Hijackthis.log to be read to get rid of about:blank

From: shak (emailshak_at_gmail.com)
Date: 02/22/05

  • Next message: Duane Arnold: "Re: Hijackthis.log to be read to get rid of about:blank"
    Date: 21 Feb 2005 18:20:38 -0800
    
    

    Hi,
       about:blank has taken over my homepage. Don't know how it got to my
    machine. Can someone tell me what to get rid of from this log, which I
    got from the HijackThis software?

    Thanks in advance.
    shak

    Logfile of HijackThis v1.99.1
    Scan saved at 9:09:03 PM, on 2/21/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\WinIogon.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\Atiptaxx.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
    C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    C:\WINDOWS\system\lsvchost.exe
    C:\WINDOWS\System32\ldbyehij.exe
    C:\WINDOWS\System32\systcpm.exe
    C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
    C:\WINDOWS\blah.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\WINDOWS\xqyvrhovbs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Verizon Online\bin\mpbtn.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\DOCUME~1\Shak\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\DOCUME~1\Shak\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
    about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
    about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\WinIogon.exe
    F3 - REG:win.ini: run=tgikuwdeufy.exe, ocgptgcpw.exe, ocwpiha.exe,
    jcyicrqxjcicr.exe, omrxgao.exe, mlsqtxtdjnhiv.exe, jehdu.exe,
    anrhctbxfcymu.exe, ixfe.exe, pjnogytodbwmn.exe, yljfskxb.exe,
    oxrdvshell.exe, pfxbmculn.exe, exromosx.exe, gsirxd.exe, vkxtoxcx.exe,
    xqyvrhovbs.exe
    N3 - Netscape 7: user_pref("browser.search.defaultengine",
    "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    (C:\Documents and Settings\Shak\Application
    Data\Mozilla\Profiles\default\m0o2rdr1.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SideStep Browser Helper -
    {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program
    Files\SbCIe027.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program
    Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: (no name) - {AD30A5B2-87C6-45D1-A150-76BDEE393C9E} -
    C:\WINDOWS\System32\fhla.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -
    C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
    Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program
    files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [EM_EXEC]
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH
    Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program
    Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON
    Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series (Copy 1)]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P32 "EPSON
    Stylus C84 Series (Copy 1)" /O6 "USB001" /M "Stylus C84"
    O4 - HKLM\..\Run: [Motive SmartBridge]
    C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN
    Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program
    Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
    O4 - HKLM\..\Run: [Microsoft WinUpdate] ldbyehij.exe
    O4 - HKLM\..\Run: [System32 TCP Manager] systcpm.exe
    O4 - HKLM\..\Run: [AS00_Gear511] C:\Program
    Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
    O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\WinIogon.exe
    O4 - HKLM\..\Run: [blah] C:\WINDOWS\blah.exe /nomsg
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
    Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [sp] rundll32
    C:\DOCUME~1\Shak\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
    O4 - HKLM\..\RunServices: [Microsoft WinUpdate] ldbyehij.exe
    O4 - HKLM\..\RunServices: [System32 TCP Manager] systcpm.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
    Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Microsoft WinUpdate] ldbyehij.exe
    O4 - HKCU\..\Run: [System32 TCP Manager] systcpm.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
    Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program
    Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program
    Files\Verizon Online\bin\matcli.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program
    Files\Nikon\PictureProject\NkbMonitor.exe
    O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} -
    C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
    C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links -
    {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
    C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
    Advantage Validation Tool) -
    http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
    -
    http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104203257446
    O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} -
    http://download.sidestep.com/get/k00719/sb027.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
    lads.is.lmco.com
    O17 - HKLM\Software\..\Telephony: DomainName = lads.is.lmco.com
    O17 -
    HKLM\System\CCS\Services\Tcpip\..\{070F32A3-6DA0-4FE3-BDB8-F1941F0A1BE2}:
    Domain = lads.is.lmco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
    lads.is.lmco.com
    O18 - Filter: text/html - {8F1677D9-FBAB-4B98-BBF1-C953746E3B4A} -
    C:\WINDOWS\System32\fhla.dll
    O18 - Filter: text/plain - {8F1677D9-FBAB-4B98-BBF1-C953746E3B4A} -
    C:\WINDOWS\System32\fhla.dll
    O23 - Service: Ati HotKey Poller - Unknown owner -
    C:\WINDOWS\System32\ati2evxx.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation -
    C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

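A defender-side triage script, added here as an example (it is not part of the original post and not HijackThis's own code), that parses a handful of the log lines quoted above and flags the entries a reviewer would point at: IE start/search pages set to about:blank or to a res:// page served from a DLL in the Temp directory, a second program chained onto the system.ini Shell= line, the win.ini run= autostart list, O4 autostarts loading from Temp, a file name that imitates winlogon.exe with a capital I, and O18 MIME filters that can rewrite page content. The sample log is constructed from lines in the post (joined where the post wrapped them) with the win.ini list abridged.

```python
import re
# Constructed sample: lines taken from the HijackThis log in the post above,
# joined where the post wrapped them, with the win.ini run= list abridged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Shak\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\WinIogon.exe
F3 - REG:win.ini: run=tgikuwdeufy.exe, ocgptgcpw.exe, xqyvrhovbs.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\WinIogon.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Shak\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {8F1677D9-FBAB-4B98-BBF1-C953746E3B4A} - C:\WINDOWS\System32\fhla.dll
"""
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")

def looks_like_winlogon(path):
    # True when the name reads as winlogon.exe only because a capital I stands in for l.
    name = path.rsplit("\\", 1)[-1]
    return name.lower() != "winlogon.exe" and name.replace("I", "l").lower() == "winlogon.exe"

def triage(log):
    """Return (code, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            value = body.split(" = ", 1)[-1]
            if value == "about:blank" or value.lower().startswith("res://"):
                findings.append((code, "IE start/search page redirected", value))
        elif code == "F2" and "Shell=" in body:
            extras = body.split("Shell=", 1)[1].split()[1:]  # anything after Explorer.exe
            if extras:
                findings.append((code, "extra program chained to the shell", " ".join(extras)))
        elif code == "F3" and "run=" in body:
            progs = [p.strip() for p in body.split("run=", 1)[1].split(",")]
            findings.append((code, "win.ini run= autostarts", ", ".join(progs)))
        elif code == "O4":
            cmd = body.split("] ", 1)[-1]  # command after the [name] label
            if "\\temp\\" in cmd.lower():
                findings.append((code, "autostart loads from a Temp directory", cmd))
            elif looks_like_winlogon(cmd):
                findings.append((code, "file name imitates winlogon.exe", cmd))
        elif code == "O18" and body.startswith("Filter:"):
            findings.append((code, "MIME filter can rewrite page content", body.rsplit(" - ", 1)[-1]))
    return findings
```

The findings are pointers for the analyst to review, not removal actions; benign entries such as the Sony Default_Page_URL and the Apoint autostart pass through unflagged.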