Home search assistant and about:blank, HJT posted

edit note: I put one file listing in code tags to prevent it displaying as a smiley. Newt

My IE goes directly to about:blank as soon as i open it and i have started getting pop-ups everywhere. In add/remove programs there is home search assistant and shopping assistant, neither can be removed. I have run spybot, ad aware, and cw shredder all with the latest updates and i have all of the latest updates from windows. can you please help me?

Logfile of HijackThis v1.97.7
Scan saved at 5:10:05 PM, on 8/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe

Code:

D:\WINNT\wmprfhun.prx:ofawy

D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\WINNT\system32\atlwy.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Microsoft Money\System\mnyexpr.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINNT\mxecu.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Idigi Technologies LLC
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
F2 - REG:system.ini: UserInit=D:\WINNT\System32\userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F2AC5E68-9373-5060-9F8B-406538D3B6D0} - D:\WINNT\system32\iegd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [atlwy.exe] D:\WINNT\system32\atlwy.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "D:\Program Files\Microsoft Money\System\mnyexpr.exe "
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38230.3790393519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

thank you very much in advance.

 

Hi rb6798 and welcome to the forum,

I know you say you have the latest updates to the apps but spyware and spyware removal is changing so fast I want to double check. The Hijackthis version is not the latest so you need to download v1.98.2 and just overwrite the one you have so your next log will be generated with the latest version. Spybot should be v1.3 and you have to download the whole thing as updating the ref files won't do it. If you now have an earlier version, run it and uncheck any protections then uninstall it and install the new one then update. Ad-Aware is their new SE version.

For the rest of your problem, you have been pretty well hijacked but it can be fixed. It may take a few runs to get it all gone though.

D:\WINNT\wmprfhun.prx: ofawy
wmprfhun.prx is a system profile for Hungarian support. From Microsoft and legit if you need that language. Otherwise it's just clutter and we can get rid of it.

D:\WINNT\system32\atlwy.exe
I can't find any information about this one and that can often indicate it is a file dropped on you by a virus. Unless you know exactly what it is and are sure it is legit, you should run an online virus scan to see what it picks up. And speaking of virus scans, I don't see any signs that you have an AV program on your PC. If not you really need to get one to help protect the PC. You can find both online and free local AV programs in Quicklinks in my signature.

A critter called Troj/IEStart-J or VBS.Startpage or several names depending on which AV vendor you use, has done most of the nasty to you.

Turn off System Restore.

Run Hijackthis (the new version) and check the following for removal:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINNT\mxecu.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\mxecu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Idigi Technologies LLC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = <local>
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
O2 - BHO: (no name) - {F2AC5E68-9373-5060-9F8B-406538D3B6D0} - D:\WINNT\system32\iegd.dll
O4 - HKLM\..\Run: [atlwy.exe] D:\WINNT\system32\atlwy.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8230.3790393519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Note that several of the 016 items may be perfectly normal and safe but any of them will be automatically loaded again at need so no harm done and I don't want to chance missing a bad one.

Note that you have some items running at startup that really don't need to be. They just add to the load on your system for no real benefit but those can be dealt with when the bad stuff is gone.

Boot to safe mode after the Hijackthis removals are done. Try add/remove programs and see if you can now uninstall home search assistant and shopping assistant.

If D:\WINNT\mxecu.dll is still on the system, delete it.
Open C:\Temp if present, select all and delete.
Open C:\WINNT\Temp, select all and delete.
Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.

These probably need to go as well but hold off on them for a bit.
D:\WINNT\system32\atlwy.exe
D:\WINNT\system32\iegd.dll

Boot back to normal mode, run an online virus scan if you haven't already, get an AV program installed if you haven't already, and turn system restore back on. Then run Hijackthis again to generate a new log and post it here.

