about:blank and Only the Best popups

#1
justthekidd1
Once again my computer has been hijacked. I had this nasty little SOB before and I managed to get rid of it, however, I can not remember how I did it. The page always goes back to About:blank, when I start up it tells me I am missing a shell.dll file and the pop up ads come up all the time. This is my work PC.

Here is a copy of my hijack this log.


Logfile of HijackThis v1.98.0
Scan saved at 4:21:05 PM, on 8/27/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
c:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\WINNT\system32\ccsrvc.exe
C:\Program Files\NavNT\DefWatch.exe
C:\PROGRA~1\Altiris\CARBON~1\shellker.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\appmy.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\NavNT\vptray.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\EFI\PrintMessenger\dsfhost.exe
C:\Documents and Settings\deshanor\Application Data\ospa.exe
C:\WINNT\system32\nesqinxv.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office 2000\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\d3sa32.exe
C:\Program Files\Microsoft Office 2000\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Rory\my c stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\achzi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\achzi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\achzi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\achzi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\achzi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\achzi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\achzi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7DFBE359-8BFB-9144-5953-6EFC5BAC960C} - C:\WINNT\system32\msqe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AClntUsr] c:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [DSFHost] C:\Program Files\EFI\PrintMessenger\dsfhost.exe
O4 - HKLM\..\Run: [d3sa32.exe] C:\WINNT\system32\d3sa32.exe
O4 - HKCU\..\Run: [Awrw] C:\Documents and Settings\deshanor\Application Data\ospa.exe
O4 - HKCU\..\Run: [Yqfr] C:\WINNT\system32\nesqinxv.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://medimmune86/D...lient/setup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {b5859259-c40b-4b2a-af9d-3bf0f634b1d5} (Oracle JInitiator 1.1.8.20) - http://medimmune72/j...iator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = medimmune.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = medimmune.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = medimmune.com
  • 0

#2
Hemal
Your computer has a number of spyware programs that we need to remove. For more info on spyware see the Spyware Tools link in my signature.

Let's start with a free program. Ad-aware.

Using Ad-aware: Open Ad-Aware and use the Check for updates now link. Download and accept the latest reference file. When finished click the Start button. When done scanning, the Abort button will change to Next. Click the Next button. Right-click in the Scanning Results window and click "Select all objects". Then click the "Next" button and confirm that you want to delete the selected entries.

When finished, Reboot your computer. Finally, reply to this post with a new HiJackThis log so we can look for any nasties that may have been missed. <_<

CLICK HERE to download Ad-aware
  • 0

#3
justthekidd1
I updated adware 6.0 and have run it. Rebooted and this is the new log.
Thanks for your help. I recall the last time this happened I had to create a fix.reg file, start in safe mode, run that file, delete all items in some temp folder, copy and paste the shell.dll file from one location to another, run aboutbuster and hijack this... then do the same thing again.

Don't know, but these things suck.


Logfile of HijackThis v1.98.0
Scan saved at 9:04:40 AM, on 8/30/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
c:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\WINNT\system32\ccsrvc.exe
C:\PROGRA~1\Altiris\CARBON~1\shellker.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\appmy.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\NavNT\vptray.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\EFI\PrintMessenger\dsfhost.exe
C:\WINNT\system32\d3sa32.exe
C:\Documents and Settings\deshanor\Application Data\ospa.exe
C:\WINNT\system32\nesqinxv.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Microsoft Office 2000\Office\1033\msoffice.exe
C:\Program Files\Microsoft Office 2000\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Rory\my c stuff\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7DFBE359-8BFB-9144-5953-6EFC5BAC960C} - C:\WINNT\system32\msqe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AClntUsr] c:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [DSFHost] C:\Program Files\EFI\PrintMessenger\dsfhost.exe
O4 - HKLM\..\Run: [d3sa32.exe] C:\WINNT\system32\d3sa32.exe
O4 - HKCU\..\Run: [Awrw] C:\Documents and Settings\deshanor\Application Data\ospa.exe
O4 - HKCU\..\Run: [Yqfr] C:\WINNT\system32\nesqinxv.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://medimmune86/D...lient/setup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {b5859259-c40b-4b2a-af9d-3bf0f634b1d5} (Oracle JInitiator 1.1.8.20) - http://medimmune72/j...iator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = medimmune.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = medimmune.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = medimmune.com
  • 0
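
Comparing the entry sections of the two scans shows what the Ad-aware pass changed and what survived it. The following is an added example, not part of any post in this thread; the function names are hypothetical and the sample is a subset of lines copied from the two logs above.

```python
import re

# Constructed sample: a subset of lines copied from the two scans in this thread.
SCAN_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\achzi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\achzi.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7DFBE359-8BFB-9144-5953-6EFC5BAC960C} - C:\WINNT\system32\msqe.dll
O4 - HKLM\..\Run: [d3sa32.exe] C:\WINNT\system32\d3sa32.exe
O4 - HKCU\..\Run: [Yqfr] C:\WINNT\system32\nesqinxv.exe
"""
SCAN_AFTER = r"""
C:\WINNT\system32\nesqinxv.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7DFBE359-8BFB-9144-5953-6EFC5BAC960C} - C:\WINNT\system32\msqe.dll
O4 - HKLM\..\Run: [d3sa32.exe] C:\WINNT\system32\d3sa32.exe
O4 - HKCU\..\Run: [Yqfr] C:\WINNT\system32\nesqinxv.exe
"""

# Entry lines have the shape "<section code> - <detail>", for example "R3 - ...".
# Header lines and running-process paths do not match and are skipped.
ENTRY = re.compile(r"^([RO]\d+) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section_code, detail) pairs found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2).strip()))
    return entries

def diff_scans(before_text, after_text):
    """Group entries by whether they vanished, survived, or appeared between scans."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "removed": sorted(before - after),
        "persisting": sorted(before & after),
        "new": sorted(after - before),
    }

if __name__ == "__main__":
    for group, items in diff_scans(SCAN_BEFORE, SCAN_AFTER).items():
        print(f"{group} ({len(items)})")
        for code, detail in items:
            print(f"  {code:<4}{detail}")
```

On this sample the removed group holds only the R0/R1 search-page values pointing at achzi.dll, while the BHO and Run entries persist across the reboot.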

#4
admin
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7DFBE359-8BFB-9144-5953-6EFC5BAC960C} - C:\WINNT\system32\msqe.dll
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [d3sa32.exe] C:\WINNT\system32\d3sa32.exe
O4 - HKCU\..\Run: [Awrw] C:\Documents and Settings\deshanor\Application Data\ospa.exe
O4 - HKCU\..\Run: [Yqfr] C:\WINNT\system32\nesqinxv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINNT\system32\msqe.dll
C:\WINNT\system32\winmain.exe
C:\Program Files\Common files\WinTools <- this folder
C:\WINNT\system32\d3sa32.exe
C:\Documents and Settings\deshanor\Application Data\ospa.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<
  • 0