1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

about blank home page highjack (hjt log attached)

Discussion in 'Malware and Virus Removal Archive' started by stitch, 2005/02/22.

Thread Status:
Not open for further replies.
  1. 2005/02/22
    stitch

    stitch Inactive Thread Starter

    Joined:
    2003/09/13
    Messages:
    302
    Likes Received:
    0
    Well here I am again this time with a works computer, I'v had to put the log onto a disk and bring home due to the fact that the computer with the problem keps getting pop ups and is getting very iratating.
    Can anyone please help me with thiis log.
    Many thanks
    stitch
    Logfile of HijackThis v1.99.1
    Scan saved at 14:08:46, on 22/02/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\MKSC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGWB.DAT
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Program Files\Copernic 2000\CopernicFind.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {8298B1C1-75D1-11D9-9386-0002952BC261} - C:\WINDOWS\SYSTEM\MPMI.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\SYSTEM\autorun.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OSS] c:\windows\system\mksc.exe -boot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Search Using Copernic - file://C:\Program Files\Copernic 2000\Search Extension.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
    O9 - Extra 'Tools' menuitem: Launch Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
    O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
    O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mov: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPQTW32.DLL
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/03e724cadcacc6597406/netzip/RdxIE601.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O18 - Filter: text/html - {8298B1C0-75D1-11D9-9386-0002FA6767FA} - C:\WINDOWS\SYSTEM\MPMI.DLL
    O18 - Filter: text/plain - {8298B1C0-75D1-11D9-9386-0002FA6767FA} - C:\WINDOWS\SYSTEM\MPMI.DLL
     
    stitch,
    #1
  2. 2005/02/22
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Uninstall ClockSync and reboot.

    Remove these items in HJT with all internet browsers, and Windows Explorer windows closed. Rescan with HJT and remove these items.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {8298B1C1-75D1-11D9-9386-0002952BC261} - C:\WINDOWS\SYSTEM\MPMI.DLL
    O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\SYSTEM\autorun.exe
    O4 - HKLM\..\Run: [OSS] c:\windows\system\mksc.exe -boot
    O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...stx/install.cab
    O18 - Filter: text/html - {8298B1C0-75D1-11D9-9386-0002FA6767FA} - C:\WINDOWS\SYSTEM\MPMI.DLL
    O18 - Filter: text/plain - {8298B1C0-75D1-11D9-9386-0002FA6767FA} - C:\WINDOWS\SYSTEM\MPMI.DLL

    Restart in Dos Mode, and do these commands. These will delete files in a way not possible in windows.
    smartdrv
    deltree c:\windows\temp
    deltree c:\windows\tempor~1
    Type a Y that you want to delete, check for typos at this time.

    Reboot into Safe Mode, and delete these files.
    C:\WINDOWS\SYSTEM\MPMI.DLL
    c:\windows\system\mksc.exe

    Delete this folder.
    C:\Program Files\ClockSync

    The following file could be anything, but it usually is present only on a CD. The existence of it raises flags with me, but it could be legit. Right click on it and select Properties and see if it identifies as to who created this one.
    C:\WINDOWS\SYSTEM\autorun.exe

    If you want to clean up some items which are unncessary, remove these.
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    Then delete all the files located in the following folder, it is hidden.
    C:\Windows\Applog
     
    markp62,
    #2


  3. to hide this advert.

  4. 2005/03/11
    stitch

    stitch Inactive Thread Starter

    Joined:
    2003/09/13
    Messages:
    302
    Likes Received:
    0
    Hi Mark
    I'm still having problems with that computer, i have posted a new log along with an error box that pops up whenever you try to click on anything at all.
    Thanks
    Stitch

    Error Message
    CALC caused an invalid page fault in
    module <unknown> at 0000:61b85d6a.
    Registers:
    EAX=7fffffff CS=0167 EIP=61b85d6a EFLGS=00010282
    EBX=00000000 SS=016f ESP=0056fcc4 EBP=0056fff4
    ECX=c14f9510 DS=016f ESI=0056fce0 FS=2cf7
    EDX=8171e464 ES=016f EDI=8171e614 GS=0000
    Bytes at CS:EIP:


    Log file

    Logfile of HijackThis v1.99.1
    Scan saved at 10:38:29, on 11/03/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\180AX.EXE
    C:\WINDOWS\SIXTYPOPSIX.EXE
    C:\WINDOWS\SYSTEM\LQMFGXL.EXE
    C:\WINDOWS\SYSTEM\WSXSVC\WSXSVC.EXE
    C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\PACKAGER.EXE
    C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {9F0D43E3-90B4-11D9-9386-0002BB71F9F7} - C:\WINDOWS\SYSTEM\BMPMCA.DLL
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
    O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\SIXTYPOPSIX.exe
    O4 - HKLM\..\Run: [ydar] C:\WINDOWS\ydar.exe
    O4 - HKLM\..\Run: [lqmfgxl] c:\windows\system\lqmfgxl.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
    O18 - Filter: text/html - {9F0D43E2-90B4-11D9-9386-0002D43D5C6C} - C:\WINDOWS\SYSTEM\BMPMCA.DLL
    O18 - Filter: text/plain - {9F0D43E2-90B4-11D9-9386-0002D43D5C6C} - C:\WINDOWS\SYSTEM\BMPMCA.DLL

    Thanks for any help
     
    stitch,
    #3
  5. 2005/03/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Post a stradrek log fo Mark62 please.

    Im curious if a runservesonce is present
     
    Lonny Jones,
    #4
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...