 

OK, I d/l all of the updated versions of ad aware etc. , I am now running zone alarm suite which detected the Winshow G trojan, which from what the description said is pretty nasty. The online virus scan showed the same thing. I was unable to remove the search assistant or the shopping assistant during safe mode. I have a new HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 11:20:09 PM, on 8/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\ZoneLabs\isafe.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Microsoft Money\System\mnyexpr.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINNT\wmprfhun.prxfawy
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\ybeby.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINNT\ybeby.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINNT\ybeby.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\ybeby.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINNT\ybeby.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\ybeby.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\ybeby.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=D:\WINNT\System32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {570B60FA-D7C0-FB12-055B-167405DC7D68} - D:\WINNT\system32\mfcbs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "D:\Program Files\Microsoft Money\System\mnyexpr.exe "
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O19 - User stylesheet: (file missing)

also zone alarm picked up a attempted connection to the net using javass.exe, but could give no info on it. also i was unable to find system restore so maybe i didn't do things the right way?? hope this information is useful.

 

Would you please go to start>run and type services.msc, then hit enter. Look for the following services in the list and tell me which, if any, is present, and it's status. Read closely as these closely resemble legitimate services.

Workstation NetLogon Service
Network Security Service
Remote Procedure Call (RPC) Helper

 

I have the remote procedure call (rpc) helper, and it's status is started, the start up type is automatic.

 

Go back to services and right click the Remote Procedure Call (RPC) Helper service. Choose properties. Stop the service and set to disabled. Apply and OK out. Close services.

Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com.....Hijack of system default, but optional to fix.
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {570B60FA-D7C0-FB12-055B-167405DC7D68} - D:\WINNT\system32\mfcbs.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe........not needed at startup
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER........not needed at startup
O4 - HKCU\..\Run: [MoneyAgent] "D:\Program Files\Microsoft Money\System\mnyexpr.exe "........not needed at startup
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE........not needed at startup
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE........not needed at startup
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
O19 - User stylesheet: (file missing)



Download About:Buster from one of the following locations.


http://www.atribune.org/downloads/AboutBuster.zip

http://tools.zerosrealm.com/AboutBuster.zip

http://www.downloads.subratam.org/AboutBuster.zip


First unzip all files from the zip folder to a folder or your desktop. Open and double click AboutBuster.exe, click ok, then update. A new screen should popup. On that screen click Check for Updates. If it says it found an update click Download Updates. If it doesn't, it will automatically tell you and exit.
Close ALL Internet Explorer windows. This is a very important step!!
Click start and then Ok. The program should start scanning. Wait for it to finish (may take a while), then hit exit and reboot. Don't run a second time at this point.

Once rebooted run About:Buster again.

Reboot and run another HijackThis scan and post the log.

 

ok, here is the latest HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 5:57:55 PM, on 9/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\ZoneLabs\isafe.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINNT\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\ybeby.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\ybeby.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\ybeby.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\ybeby.dll/sp.html#29126
F2 - REG:system.ini: UserInit=D:\WINNT\System32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

thank you for all of your your help, I know this takes a good bit of your time. I really appreciate it.

 

Download CWShredder from here. Save it to the desktop.

Open Ad-aware and check for updates.

Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\ybeby.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\ybeby.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\ybeby.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\ybeby.dll/sp.html#29126

Reboot to safe mode.

Open CWShredder and click fix.

Run AboutBuster again.

Run Ad-aware in full scan mode. Delete all it finds.

Open My Computer, right click Local disk C: and choose properties, then disk cleanup.

Reboot back to Windows. Surf a bit and post a new HJT log.

 

here is the latest log, i have noticed that i am running a lot faster now, i still get a pop up window now and again, but it is blank, jus white.

Logfile of HijackThis v1.98.2
Scan saved at 9:15:27 PM, on 9/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\ZoneLabs\isafe.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

F2 - REG:system.ini: UserInit=D:\WINNT\System32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

thank you

 

Looks clean. Glad I could help.

What type of window opens? Notepad, IE, Windows Explorer,......? Is it a popup within Internet Explorer, like a blank advertisement?

Still no antivirus program running. It is VERY important that you get one installed, updated and running. A firewall would be in order also. Additionally, did you install Spybot, as Newt suggested? You really should. Allow it to load SD Helper. Open it up and check for updates. Then click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install and update. Check for updates weekly.
Then download and install IESpyad.

That will give you an added layer of protection against unwanted parasites.