with a new name:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\winnt\system32\fcakddh.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\efje.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

zenfulcreations 1 Retired DAM & Technical Architect · Answer 6 · 2004-04-19T06:33:50+00:00

I stand corrected... thank you Michael.

I have been assessing logs for a year, and never had any recurring problems when it came to the (obfuscated) entries.

However, I am enlightened today.

;)

jbroad70 0 Newbie Poster · Answer 7 · 2004-04-19T08:54:47+00:00

Thanks for the advice. I'm not sure that I have a system restore feature due to the fact that I have Windows 2000 and not XP. Is there something different I should do?

TallCool1 81 Practically a Posting Shark Team Colleague · Answer 8 · 2004-04-19T09:08:50+00:00

Thanks for the advice. I'm not sure that I have a system restore feature due to the fact that I have Windows 2000 and not XP. Is there something different I should do?

Good point. It was not clear which NT version you are using, since you didn't provide that information. There are some differences under W2k. Try looking here or here, for starters.

zenfulcreations 1 Retired DAM & Technical Architect · Answer 9 · 2004-04-19T21:11:16+00:00

I think I now know what your problem is, and the source of the 'morphing' DLL... can you run Adaware again, and post the results log here so I can see something - Thanks!

jbroad70 0 Newbie Poster · Answer 10 · 2004-04-24T22:41:23+00:00

HI,

Sorry I've been away for a while. Here is my Ad-aware results log. I still have the About:Blank changing homepage problem so any help would be appreciated. Thanks.

Listing running processes

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 4-23-2004 2:11:48 AM
BasePriority : Normal

#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ThreadCreationTime : 4-23-2004 2:11:59 AM
BasePriority : High

#:3 [services.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4-23-2004 2:12:03 AM
BasePriority : Normal
FileSize : 87 KB
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 4/24/2004 4:26:36 PM
Last modified : 6/19/2003 7:05:04 PM
#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4-23-2004 2:12:03 AM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
OriginalFilename : lsasrv.dll and lsass.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 4/24/2004 4:26:36 PM
Last modified : 2/25/2004 11:59:07 PM
#:5 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4-23-2004 2:12:11 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 4/24/2004 4:26:36 PM
Last modified : 12/7/1999 12:00:00 PM
#:6 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4-23-2004 2:12:12 AM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
OriginalFilename : spoolss.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 4/24/2004 4:26:36 PM
Last modified : 6/19/2003 7:05:04 PM
#:7 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 4-23-2004 2:12:12 AM
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 4/19/2004 11:03:20 PM
Last accessed : 4/24/2004 4:26:34 PM
Last modified : 7/17/2003 4:16:38 PM
#:8 [acsd.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\
ThreadCreationTime : 4-23-2004 2:12:20 AM
BasePriority : Normal
FileSize : 1360 KB
FileVersion : 1,0,23,5
ProductVersion : 1,0,23,5
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Connectivity Service
InternalName : acsd
OriginalFilename : acsd.exe
ProductName : AOL Connectivity Service
Created on : 12/13/2003 7:09:30 PM
Last accessed : 4/24/2004 4:26:34 PM
Last modified : 10/30/2003 10:48:46 PM
#:9 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 4-23-2004 2:12:22 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 4/24/2004 4:26:36 PM
Last modified : 12/7/1999 12:00:00 PM
#:10 [navapsvc.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton AntiVirus\
ThreadCreationTime : 4-23-2004 2:12:23 AM
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 4/19/2004 11:02:10 PM
Last accessed : 4/24/2004 4:26:34 PM
Last modified : 11/15/2002 12:41:26 AM
#:11 [nprotect.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Utilities\
ThreadCreationTime : 4-23-2004 2:12:29 AM
BasePriority : Normal
FileSize : 132 KB
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
Copyright : Copyright (C) 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
OriginalFilename : NPROTECT.EXE
ProductName : Norton Utilities
Created on : 4/19/2004 9:52:33 PM
Last accessed : 4/24/2004 4:26:34 PM
Last modified : 8/14/2002 11:03:00 AM
#:12 [regsvc.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4-23-2004 2:12:31 AM
BasePriority : Normal
FileSize : 66 KB
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
OriginalFilename : REGSVC.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 4/19/2004 11:42:17 PM
Last accessed : 4/24/2004 4:26:36 PM
Last modified : 6/19/2003 7:05:04 PM
#:13 [mstask.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4-23-2004 2:12:32 AM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 4.71.2195.6704
ProductVersion : 4.71.2195.6704
Copyright : Copyright (C) Microsoft Corp. 1997
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 4/19/2004 11:43:01 PM
Last accessed : 4/24/2004 4:26:36 PM
Last modified : 6/19/2003 7:05:04 PM
#:14 [nopdb.exe]
FilePath : C:\PROGRA~1\NORTON~1\SPEEDD~1\
ThreadCreationTime : 4-23-2004 2:12:33 AM
BasePriority : Normal
FileSize : 168 KB
FileVersion : 7.00.0.24
ProductVersion : 7.00.0.24
Copyright : Copyright (C) 2002
CompanyName : Symantec Corporation
FileDescription : NOPDB
InternalName : NOPDB
OriginalFilename : NOPDB.dll
ProductName : Norton Speed Disk
Created on : 4/19/2004 9:54:58 PM
Last accessed : 4/24/2004 4:26:34 PM
Last modified : 8/14/2002 11:00:00 AM
#:15 [wanmpsvc.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 4-23-2004 2:12:35 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 9, 0, 0, 0
ProductVersion : 9, 0, 0, 0
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
OriginalFilename : WanMPSvc.exe
ProductName : America Online
Created on : 5/24/2003 12:23:45 AM
Last accessed : 4/24/2004 4:26:36 PM
Last modified : 8/27/2003 3:27:44 PM
#:16 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ThreadCreationTime : 4-23-2004 2:12:36 AM
BasePriority : Normal
FileSize : 192 KB
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
Copyright : Copyright (C) Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 4/19/2004 11:41:39 PM
Last accessed : 4/24/2004 4:26:36 PM
Last modified : 6/19/2003 7:05:04 PM
#:17 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4-23-2004 2:12:38 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 4/24/2004 4:26:36 PM
Last modified : 12/7/1999 12:00:00 PM
#:18 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 4-23-2004 2:14:22 AM
BasePriority : Normal
FileSize : 237 KB
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 4/19/2004 11:44:02 PM
Last accessed : 4/24/2004 4:26:34 PM
Last modified : 6/19/2003 7:05:04 PM
#:19 [symtray.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 4-23-2004 2:14:30 AM
BasePriority : Normal
FileSize : 84 KB
FileVersion : 2003.6.57
ProductVersion : 2003.6.57
Copyright : Copyright (c) 1997-2002 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton SystemWorks SymTray
InternalName : SymTray.exe
OriginalFilename : SymTray.exe
ProductName : Norton SystemWorks
Created on : 4/19/2004 11:03:47 PM
Last accessed : 4/24/2004 4:26:34 PM
Last modified : 9/30/2002 2:46:14 AM
#:20 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 4-23-2004 2:14:48 AM
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 4/20/2004 1:57:36 PM
Last accessed : 4/24/2004 4:26:34 PM
Last modified : 12/2/2003 9:11:04 PM
#:21 [spysweeper.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ThreadCreationTime : 4-23-2004 2:15:17 AM
BasePriority : Normal
FileSize : 639 KB
FileVersion : 2.1.0.23
ProductVersion : 1.0.0.0
Copyright : Copyright (c) 2001-2003 Webroot Software, Inc.
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper
ProductName : Spy Sweeper
Created on : 4/19/2004 7:37:41 PM
Last accessed : 4/24/2004 4:26:34 PM
Last modified : 7/10/2003 8:26:00 PM
#:22 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 4-24-2004 4:58:10 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 4/15/2004 4:43:47 PM
Last accessed : 4/24/2004 4:58:08 PM
Last modified : 7/13/2003 3:00:20 AM
Memory scan result :

