[misskoreanninja]

jebus this has got to stop -.-.
every time i open my browser, it reverts to about: blank, which transfers you to onemoresearch.net. then avg keeps popping up telling me i have uber amounts of trojan virusus being downloaded at that moment WHILE i am bombarded with popups at the same time.

is there something wrong with my log file?
if nott....then what else could possibly be making my computer so retarded?

mmm. i have avg, adaware, easyclean, some popup blocker -.- they are all doing shat for me:

Logfile of HijackThis v1.98.2
Scan saved at 6:53:24 PM, on 21/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\QTFont.qfn:hntaq
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\PopUpBlockerPro\popblock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis1982.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B565180E-43E9-0FC9-ADEC-D0371DC88C69} - C:\WINDOWS\system32\atlpd.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pop Up Blocker Pro 2004.lnk = C:\Program Files\PopUpBlockerPro\popblock.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

[Advertisements]

Is this your entire log or did you already edit some entries before posting it?

Are you running Norton and AVG or do you just have remnants of Norton. Try to uninstall one. You don't want two antivirus programs running.

Please uninstall popblock in your add/remove programs. It is suspected that it is spyware-related and is causing you to have more problems. Did you purchase this?

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O2 - BHO: (no name) - {B565180E-43E9-0FC9-ADEC-D0371DC88C69} - C:\WINDOWS\system32\atlpd.dll

O4 - Global Startup: Pop Up Blocker Pro 2004.lnk = C:\Program Files\PopUpBlockerPro\popblock.exe

Please reboot into safe mode - How do I boot into "Safe" mode?.
Be sure you're able to view hidden files, and remove the following files (if found):

C:\WINDOWS\system32\atlpd.dll <<this file
C:\Program Files\PopUpBlockerPro<<this file
C:\WINDOWS\QTFont.qfn:hntaq (right-click on this and tell me what properties before we delete it)


Even though you're run it before, please run it again:

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:

• Automatically save log-file
• Automatically quarantine objects prior to removal
• Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

• Scan Within Archives
• Scan Active Processes
• Scan Registry
• Deep Scan Registry
• Scan my IE favorites for banned URL’s
• Scan my Hosts file
• Under Click here to select drives + folders, choose:
• All of your hard drives

-> Click on the Advanced button on the left and select:

• Include additional process information
• Include additional file information
• Include environment information
• Include additional object details

-> Click the Tweak button and select:

• Under the Scanning Engine:
  • Unload recognized processes during scanning
  • Include basic Ad-aware settings in logfile
  • Include additional Ad-aware settings in logfile
• Under the Cleaning Engine:
  • Let Windows remove files in use at next reboot

-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

• Use Custom Scanning Options

-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).


Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

> Reboot your computer.

If you would please, rescan with HijackThis and post a fresh log in this same topic.

[coachwife6]

Is this your entire log or did you already edit some entries before posting it?

Are you running Norton and AVG or do you just have remnants of Norton. Try to uninstall one. You don't want two antivirus programs running.

Please uninstall popblock in your add/remove programs. It is suspected that it is spyware-related and is causing you to have more problems. Did you purchase this?

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O2 - BHO: (no name) - {B565180E-43E9-0FC9-ADEC-D0371DC88C69} - C:\WINDOWS\system32\atlpd.dll

O4 - Global Startup: Pop Up Blocker Pro 2004.lnk = C:\Program Files\PopUpBlockerPro\popblock.exe

Please reboot into safe mode - How do I boot into "Safe" mode?.
Be sure you're able to view hidden files, and remove the following files (if found):

C:\WINDOWS\system32\atlpd.dll <<this file
C:\Program Files\PopUpBlockerPro<<this file
C:\WINDOWS\QTFont.qfn:hntaq (right-click on this and tell me what properties before we delete it)


Even though you're run it before, please run it again:

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:

• Automatically save log-file
• Automatically quarantine objects prior to removal
• Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

• Scan Within Archives
• Scan Active Processes
• Scan Registry
• Deep Scan Registry
• Scan my IE favorites for banned URL’s
• Scan my Hosts file
• Under Click here to select drives + folders, choose:
• All of your hard drives

-> Click on the Advanced button on the left and select:

• Include additional process information
• Include additional file information
• Include environment information
• Include additional object details

-> Click the Tweak button and select:

• Under the Scanning Engine:
  • Unload recognized processes during scanning
  • Include basic Ad-aware settings in logfile
  • Include additional Ad-aware settings in logfile
• Under the Cleaning Engine:
  • Let Windows remove files in use at next reboot

-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

• Use Custom Scanning Options

-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).


Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

> Reboot your computer.

If you would please, rescan with HijackThis and post a fresh log in this same topic.

[misskoreanninja]

thanks for replying =)
yeah i did delete a few entries, ones that keep coming back -.-.
it's all about default pages being about:blank and whatnot.
hmm...will be trying out what you wrote out there for me thank you.

and about that popup blocker program...i downloaded it after i started having this problem..i'm quite sure it's not adware related since i downloaded it off download.com...hmm. will remove it though.

thanks again

[misskoreanninja]

amm, well i checked offall the boxes on hijack this like you said...ran a scan and whatnot...every time i open a browser though, things go wonky again. here's my new log:

Logfile of HijackThis v1.98.2
Scan saved at 6:02:37 PM, on 22/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\QTFont.qfn:hntaq
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis1982.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5994FD3E-5FC2-9A72-EE68-06292ACBFC71} - C:\WINDOWS\system32\ntsg32.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

pretty ugly 0.o
everything keeps restoring itself.

[coachwife6]

Did you ever find out what the properties of this entry were?

C:\WINDOWS\QTFont.qfn:hntaq

Were these some of the entries that you deleted initially? If so, that is why your computer did not get fixed with the first Hijack This fix.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lixpi.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5994FD3E-5FC2-9A72-EE68-06292ACBFC71} - C:\WINDOWS\system32\ntsg32.dll

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files (if found):

C:\WINDOWS\system32\lixpi.dll
C:\WINDOWS\system32\ntsg32.dll

Please run adaware again as per previous instructions and clean out your temp. files. Let us know how the system is working and post a new log. Good luck.