Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

adware, spyware, spybot nothing works..

Started by colleen2426 , Apr 01 2005 02:23 PM

  • Please log in to reply

#1
colleen2426
Posted 01 April 2005 - 02:23 PM

colleen2426

    New Member

  • Member
  • Pip
  • 2 posts
When i click on internet explorer it goes to about:blank, sometimes when im on the internet imy page turns into another page, I get pop ups, and and get Messenger Service pop ups .. it says Message Service from security monitor to windows user... then it lists a bunch of different WINDOWS and which ones are affected and uneffected... WINDOWS XP is always under affected.. that is what I have.. I get these Message Serive Boxes every 5-10 min!! My computer is running slow... I am always getting errors.. Windows has encountered a problem messages... I have tried AD-aware, spyware, spybot search and destroy.. These programs always find 20 or more problems.. and it says some cant be fixed.. also if i run it every 10 min it still finds problems!!!! PLEASE HELP!!! ALL REPLYS WELCOME!!!
  • 0

Advertisements

#2
colleen2426
Posted 01 April 2005 - 03:19 PM

colleen2426

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
I still am having problems.. I tried what you said... I get about:black, Windows Messenger Service, Errors, Internet pop ups when in another program.. lots of problems
please help

Logfile of HijackThis v1.99.1
Scan saved at 4:16:52 PM, on 4/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ntjv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\nthm32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\phrzk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\phrzk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\phrzk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\phrzk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\phrzk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\phrzk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0F0643E6-66C9-84AC-D29E-41B9B31BF9E6} - C:\WINDOWS\system32\sysnk32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nthm32.exe] C:\WINDOWS\nthm32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112400556311
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntjv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
  • 0

#3
xxgeniuskidxx
Posted 10 April 2005 - 08:43 AM

xxgeniuskidxx

    Member

  • Member
  • PipPip
  • 16 posts
[edited] This is a nasty about:blank infection that requires several tools to fix.

Edited by bananafanafo, 10 April 2005 - 09:00 AM.

  • 0

#4
njustice
Posted 15 April 2005 - 08:02 PM

njustice

    Member

  • Member
  • PipPipPip
  • 521 posts
colleen2426,

Hello! and welcome to G2G forums.

===============

When we're done cleaning off your system, I'd recommend that you install all the Critical Windows Updates available from Microsoft, upto Service Pack 1. This will help to make your system more secure and prevent many 'problems' from reoccuring in the future.

===============

We'll need to download these program(s) to help us deal with the "About:Blank" infection:

-

Download, unzip to your desktop CWShredder and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Exit the program.


-

Download, unzip to your desktop About:Buster and run it, then:

1. Click "Update".
2. Click "Check For Update"

(If no new version is available, skip to step #4.)

3. Click "Download Update", and wait for it to be installed.
4. Exit the program.


===============

Please put HiJackThis in it's own permanent folder....for storing important backups!!!

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which while highlighted you can rename to "HJT". Now you have C:\HJT\ folder.
Please put your HijackThis.exe there before you begin.

===============

Reboot your computer into "Safe Mode"

===============

Next, locate CWShredder that you downloaded earlier and run it, then:

1. Click "Fix ->"

===============

Next, locate About:Buster that you downloaded earlier and run it, then:

1. Click "Start".

(Wait for the initial ADS scan to complete.)

2. Click "Yes", to shutdown any IE session currently open.

(Wait for the about:blank scan to complete.)

3. Click "Ok", to scan once more.
4. Click "Yes", to shutdown any IE sessions currently open.
5. Click "Yes", to begin the second pass.

6. Click "Save log", and post this log back along with your new hijackthis log(when done with fix below).
7. Click "Exit".
8. Click "Exit".

===============

Reboot your computer normally.

===============


Go to Add/Remove programs and remove(uninstall) the following, if present:

Media Access
Viewpoint Manager

===============

Go to Start->Run and type "Services.msc" (without quotes) then hit OK
Scroll down and find the service called.

11Fßä#·ºÄÖ`I

Make sure it is selected in color. Right click on the service and click on stop. Right click on it again and go to Properties. In the Properties screen and under the General Tab, change the Startup Type to Disabled in the dropdown box. Click on Apply. Then OK. If the service isn't listed go ahead with the rest of these instructions anyway.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\phrzk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\phrzk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\phrzk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\phrzk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\phrzk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\phrzk.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0F0643E6-66C9-84AC-D29E-41B9B31BF9E6} - C:\WINDOWS\system32\sysnk32.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [nthm32.exe] C:\WINDOWS\nthm32.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntjv.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to"view system and hidden files/folders"(rehide system files and folders when were done):

folders...

C:\Program Files\Viewpoint
C:\Program Files\Media Access


files...

C:\WINDOWS\system32\ntjv.exe
C:\WINDOWS\nthm32.exe
C:\WINDOWS\phrzk.dll
C:\WINDOWS\system32\sysnk32.dll

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Reboot your computer.

===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when your done with the following fix.

===============

Reboot your computer.

Post back a new Hijackthis log and About:Buster log, report any problems and let me know how everything goes.

IMPORTANT! PLEASE do not restart your computer unless asked, restarting can reinfect your computer resulting in us starting the cleaning up process all over!

-

~Njustice~
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP