about:blank Warning! You're in Danger!, This is the dribble I'm getting
Erotic-Sludge
post Jul 6 2005, 01:02 PM
Post #1
New Member
Group: New Member
Posts: 6
Joined: 6-July 05
Member No.: 35,977
Operating System: Windows XP

Great work you're doing here guys, keep it up.

Heres my problem

I have had problems a few times before with "about:blank" but have managed to overcome them by browsing through these forums and finding the answer. Unfortunately this time the problem won't go away and I have had to make a post.

I use Windows XP, have used the most recently updated versions of Ad-Aware and Spybot, used my updated Symantec AV and also used CWShredder, and rebooted after using all these programmes. All to no avail. Although CWShredder does recognize CWS.HomeSearch, it can't get rid of it.

The symptoms are as follows, my homepage is now about:blank with annoying pop ups every few minutes when I browse the net, also my desktop wallpaper has been changed to the following picture:-

(screenshot of the changed desktop wallpaper, resized)


Here's the contents of my HijackThis log, although I would like to point out that when running HijackThis, two unexpected errors occurred. I hope this doesn't make matters worse.

Logfile of HijackThis v1.99.1
Scan saved at 19:48:44, on 06/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\sdkeg32.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Creative\TaskBar\CTLTray.exe
C:\Program Files\Creative\TaskBar\CTLTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hookdump.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Mr Sausage\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1503
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1503
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1503
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {71E7D52D-B823-C3C8-463F-905929086C42} - C:\WINDOWS\crel.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Class - {D6FB4062-6BF9-178C-68C4-0DA115E430B5} - C:\WINDOWS\system32\iepc32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sdkeg32.exe] C:\WINDOWS\system32\sdkeg32.exe
O4 - HKLM\..\RunOnce: [javart32.exe] C:\WINDOWS\system32\javart32.exe
O4 - HKLM\..\RunOnce: [netge32.exe] C:\WINDOWS\netge32.exe
O4 - HKLM\..\RunOnce: [mfcor32.exe] C:\WINDOWS\mfcor32.exe
O4 - HKLM\..\RunOnce: [msxm32.exe] C:\WINDOWS\system32\msxm32.exe
O4 - HKLM\..\RunOnce: [d3ep32.exe] C:\WINDOWS\system32\d3ep32.exe
O4 - HKLM\..\RunOnce: [cruv.exe] C:\WINDOWS\system32\cruv.exe
O4 - HKLM\..\RunOnce: [mfcpo32.exe] C:\WINDOWS\mfcpo32.exe
O4 - HKLM\..\RunOnce: [msic32.exe] C:\WINDOWS\msic32.exe
O4 - HKLM\..\RunOnce: [javait.exe] C:\WINDOWS\javait.exe
O4 - HKLM\..\RunOnce: [iprv32.exe] C:\WINDOWS\iprv32.exe
O4 - HKLM\..\RunOnce: [addwq32.exe] C:\WINDOWS\addwq32.exe
O4 - HKLM\..\RunOnce: [atlhl.exe] C:\WINDOWS\system32\atlhl.exe
O4 - HKLM\..\RunOnce: [msmf32.exe] C:\WINDOWS\system32\msmf32.exe
O4 - HKLM\..\RunOnce: [ntah.exe] C:\WINDOWS\ntah.exe
O4 - HKLM\..\RunOnce: [netvl.exe] C:\WINDOWS\netvl.exe
O4 - HKLM\..\RunOnce: [winut.exe] C:\WINDOWS\winut.exe
O4 - HKLM\..\RunOnce: [javazn.exe] C:\WINDOWS\system32\javazn.exe
O4 - HKLM\..\RunOnce: [addbt32.exe] C:\WINDOWS\system32\addbt32.exe
O4 - HKLM\..\RunOnce: [mfchb32.exe] C:\WINDOWS\system32\mfchb32.exe
O4 - HKLM\..\RunOnce: [iend.exe] C:\WINDOWS\iend.exe
O4 - HKLM\..\RunOnce: [ipsz.exe] C:\WINDOWS\system32\ipsz.exe
O4 - HKLM\..\RunOnce: [appgc.exe] C:\WINDOWS\system32\appgc.exe
O4 - HKLM\..\RunOnce: [iewj.exe] C:\WINDOWS\iewj.exe
O4 - HKLM\..\RunOnce: [ntbl32.exe] C:\WINDOWS\system32\ntbl32.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...bridge-c283.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113732624481
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javart32.exe" /s (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Hope you can help

Regards,

Eroticus Sludgeous
Erotic-Sludge
post Jul 9 2005, 04:03 AM
Post #2

(image)

QuietFusion
post Jul 10 2005, 03:14 AM
Post #3
Authentic Member
Group: Authentic Member
Posts: 221
Joined: 26-April 04
Member No.: 5,462

Hi,

First make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Copy all my instructions into wordpad and save to your desktop. You can't have any open browser windows.

Please close all your internet explorer browsers > Next Click Start > go to Run > type regedit and hit enter > go to 'Edit' > Scroll Down to 'Find' > paste the following in the 'Find What' Box > 11Fßä #•ºÄÖ`I

When regedit finds your search right-click on the right panel and select delete. Keep searching until nothing is found.


Now download the following: Cleanup!, About:Buster, CWShredder, Ad-aware, & Spybot.
  • Updating Ad-aware:
    Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
  • Updating Spybot:
    Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'
Please Copy ALL My Notes Below Into Notepad and Save the File to Your Desktop. You Need to be Offline and In Safe Mode to Remove Everything in your Log

Now reboot into safe mode (press F8 during reboot, select Safe Mode) and DON'T reconnect to the net. You MUST be in safe mode to remove the About:Blank bug on your system.

Run Hijackthis and place a check next to the following

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1503
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1503
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1503
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {71E7D52D-B823-C3C8-463F-905929086C42} - C:\WINDOWS\crel.dll
O2 - BHO: Class - {D6FB4062-6BF9-178C-68C4-0DA115E430B5} - C:\WINDOWS\system32\iepc32.dll
O4 - HKLM\..\Run: [sdkeg32.exe] C:\WINDOWS\system32\sdkeg32.exe
O4 - HKLM\..\RunOnce: [javart32.exe] C:\WINDOWS\system32\javart32.exe
O4 - HKLM\..\RunOnce: [netge32.exe] C:\WINDOWS\netge32.exe
O4 - HKLM\..\RunOnce: [mfcor32.exe] C:\WINDOWS\mfcor32.exe
O4 - HKLM\..\RunOnce: [msxm32.exe] C:\WINDOWS\system32\msxm32.exe
O4 - HKLM\..\RunOnce: [d3ep32.exe] C:\WINDOWS\system32\d3ep32.exe
O4 - HKLM\..\RunOnce: [cruv.exe] C:\WINDOWS\system32\cruv.exe
O4 - HKLM\..\RunOnce: [mfcpo32.exe] C:\WINDOWS\mfcpo32.exe
O4 - HKLM\..\RunOnce: [msic32.exe] C:\WINDOWS\msic32.exe
O4 - HKLM\..\RunOnce: [javait.exe] C:\WINDOWS\javait.exe
O4 - HKLM\..\RunOnce: [iprv32.exe] C:\WINDOWS\iprv32.exe
O4 - HKLM\..\RunOnce: [addwq32.exe] C:\WINDOWS\addwq32.exe
O4 - HKLM\..\RunOnce: [atlhl.exe] C:\WINDOWS\system32\atlhl.exe
O4 - HKLM\..\RunOnce: [msmf32.exe] C:\WINDOWS\system32\msmf32.exe
O4 - HKLM\..\RunOnce: [ntah.exe] C:\WINDOWS\ntah.exe
O4 - HKLM\..\RunOnce: [netvl.exe] C:\WINDOWS\netvl.exe
O4 - HKLM\..\RunOnce: [winut.exe] C:\WINDOWS\winut.exe
O4 - HKLM\..\RunOnce: [javazn.exe] C:\WINDOWS\system32\javazn.exe
O4 - HKLM\..\RunOnce: [addbt32.exe] C:\WINDOWS\system32\addbt32.exe
O4 - HKLM\..\RunOnce: [mfchb32.exe] C:\WINDOWS\system32\mfchb32.exe
O4 - HKLM\..\RunOnce: [iend.exe] C:\WINDOWS\iend.exe
O4 - HKLM\..\RunOnce: [ipsz.exe] C:\WINDOWS\system32\ipsz.exe
O4 - HKLM\..\RunOnce: [appgc.exe] C:\WINDOWS\system32\appgc.exe
O4 - HKLM\..\RunOnce: [iewj.exe] C:\WINDOWS\iewj.exe
O4 - HKLM\..\RunOnce: [ntbl32.exe] C:\WINDOWS\system32\ntbl32.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...bridge-c283.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javart32.exe" /s (file missing)

and click fix.

Remain in safe mode for the next part of the removal.

- First run the Cleanup! program.

- Unzip the contents of AboutBuster.zip to its own folder.
- Navigate to the AboutBuster folder and double-click on AboutBuster.exe.
- Click Update to begin the update process.
- If any updates exist please install them.
- Close AboutBuster by clicking on Exit. AboutBuster will be used later.

--->note: AboutBuster should be run in Safe Mode <---

Browse to where you saved AboutBuster and double click AboutBuster.exe.
- Click Begin removal to allow AboutBuster to scan.
- When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK.
- Another information window will open. Click on Exit.
- AboutBuster will inform you that a log has been created. Click OK.

Reboot normally and post the AboutBuster log along with a fresh HJT log.


Now the program will start to run; it will take a few minutes. Once the program is complete, go ahead and run the program again.

- Double-Click CWShredder and click 'Fix'
  • Close CWShredder, open Ad-aware and make the following changes to the settings in Ad-aware.
    • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
      check: "Unload recognized processes during scanning."
    • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
      Check: "Let Windows remove files in use at next reboot."
Press 'Proceed'

Press 'Start'
  • Select option 'Use Custom scanning options'
  • Click 'Activate in-depth scan'
  • Press 'Select drives\folders to scan' Select the active partition which is usually C:
Click 'Customize'
  • Make sure the following are all are Checked:
    • 'Scan Within Archives'
    • 'Scan Active Processes'
    • 'Scan Registry'
    • 'Deep Scan Registry'
    • 'Scan My IE Favorites For Banned URLs'
    • 'Scan My Hosts File'
Click 'Proceed'
  • Now press "Next" to let Ad-aware scan your drives.
  • Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
  • Now Click 'Next' and Finally Click 'OK'
Close Out Ad-aware

Open Spybot.
  • Click 'Search & Destroy'
  • Click 'Check for problems' (the program will now search your HDD)
  • Make sure all findings are checked and click 'Fix Selected Problems'

Close SpyBot!

Now Delete the following Files.

Files:
C:\WINDOWS\system32\sdkeg32.exe
C:\WINDOWS\system32\javart32.exe
C:\WINDOWS\netge32.exe
C:\WINDOWS\mfcor32.exe
C:\WINDOWS\system32\msxm32.exe
C:\WINDOWS\system32\d3ep32.exe
C:\WINDOWS\system32\cruv.exe
C:\WINDOWS\mfcpo32.exe
C:\WINDOWS\msic32.exe
C:\WINDOWS\javait.exe
C:\WINDOWS\iprv32.exe
C:\WINDOWS\addwq32.exe
C:\WINDOWS\system32\atlhl.exe
C:\WINDOWS\system32\msmf32.exe
C:\WINDOWS\ntah.exe
C:\WINDOWS\netvl.exe
C:\WINDOWS\winut.exe
C:\WINDOWS\system32\javazn.exe
C:\WINDOWS\system32\addbt32.exe
C:\WINDOWS\system32\mfchb32.exe
C:\WINDOWS\iend.exe
C:\WINDOWS\system32\ipsz.exe
C:\WINDOWS\system32\appgc.exe
C:\WINDOWS\iewj.exe
C:\WINDOWS\system32\ntbl32.exe
C:\WINDOWS\system32\hookdump.exe



Reboot back into normal mode
Download the Hoster from here: http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.


Once complete post a fresh Hijackthis log in your thread.
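The fix list in the post above was built by reading the log by eye. The script below is an added example, not part of this thread and not HijackThis code, that turns the same indicators into rules and runs them over a subset of the log lines from the first post, embedded verbatim as constructed sample input: R0/R1 settings pointing at a res:// page inside a DLL in system32 or at a bare local .html file, a forced about:blank, a missing URLSearchHook, a BHO registered as an anonymous "Class", autostarts from under C:\WINDOWS that are not on a known list, a batch of queued RunOnce entries, a context-menu item that executes javascript:, an O16 download with no class name, and an O23 service whose binary is missing or whose name contains non-ASCII garbage. The KNOWN_WINDIR_AUTOSTARTS allowlist is this example's own assumption, taken from the C:\WINDOWS entries the helper left alone in this thread; adjust it for your own machine.

```python
import re
from collections import Counter

# Log lines copied verbatim from the HijackThis log in the first post of this
# thread (a constructed subset, not the full log). The triage rules are this
# example's own heuristics for CoolWebSearch-style hijacks, not HijackThis code.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gbnnx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1503
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {71E7D52D-B823-C3C8-463F-905929086C42} - C:\WINDOWS\crel.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sdkeg32.exe] C:\WINDOWS\system32\sdkeg32.exe
O4 - HKLM\..\RunOnce: [javart32.exe] C:\WINDOWS\system32\javart32.exe
O4 - HKLM\..\RunOnce: [netge32.exe] C:\WINDOWS\netge32.exe
O4 - HKLM\..\RunOnce: [cruv.exe] C:\WINDOWS\system32\cruv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...bridge-c283.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javart32.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Pull the executable path out of an O4 line: "[value name] "path.exe" args".
O4_PATH_RE = re.compile(r'\]\s+"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)

# Assumption: autostarts from the bare Windows directory that the helper in
# this thread left alone. Anything else starting from there is worth a look.
KNOWN_WINDIR_AUTOSTARTS = {
    "ctfmon.exe", "taskswitch.exe", "fast.exe", "htpatch.exe",
    "sisusbrg.exe", "updreg.exe", "nerocheck.exe", "bgswitch.exe",
}


def triage(log_text):
    """Return (section, reason, line) findings for CWS-style indicators."""
    findings = []
    runonce = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        low = body.lower()
        if sec in ("R0", "R1"):
            # Start/search pages pointing at a res:// page inside a DLL in
            # system32, or at a bare local .html file, are the hijack itself;
            # "about:blank" is only what the user sees.
            if ("res://" in low and "\\windows\\system32\\" in low) or re.search(r"= c:\\[^\\]+\.html", low):
                findings.append((sec, "IE page/search setting points at a local hijack file", line))
            elif low.endswith("= about:blank"):
                findings.append((sec, "IE setting forced to about:blank", line))
        elif sec == "R3" and "is missing" in low:
            findings.append((sec, "default URLSearchHook removed", line))
        elif sec == "O2" and low.startswith("bho: class -"):
            # Real BHOs carry a product name; CWS registers an anonymous "Class".
            findings.append((sec, "BHO with no product name", line))
        elif sec == "O4":
            pm = O4_PATH_RE.search(body)
            if pm:
                path = pm.group("path").lower()
                exe = path.rsplit("\\", 1)[-1]
                if path.startswith("c:\\windows\\") and exe not in KNOWN_WINDIR_AUTOSTARTS:
                    findings.append((sec, "unrecognised autostart under C:\\WINDOWS", line))
            if "runonce:" in low:
                runonce += 1
        elif sec == "O8" and "javascript:" in low:
            findings.append((sec, "context-menu item executes javascript:", line))
        elif sec == "O16" and not re.search(r"\} \(.+\) - ", body):
            # Legitimate DPF entries show a registered class name in parentheses.
            findings.append((sec, "ActiveX download with no class name", line))
        elif sec == "O23":
            svc_name = body.split(" - ")[0]
            if "(file missing)" in low or any(ord(c) > 127 for c in svc_name):
                findings.append((sec, "service with missing binary or non-ASCII name", line))
    if runonce >= 3:
        # CWS.HomeSearch queues a batch of RunOnce droppers; a healthy machine
        # rarely has more than one or two RunOnce values at a time.
        findings.append(("O4", f"{runonce} RunOnce entries queued", "(summary)"))
    return findings


def summarize(findings):
    """Count findings per HijackThis section, e.g. Counter({'O4': 6, 'R1': 3, ...})."""
    return Counter(sec for sec, _, _ in findings)


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {line}")
```

Run it and every line flagged is one the helper also put on the fix list, while the Google Toolbar, QuickTime and Symantec entries pass clean. The allowlist is the weak point: a name you do not recognise under C:\WINDOWS is a lead, not a verdict, so cross-check each flagged file against the "Running processes" section and the RunOnce values before deleting it in safe mode as the helper instructs.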
Erotic-Sludge
post Jul 10 2005, 04:01 PM
Post #4

Hi QuietFusion, thanks for replying.

After following your instructions, here's my latest log:

Logfile of HijackThis v1.99.1
Scan saved at 22:57:34, on 10/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Creative\TaskBar\CTLTray.exe
C:\Program Files\Creative\TaskBar\CTLTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mr Sausage\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113732624481
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

thanks
QuietFusion
post Jul 11 2005, 03:05 AM
Post #5

Your log looks great. How's the computer performing now?
Erotic-Sludge
post Jul 11 2005, 04:30 AM
Post #6

Hi QuietFusion

about:blank is no longer my homepage and there are no more annoying pop ups, thank you very much for that.

However, I still have this annoying desktop wallpaper that just won't budge.
QuietFusion
post Jul 11 2005, 04:41 AM
Post #7

Try resetting your desktop and see if it disappears.
Erotic-Sludge
post Jul 11 2005, 05:06 AM
Post #8

Tried using other pictures to set as desktop background but to no avail. Upon right clicking on my desktop and selecting properties I noticed the source was screen.html in my WINDOWS folder.

I actually deleted this, the picture has gone but I'm left with a white screen and still can't change my desktop background.

I've also noticed my google toolbar has vanished and reinstalling has no effect, it just won't appear.

This post has been edited by Erotic-Sludge: Jul 11 2005, 05:09 AM
QuietFusion
post Jul 11 2005, 02:42 PM
Post #9

Can you please post a fresh HijackThis log. Also, try uninstalling the Google toolbar via Add/Remove Programs and reinstalling it, and see if that works.

Finally, see if you can find this file, c:\searchpage.html, and delete it if you find it.
QuietFusion
post Jul 15 2005, 01:48 AM
Post #10

Are you still having problems?
Erotic-Sludge
post Jul 15 2005, 03:04 AM
Post #11

Sorry QuietFusion,

The weather has been so nice over here that we decided to go away for 2 days.

The removing and reinstalling of the Google toolbar worked a treat, many thanks for that.

While on our very short "getaway" I decided that I'm going to completely update this PC, which means there won't be very much of the original bits left, including the hard drive. This means I can put up with the desktop problem until tomorrow when I buy new parts etc.

I want to thank you for your help as you did manage to get rid of all the CoolWebSearch carp** off my computer.

Thanks for your help again.
QuietFusion
post Jul 15 2005, 02:24 PM
Post #12

Okay I'll leave your thread open for a few days. If you have any more problems please post.
QuietFusion
post Jul 18 2005, 09:56 PM
Post #13

To prevent the hijackers from taking over your system, increase the level of security on your system. Don't allow the hijackers to take you over!! Review these articles to increase the level of security.

http://www.computercops.biz/postt7736.html
http://www.markusjansson.net/eienbid.html

Also reset your restore points

Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot.

Turn System Restore Back On.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK


If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.