New objects : 0
Objects found so far: 0

Started registry scan

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP

Registry scan result :

New objects : 1
Objects found so far: 1

Started deep registry scan

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{7FEF4CCD-E64B-41D5-8F40-5DEEE4B24653}

CoolWebSearch Object recognized!
Type : File
Data : ppjij.dll
Object : c:\winnt\system32\
FileSize : 36 KB
Created on : 4/24/2004 4:31:15 PM
Last accessed : 4/24/2004 4:31:15 PM
Last modified : 4/24/2004 4:31:15 PM

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{B08FE1CA-26B1-4CE8-AFBC-8F1DB7023AC2}

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/plain

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FEF4CCD-E64B-41D5-8F40-5DEEE4B24653}

Deep registry scan result :

New objects : 5
Objects found so far: 7

Tracking Cookie Object recognized!
Type : File
Data : [email="administrator@zedo"]administrator@zedo[/email][2].txt
Object : C:\Documents and Settings\administrator\Cookies\
Created on : 4/23/2004 7:18:58 PM
Last accessed : 4/24/2004 5:03:06 PM
Last modified : 4/23/2004 7:18:59 PM

Deep scanning and examining files (C:)

Scanning Hosts file(C:\WINNT\system32\drivers\etc\hosts)

Hosts file scan result:

1 entries scanned.
New objects :0
Objects found so far: 8

Performing conditional scans..

Conditional scan result:

New objects : 0
Objects found so far: 8

12:03:53 PM Scan complete
Summary of this scan

Total scanning time :00:05:11:578
Objects scanned :43394
Objects identified :8
Objects ignored :0
New objects :8

jbroad70 0 Newbie Poster · Answer 11 · 2004-04-24T22:42:52+00:00

HI,
Sorry I've been away for a while. Here is my Ad-aware results log.