Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Some Kind of about:blank virus


  • Please log in to reply

#1
sKratch

sKratch

    New Member

  • Member
  • Pip
  • 2 posts
I just got home from college yesterday, and totally forgot that I had absolutely no protection on my mom's computer (she doesn't use the internet except for email, she doesn't know how to do anything else). Lo and behold, I go to a webpage and 23854 popups come up and stuff gets installed on my computer. Initially, it looked like the about:blank virus; my home page got switched and it was some search page. I downloaded adaware, spybot, and adware away, and installed norton (although norton didn't help much). After running all of these programs countless times, I eventually seemed to be clean, until I updated some definition files and I turned up to be a mess again. For a while, the web redirection was fixed but this morning it's back again. I have a feeling there's some hidden file on my computer that none of my programs can detect that keeps resurrecting the spyware. It also keeps installing a dialer on my computer, but I luckily have broadband so it can't do anything. Anyways, here is my highjack this log. Thanks a lot if you can help:

Logfile of HijackThis v1.98.2
Scan saved at 12:32:11 PM, on 9/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\golumm\services.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\AIM\aim.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\MgtS.exe
C:\WINDOWS\System32\Tpws.exe
C:\mIRC\mirc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://other.thenews...com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://other.thenews...com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenews...com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenews...com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenews...com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll (file missing)
O2 - BHO: (no name) - {5384A6C4-CDCD-4725-AA79-0016C028AE84} - C:\WINDOWS\system32\efoikh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 50.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winxmh32.exe
O4 - HKLM\..\Run: [36@ASLK3HGJAQK] C:\WINDOWS\System32\Ozkx1Xc1.exe
O4 - HKLM\..\Run: [xF3j35g] dusui1.exe
O4 - HKLM\..\RunOnce: [KB824141] rundll32.exe apphelp.dll,ShimFlushCache
O4 - HKLM\..\RunOnce: [WMC_0] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\System32\wmpcore.dll"
O4 - HKLM\..\RunOnce: [WMC_1] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\System32\msdxm.ocx"
O4 - HKLM\..\RunOnce: [WMC_2] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\System32\dxmasf.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\System32\golumm\services.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: v2cab - http://13213.searchm...m/cab/v2cab.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/...m::/on-line.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.250...othersearch.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...84f880889783bc3
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab
  • 0

Advertisements


#2
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
First, we need to remove the pepper trojan. Download this file, run, and let terminate (it'll just blink briefly on your screen and won't appeared to have done much--this is normal):
http://www.geekstogo...=download&id=18

Reboot your PC.

If you would please, rescan with HijackThis, post a fresh log in this same topic, and we'll continue cleaning. <_<
  • 0

#3
sKratch

sKratch

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Ugh... I ran into some problems with SP2 crashing during install, and my system would no longer boot after uninstalling it, so I was unfortunately forced to reformat. But hey, at least the spyware's gone! Made sure to install all windows updates + SP2 and norton before I used the computer for anything.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP