IIS Server Security - about:blank SPYWARE... help me!!!


Author about:blank SPYWARE... help me!!!
Bmac

2004-05-05, 8:34 pm

ok, so about a week and a half ago i contracted a vicious
spyware that I call the "about:blank" spyware. this
thing changed my homepage to the URL "about:blank" but a
webpage that is titled "Seach For..." with various
subjects like "art," "cars," and "shopping."

now, im no fool. i tried basic anti-spyware programs
like Webroot and Spybot Search and Destroy, but nothing
changed. So i got Hijack This and ran it. I found what
the spyware was, deleted it and changed my homepage back
to Google. Everything went fine for maybe 24 hours and
then it re-appeared. So i ran Hijack This again and
found the spyware's file in the System32 folder and
deleted it in SAFE MODE. for a while, everything went
well, but now it's back and angry.

its given me two Trojan viruses and now i get
two "about:blank" popups everytime i start up IE along
with my homepage URL being "about:blank". so, does
anyone know how to stop the "about:blank" spyware? if so,
please help me and the many other victims.

i run Windows XP on a Falcon NorthWest Fragbox. i have
NAV.
chris

2004-05-08, 10:41 am

I am having same problem....I have tried many of the same things as
you, but with no success. I can't even get to the Trendmicro free
online virus / worm scan....not sure if this is caused by this thing.
I will post if I find a fix.

.....frustrating

"Bmac" <bmac8903@yahoo.com> wrote in message news:<90aa01c432fd$66ccd0b0$a001280a@phx.gbl>...
> ok, so about a week and a half ago i contracted a vicious
> spyware that I call the "about:blank" spyware. this
> thing changed my homepage to the URL "about:blank" but a
> webpage that is titled "Seach For..." with various
> subjects like "art," "cars," and "shopping."
>
> now, im no fool. i tried basic anti-spyware programs
> like Webroot and Spybot Search and Destroy, but nothing
> changed. So i got Hijack This and ran it. I found what
> the spyware was, deleted it and changed my homepage back
> to Google. Everything went fine for maybe 24 hours and
> then it re-appeared. So i ran Hijack This again and
> found the spyware's file in the System32 folder and
> deleted it in SAFE MODE. for a while, everything went
> well, but now it's back and angry.
>
> its given me two Trojan viruses and now i get
> two "about:blank" popups everytime i start up IE along
> with my homepage URL being "about:blank". so, does
> anyone know how to stop the "about:blank" spyware? if so,
> please help me and the many other victims.
>
> i run Windows XP on a Falcon NorthWest Fragbox. i have
> NAV.

Bummer

2004-05-11, 8:01 pm

Bummer. But wrong group, try an Internet Explorer group.


----- Bmac wrote: -----

ok, so about a week and a half ago i contracted a vicious
spyware that I call the "about:blank" spyware. this
thing changed my homepage to the URL "about:blank" but a
webpage that is titled "Seach For..." with various
subjects like "art," "cars," and "shopping."

now, im no fool. i tried basic anti-spyware programs
like Webroot and Spybot Search and Destroy, but nothing
changed. So i got Hijack This and ran it. I found what
the spyware was, deleted it and changed my homepage back
to Google. Everything went fine for maybe 24 hours and
then it re-appeared. So i ran Hijack This again and
found the spyware's file in the System32 folder and
deleted it in SAFE MODE. for a while, everything went
well, but now it's back and angry.

its given me two Trojan viruses and now i get
two "about:blank" popups everytime i start up IE along
with my homepage URL being "about:blank". so, does
anyone know how to stop the "about:blank" spyware? if so,
please help me and the many other victims.

i run Windows XP on a Falcon NorthWest Fragbox. i have
NAV.

alex211220@yahoo.com

2004-05-14, 5:38 am

Yep me too. I've tried different things to get this crap off my PC with no success. I'm really starting to get annoyed. Someone please help us!! If I find something that works I'll let you know.

Marcos

2004-05-16, 9:34 am

ok, i have EXACTLY THE SAME THAN YOU, so, i'm using ad-aware 6 and of
course i find the register keys and files some times and erase it, and
not much later it come up again, below i send you the log of my
ad-aware erasing action, you are gonna see in some places the keys
founded and the "about:blank" key , the ad-aware 6 name it as a
possible browser jacked, or something (i have it in spanish), i know
is not very useful, but maybe with it you can ask for more help as i'm
doing, thanks and sorry i didn't help you more

Lavasoft Ad-aware Personal Build 6.181
Logfile creado:Sábado, 15 de Mayo de 2004 03:00:14 p.m.
Created with Ad-aware Personal, free for private use.
Usando archivo de referencia:01R303 08.05.2004
______________________________________________________

Ad-aware Settings
=========================
Juego : Activar escaneo en profundidad
Juego : Modo seguro (siempre pide una confirmación)
Juego : Escanear procesos activos
Juego : Escanear registro
Juego : Escanear registro a fondo
Juego : Escanear Favorito de IE para los sitios prohibidos
Juego : Scan my Hosts file


15-05-04 03:00:14 p.m. - Scan started. (Smart mode)

Resultados Escaneo de la memoria:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nuevos objetos: 0
Objetos encontrados hasta ahora: 0


Inicio escaneo del Registro
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Objeto reconocido!
Tipo : RegValor
Fecha :
Rootkey : HKEY_LOCAL_MACHINE
Objeto : SOFTWARE\Microsoft\Internet Explorer\Main
Valor : HOMEOldSP


Resultados Escaneo del registro:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nuevos objetos: 1
Objetos encontrados hasta ahora: 1


Inicio escaneo profundo del Registro
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Posible secuestro del navegador : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Objeto reconocido!
Tipo : RegFecha
Fecha : "about:blank"
Rootkey : HKEY_CURRENT_USER
Objeto : Software\Microsoft\Internet Explorer\Main
Valor : Start Page
Fecha : "about:blank"

Posible secuestro del navegador : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Objeto reconocido!
Tipo : RegFecha
Fecha : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Objeto : Software\Microsoft\Internet Explorer\Main
Valor : Start Page
Fecha : "about:blank"

Posible secuestro del navegador : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Objeto reconocido!
Tipo : RegFecha
Fecha : "about:blank"
Rootkey : HKEY_USERS
Objeto : .Default\Software\Microsoft\Internet Explorer\Main
Valor : Start Page
Fecha : "about:blank"


CoolWebSearch Objeto reconocido!
Tipo : RegKey
Fecha :
Rootkey : HKEY_CLASSES_ROOT
Objeto : CLSID\{4169B121-A680-11D8-BA6F-0010A1B3D817}


CoolWebSearch Objeto reconocido!
Tipo : Archivo
Fecha : iaen.dll
Objeto : d:\windows\system\
FileSize : 30 KB
Created on : 15/05/04 12:58:07 p.m.
Last accessed : 14/05/04 10:00:00 p.m.
Last modified : 15/05/04 12:58:08 p.m.



CoolWebSearch Objeto reconocido!
Tipo : RegKey
Fecha :
Rootkey : HKEY_CLASSES_ROOT
Objeto : CLSID\{4169B122-A680-11D8-BA6F-001051614660}


CoolWebSearch Objeto reconocido!
Tipo : RegKey
Fecha :
Rootkey : HKEY_CLASSES_ROOT
Objeto : PROTOCOLS\Filter\text/html


CoolWebSearch Objeto reconocido!
Tipo : RegKey
Fecha :
Rootkey : HKEY_CLASSES_ROOT
Objeto : PROTOCOLS\Filter\text/plain


CoolWebSearch Objeto reconocido!
Tipo : RegKey
Fecha :
Rootkey : HKEY_LOCAL_MACHINE
Objeto : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4169B122-A680-11D8-BA6F-001051614660}


Resultados Escaneo Profundo del registro:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nuevos objetos: 8
Objetos encontrados hasta ahora: 10


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Objeto reconocido!
Tipo : Archivo
Fecha : marcos di paolo@doubleclick[1].txt
Objeto : D:\WINDOWS\Cookies\

Created on : 14/05/04 11:38:53 p.m.
Last accessed : 14/05/04 10:00:00 p.m.
Last modified : 14/05/04 11:38:54 p.m.



Tracking Cookie Objeto reconocido!
Tipo : Archivo
Fecha : marcos di paolo@fastclick[1].txt
Objeto : D:\WINDOWS\Cookies\

Created on : 14/05/04 11:56:02 p.m.
Last accessed : 14/05/04 10:00:00 p.m.
Last modified : 14/05/04 11:56:04 p.m.



Tracking Cookie Objeto reconocido!
Tipo : Archivo
Fecha : marcos di paolo@atdmt[2].txt
Objeto : D:\WINDOWS\Cookies\

Created on : 15/05/04 12:12:05 a.m.
Last accessed : 14/05/04 10:00:00 p.m.
Last modified : 15/05/04 12:12:06 a.m.



Tracking Cookie Objeto reconocido!
Tipo : Archivo
Fecha : marcos di paolo@advertising[1].txt
Objeto : D:\WINDOWS\Cookies\

Created on : 14/05/04 11:57:57 p.m.
Last accessed : 14/05/04 10:00:00 p.m.
Last modified : 14/05/04 11:57:58 p.m.



Tracking Cookie Objeto reconocido!
Tipo : Archivo
Fecha : marcos di paolo@ads.addynamix[2].txt
Objeto : D:\WINDOWS\Cookies\

Created on : 14/05/04 11:56:45 p.m.
Last accessed : 14/05/04 10:00:00 p.m.
Last modified : 14/05/04 11:56:46 p.m.



Tracking Cookie Objeto reconocido!
Tipo : Archivo
Fecha : marcos di paolo@servedby.advertising[1].txt
Objeto : D:\WINDOWS\Cookies\

Created on : 14/05/04 11:57:57 p.m.
Last accessed : 14/05/04 10:00:00 p.m.
Last modified : 14/05/04 11:57:58 p.m.


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Escaneando y examinando archivos en profundidad (D
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Scanning Hosts file(D:\WINDOWS\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
Nuevos objetos:0
Objetos encontrados hasta ahora: 16




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Objeto reconocido!
Tipo : RegValor
Fecha :
Rootkey : HKEY_CURRENT_USER
Objeto : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Valor : ITBarLayout


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nuevos objetos: 1
Objetos encontrados hasta ahora: 17


03:03:04 p.m. Escaneo completo

Resumen Del escaneo
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total tiempo escaneo:00:02:50:270
Objetos Escaneados:38404
Objetos identificados:17
Objetos ignorados:0
Nuevos objetos:17

"Bmac" <bmac8903@yahoo.com> wrote in message news:<90aa01c432fd$66ccd0b0$a001280a@phx.gbl>...
> ok, so about a week and a half ago i contracted a vicious
> spyware that I call the "about:blank" spyware. this
> thing changed my homepage to the URL "about:blank" but a
> webpage that is titled "Seach For..." with various
> subjects like "art," "cars," and "shopping."
>
> now, im no fool. i tried basic anti-spyware programs
> like Webroot and Spybot Search and Destroy, but nothing
> changed. So i got Hijack This and ran it. I found what
> the spyware was, deleted it and changed my homepage back
> to Google. Everything went fine for maybe 24 hours and
> then it re-appeared. So i ran Hijack This again and
> found the spyware's file in the System32 folder and
> deleted it in SAFE MODE. for a while, everything went
> well, but now it's back and angry.
>
> its given me two Trojan viruses and now i get
> two "about:blank" popups everytime i start up IE along
> with my homepage URL being "about:blank". so, does
> anyone know how to stop the "about:blank" spyware? if so,
> please help me and the many other victims.
>
> i run Windows XP on a Falcon NorthWest Fragbox. i have
> NAV.

Ron

2004-05-18, 9:19 am

Marco Wrote

marcos_dipaolo@hotmail.com (Marcos) wrote in message news:<a272553d.0405160544.7a5e316c@posting.google.com>...
> ok, i have EXACTLY THE SAME THAN YOU, so, i'm using ad-aware 6 and of
> course i find the register keys and files some times and erase it, and
> not much later it come up again, below i send you the log of my
> ad-aware erasing action, you are gonna see in some places the keys
> founded and the "about:blank" key , the ad-aware 6 name it as a
> possible browser jacked, or something (i have it in spanish), i know
> is not very useful, but maybe with it you can ask for more help as i'm
> doing, thanks and sorry i didn't help you more
>



I have the same problem. No Virus is found by Nortons or AVG
Anti-virus. Spy bot & AdAware find nothing. Trying to do a remote scan
from Nortons and Mcafee both hang after about 30 sec. IE and outlook
express crash if they start and there is no internet connection. I also
have random reboots and other apps crash. It is driving me crazy. Is
there anyone who knows the answer?

Ron
history2b

2004-05-19, 12:35 am

I have the same problem and here is a log from Hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 9:39:45 PM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\NOOBZ-~1\LOCALS~1\Temp\Rar$EX00.954\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9790FDBD-4421-4382-9D65-7E1ECCE47352} - C:\WINDOWS\System32\hpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\Ultimate Pop-up Blocker\Ultimate Pop-up Blocker.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Save As Scholar's Aid WebNote (HKLM)
O9 - Extra 'Tools' menuitem: Save As Scholar's Aid WebNote (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...81/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8051.0659490741
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab

If anyone out there can give me instructions as to what to do that would be great.
antjaw

2004-05-23, 3:11 pm

Simple fix

run ad-aware and delete all finds

reboot in safe mode by holding down F8 key during reboot.

go to c/windows/system 32

Delete jdkgj.dll

reboot normally

IE will not work anymore at this point.

Re-run ad-aware and delete all finds

reboot normally

Fixed.
rtgrimm

2004-05-26, 9:05 am

Has anyone tried this routine with any success? When you say "IE will not work anymore at this point," once you reboot, will IE operate properly or will you need to re-install anything, etc.?




quote:
Originally posted by antjaw
Simple fix

run ad-aware and delete all finds

reboot in safe mode by holding down F8 key during reboot.

go to c/windows/system 32

Delete jdkgj.dll

reboot normally

IE will not work anymore at this point.

Re-run ad-aware and delete all finds

reboot normally

Fixed.

antjaw

2004-05-31, 11:12 am

quote:
Originally posted by rtgrimm
Has anyone tried this routine with any success? When you say "IE will not work anymore at this point," once you reboot, will IE operate properly or will you need to re-install anything, etc.?


I had to figure this out on my own.. I did it and it worked... There is no need to re-install anything to make I.E. Work again. Just re-boot and it works.. Please post your results.
donmega

2004-06-01, 3:58 am

Just do a system restore to a date prior to getting "aboutblank".
auntiegene

2004-06-03, 12:06 pm

First off, I must point out that I can't take credit for this fix; I found it on another board.

Also bear in mind that the recurring dll in each of these lines may not be called "fkkb". Mine was called "nief", someone else on this board had one called "hpb". Just have a look and you'll see that the guilty dll is in each of the registry locations listed.

So, here's the fix.

Run HJThis 1.97 and click scan.

Tick the checkbox in front of these lines and click "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {A48F37B3-CBC1-4E1A-8DA6-6C6CF49579C8} - C:\WINDOWS\System32\fkkb.dll

The last one is the culprit of all your problems.

I carried this procedure out in Safe Mode (Windows XP Pro) and it worked a treat.

Good luck!
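
Added example (not from any poster in this thread): the pattern auntiegene describes, one randomly named DLL that appears in every hijacked search entry and again as a BHO on an O2 line, can be checked mechanically. The Python below parses HijackThis 1.97-style lines and reports DLLs that show up in both places; the sample log is constructed from lines quoted in the thread, and the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# R0/R1 entry whose data is a res:// URL served out of a DLL, e.g.
# R1 - HKCU\...\Main,Search Bar = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R_LINE = re.compile(
    r"^R[0-3] - (?P<hive>HKCU|HKLM)\\(?P<key>[^,]+),(?P<value>[^=]+?) = "
    r"res://(?P<dll>[^/]+?\.dll)/",
    re.IGNORECASE,
)

# Browser Helper Object entry, e.g.
# O2 - BHO: (no name) - {CLSID} - C:\WINDOWS\System32\fkkb.dll
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<dll>.+\.dll)\s*$",
    re.IGNORECASE,
)

# Constructed sample, assembled from lines quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A48F37B3-CBC1-4E1A-8DA6-6C6CF49579C8} - C:\WINDOWS\System32\fkkb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""


def find_hijacker_dlls(log_text):
    """Return DLLs referenced by a res:// search entry AND loaded as a BHO.

    Keys are lower-cased DLL paths (Windows paths are case-insensitive);
    each value lists the registry entries and BHO CLSIDs pointing at it.
    """
    search_refs = defaultdict(list)  # dll path -> ["HKCU\key,value", ...]
    bhos = defaultdict(list)         # dll path -> ["{CLSID}", ...]

    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            entry = "{}\\{},{}".format(m["hive"], m["key"], m["value"].strip())
            search_refs[m["dll"].lower()].append(entry)
            continue
        m = BHO_LINE.match(line)
        if m:
            bhos[m["dll"].lower()].append(m["clsid"].upper())

    # Only a DLL present in both maps matches the pattern from the thread;
    # a BHO on its own (e.g. the Acrobat helper) is not reported.
    return {
        dll: {"search_entries": search_refs[dll], "bho_clsids": bhos[dll]}
        for dll in sorted(search_refs.keys() & bhos.keys())
    }


if __name__ == "__main__":
    for dll, info in find_hijacker_dlls(SAMPLE_LOG).items():
        print("Suspect DLL:", dll)
        for clsid in info["bho_clsids"]:
            print("  BHO CLSID:", clsid)
        for entry in info["search_entries"]:
            print("  Hijacked entry:", entry)
```
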
MysticSpirit

2004-06-03, 3:26 pm

*screams*

Now that is out of my system... I have the same problem right at this moment been working on it for 12 hours straight with some sleep in between scans. I have tried the "simple fix" but it seems there is no file called "jdkgj.dll" in Windows XP Pro so that went out the door.

I have tried getting gone by clearing the reg of unknown objects, cleaning the harddrive of unknown files and what not. I have used Ad-ware, Spy Search & Destroy, Anity-Ghost, Norton... Norton doesn't pick anything up so go figure. I have tried going to Trend House Call Online Scan but it gives me an error when I get to the scanning page. I have recently used Hijack This and the log isn't too clear about it so here:

Logfile of HijackThis v1.97.7
Scan saved at 12:12:11 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\NeoWatch\NWSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NeoWatch\NeoWatchTray.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {95FAEBDA-D26F-4FE2-984C-0C1BD8C0E3B0} - C:\WINDOWS\System32\egehfg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: NeoWatch Startup.lnk = C:\Program Files\NeoWatch\NeoWatchTray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NeoWatch\NTXcontext.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20d011c...ip/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gi...in/mgaxctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.frightmistress.com/AxisCamControl.ocx
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8020.3860763889
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16FC13B0-6A38-4292-A66E-51C43EEDAD3E}: NameServer = 24.221.30.3,24.221.30.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EB35868-ED19-4A41-A9E4-2E69124794C9}: NameServer = 68.2.16.30,68.2.16.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{733B3CC8-B9D0-4FF9-91F4-D28511B57918}: NameServer = 24.221.30.3,24.221.30.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{972D5F31-A695-433D-92C4-5FC610B88A2B}: NameServer = 68.2.16.30,68.2.16.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{2EB35868-ED19-4A41-A9E4-2E69124794C9}: NameServer = 68.2.16.30,68.2.16.25
O17 - HKLM\System\CS2\Services\Tcpip\..\{16FC13B0-6A38-4292-A66E-51C43EEDAD3E}: NameServer = 24.221.30.3,24.221.30.4
O17 - HKLM\System\CS3\Services\Tcpip\..\{16FC13B0-6A38-4292-A66E-51C43EEDAD3E}: NameServer = 24.221.30.3,24.221.30.4

If you can make it out go ahead and give me the heads up cause I'm either clueless at the moment or I need more sleep.... And if you guys got any other ideas to kill this thing please drop a line.
meripete

2004-06-08, 8:29 pm

I used the following steps to solve the same problem:
1. Run Adaware 6.0 and delete anything it finds.
2. Boot in Safe Mode (F8 during startup).
3. Deleted a bunch of files that had a time-stamp matching the time when my problems started. For my system, it meant the following files from system32: bhbpk.dll, dwspyvb.dll, fjfklm.dll, imh.dll (i think this was the culprit), lcpjl.dll, lihnkmc.dll, mhim.dll, wpa.dbl; from windows: dict.dat, zaebalinah.exe, winh.exe, iun6002.exe.
4. Still in safe mode, I ran Adaware again. It found one more piece of spyware.
5. Ran HijackThis.exe and removed anything that was related to Internet Explorer except google toolbar stuff.
6. Rebooted in normal mode. Launched IE and set my homepage to google.
7. Closed IE and launched it again to see if the home page would revert back to about:blank. Luckily, it didn't.
8. Rebooted and tried closing and opening IE a couple of times to be entirely sure.
donato

2004-06-09, 8:14 am

I have EXACTLY THE SAME AS YOU too!!
but, i installed the trial software: Kaspersky Anti-Virus Personal 4.5
and 5.0
( http://www.kaspersky.com/trials )
This found and deleted the Trojan: "Trojan.WIN32.StartPage.gv"
Now i have no problem like this !!

Before, i tried to solve this Problem with "Adaware", "Spybot - Search
& Destroy", but it didn't help !!

by

donato
rjandacek

2004-06-10, 5:12 pm

I had the same exact problem and this is how I solved it.
1) I determined when (at what time) the machine was infected by
searching for modified files on that date.
2) I then found 2 files created on that date that weren't installed
with any user interaction (because that user said they didn't install
any programs on that date)....which I verified. The two files that are
in question in my case were ipolon.dll and iun6002.exe.
ipolon.dll was located in C:\windows\system32 (XP Pro is the O/S)
iun6002.exe was located in the root of the O/S install ( c:\windows)
I renamed both these files to .old
I then rebooted into safe mode and reran Spybot S&D and Adaware and
deleted any results found with these programs....

This seemed to solve the problem, and I hope it helps someone
else....until this particular problem becomes "well-known" by spyware
defenders, a manual hack may be the only choice. --Robert



meripete <meripete.17l3de@mail.webservertalk.com> wrote in message news:<meripete.17l3de@mail.webservertalk.com>...
> I used the following steps to solve the same problem:
> 1. Run Adaware 6.0 and delete anything it finds.
> 2. Boot in Safe Mode (F8 during startup).
> 3. Deleted a bunch of files that had a time-stamp matching the time
> when my problems started. For my system, it meant the following files
> from system32: bhbpk.dll, dwspyvb.dll, fjfklm.dll, imh.dll (i think this
> was the culprit), lcpjl.dll, lihnkmc.dll, mhim.dll, wpa.dbl; from
> windows: dict.dat, zaebalinah.exe, winh.exe, iun6002.exe.
> 4. Still in safe mode, I ran Adaware again. It found one more piece of
> spyware.
> 5. Ran HijackThis.exe and removed anything that was related to Internet
> Explorer except google toolbar stuff.
> 6. Rebooted in normal mode. Launched IE and set my homepage to google.
> 7. Closed IE and launched it again to see if the home page would revert
> back to about:blank. Luckily, it didn't.
> 8. Rebooted and tried closing and opening IE a couple of times to be
> entirely sure.

paulito

2004-06-15, 5:58 pm

I had the exact same problem. Ad-aware has a fix for it now. Just run it
and get the most recent update (06/14/2004). I ran it and fixed everything.


rjandacek@cox.net (rjandacek) wrote in message news:<a06da062.0406101319.7e719944@posting.google.com>...
> I had the same exact problem and this is how I solved it.
> 1) I determined when (at what time) the machine was infected by
> searching for modified files on that date.
> 2) I then found 2 files created on that date that weren't installed
> with any user interaction (because that user said they didn't install
> any programs on that date)....which I verified. The two files that are
> in question in my case were ipolon.dll and iun6002.exe.
> ipolon.dll was located in C:\windows\system32 (XP Pro is the O/S)
> iun6002.exe was located in the root of the O/S install ( c:\windows)
> I renamed both these files to .old
> I then rebooted into safe mode and reran Spybot S&D and Adaware and
> deleted any results found with these programs....
>
> This seemed to solve the problem, and I hope it helps someone
> else....until this particular problem becomes "well-known" by spyware
> defenders, a manual hack may be the only choice. --Robert
>
>
>
> meripete <meripete.17l3de@mail.webservertalk.com> wrote in message news:<meripete.17l3de@mail.webservertalk.com>...
Ranger

2004-06-16, 8:13 pm

Probably I am a little too late with 'my help', but if you haven't been able to fix your problem yet, here is what I found in your logfile:

O2 - BHO: (no name) - {9790FDBD-4421-4382-9D65-7E1ECCE47352} - C:\WINDOWS\System32\hpb.dll

This entry is highly suspicious and I am pretty sure this is the root of the problem. Fix it with HijackThis (keep a back up, just in case), restart and you are done.

Of course I had the same problem, tried many, many software programs, but HijackThis is the smallest, fastest and easiest program that did it!

Good luck and it would be nice to know how you fared.


quote:
Originally posted by history2b
I have the same problem and here is a log from Hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 9:39:45 PM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\NOOBZ-~1\LOCALS~1\Temp\Rar$EX00.954\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hpb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9790FDBD-4421-4382-9D65-7E1ECCE47352} - C:\WINDOWS\System32\hpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\Ultimate Pop-up Blocker\Ultimate Pop-up Blocker.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Save As Scholar's Aid WebNote (HKLM)
O9 - Extra 'Tools' menuitem: Save As Scholar's Aid WebNote (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...81/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8051.0659490741
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab

If anyone out there can give me instructions as to what to do that would be great.

Ranger

2004-06-16, 8:59 pm

You probably have the bug out of your system by now, but if not this may help.
BHOs are little helper programs (Browser Helper Objects) that extend MIE. Hijackers often use them to display ads and/or track your internet activities. I am sure this is the villain:

O2 - BHO: (no name) - {95FAEBDA-D26F-4FE2-984C-0C1BD8C0E3B0} - C:\WINDOWS\System32\egehfg.dll

Fix it with HijackThis, but read on first!

Of course, not all BHOs are evil. Look carefully at the name before deleting. Make a back up (HijackThis does this for you) so you can reinstall it if necessary.

Good luck!

quote:
Originally posted by MysticSpirit
*screams*

Now that is out of my system... I have the same problem right at this moment been working on it for 12 hours straight with some sleep in between scans. I have tried the "simple fix" but it seems there is no file called "jdkgj.dll" in Windows XP Pro so that went out the door.

I have tried getting gone by clearing the reg of unknown objects, cleaning the harddrive of unknown files and what not. I have used Ad-ware, Spy Search & Destroy, Anity-Ghost, Norton... Norton isn't picking anything up so go figure. I have tried going to Trend House Call Online Scan but it gives me an error when I get to the scanning page. I have recently used Hijack This and the log isn't too clear about it so here:

Logfile of HijackThis v1.97.7
Scan saved at 12:12:11 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\NeoWatch\NWSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NeoWatch\NeoWatchTray.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {95FAEBDA-D26F-4FE2-984C-0C1BD8C0E3B0} - C:\WINDOWS\System32\egehfg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: NeoWatch Startup.lnk = C:\Program Files\NeoWatch\NeoWatchTray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NeoWatch\NTXcontext.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20d011c...ip/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gi...in/mgaxctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.frightmistress.com/AxisCamControl.ocx
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8020.3860763889
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16FC13B0-6A38-4292-A66E-51C43EEDAD3E}: NameServer = 24.221.30.3,24.221.30.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EB35868-ED19-4A41-A9E4-2E69124794C9}: NameServer = 68.2.16.30,68.2.16.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{733B3CC8-B9D0-4FF9-91F4-D28511B57918}: NameServer = 24.221.30.3,24.221.30.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{972D5F31-A695-433D-92C4-5FC610B88A2B}: NameServer = 68.2.16.30,68.2.16.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{2EB35868-ED19-4A41-A9E4-2E69124794C9}: NameServer = 68.2.16.30,68.2.16.25
O17 - HKLM\System\CS2\Services\Tcpip\..\{16FC13B0-6A38-4292-A66E-51C43EEDAD3E}: NameServer = 24.221.30.3,24.221.30.4
O17 - HKLM\System\CS3\Services\Tcpip\..\{16FC13B0-6A38-4292-A66E-51C43EEDAD3E}: NameServer = 24.221.30.3,24.221.30.4

If you can make it out go ahead and give me the heads up cause I'm either clueless at the moment or I need more sleep.... And if you guys got any other ideas to kill this thing please drop a line.
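
An added example, not part of any post in this thread: Ranger's two replies pick out the BHO whose DLL is the same file the hijacked `res://...dll/sp.html` search pages are served from, and this Python sketch automates that correlation over a HijackThis log. The sample log is constructed from the entry types quoted above (placeholder hosts values, one line wrapped the way the forum wrapped the posted logs), and the default hosts path is an assumption for NT-family Windows.

```python
import re
from collections import defaultdict

# Constructed sample condensed from the entry types quoted in this thread.
# The hosts IP/name are documentation placeholders; the last BHO line is
# wrapped mid-path the way the forum software wrapped the posted logs.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egehfg.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 192.0.2.69 search.example
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {95FAEBDA-D26F-4FE2-984C-0C1BD8C0E3B0} - C:\WINDOWS\Sy
stem32\egehfg.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

ENTRY = re.compile(r"^(?:R[0-3]|O\d{1,2}) - ")
R_ENTRY = re.compile(r"^R[0-3] - (HK(?:CU|LM)\\[^,]+),([^=]+?)\s*=\s*(.*)$")
BHO = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
HOSTS_AT = re.compile(r"^O1 - Hosts file is located at: (.+)$")
HOSTS_ROW = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.I)
# Assumption: default hosts location on NT-family Windows (XP/2000).
DEFAULT_HOSTS_SUFFIX = r"\system32\drivers\etc\hosts"


def unwrap(text):
    """Rejoin log entries that a mail/forum gateway split across lines."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if line and out and out[-1] and ENTRY.match(out[-1]) and not ENTRY.match(line):
            out[-1] += line      # continuation of the previous entry
        else:
            out.append(line)     # blank lines are kept so they stop any join
    return [l for l in out if l]


def triage(text):
    """Return findings that tie IE search-page hijacks to the DLL behind them."""
    res_refs = defaultdict(list)  # lowercased DLL path -> registry values using it
    bhos, findings = [], []
    for line in unwrap(text):
        m = R_ENTRY.match(line)
        if m:
            key, name, value = m.groups()
            dll = RES_DLL.match(value)
            if dll:
                res_refs[dll.group(1).lower()].append(f"{key},{name}")
            elif value.lower().startswith("file://"):
                findings.append({"kind": "local-search-page",
                                 "subject": f"{key},{name}", "detail": value})
            continue
        m = BHO.match(line)
        if m:
            bhos.append(m.groups())
            continue
        m = HOSTS_AT.match(line)
        if m and not m.group(1).lower().endswith(DEFAULT_HOSTS_SUFFIX):
            findings.append({"kind": "hosts-relocated", "subject": m.group(1),
                             "detail": "hosts file path differs from the default"})
            continue
        m = HOSTS_ROW.match(line)
        if m and m.group(2).lower() != "localhost":
            findings.append({"kind": "hosts-redirect", "subject": m.group(2),
                             "detail": m.group(1)})
    for _name, clsid, path in bhos:
        refs = res_refs.get(path.strip().lower())
        if refs:  # this BHO's DLL is also what the res:// search pages load
            findings.append({"kind": "bho-serves-search-page", "subject": clsid,
                             "detail": path, "refs": refs})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["kind"], "|", finding["subject"], "|", finding["detail"])
```

The Acrobat helper is also listed as "(no name)" but is not flagged, because nothing in the R entries points into its DLL; that is the distinction Ranger draws when saying not all BHOs are evil.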

cva101

2004-06-24, 3:35 pm

quote:
Originally posted by antjaw
I had to figure this out on my own.. I did it and it worked... There is no need to re-install anything to make I.E. Work again. Just re-boot and it works.. Please post your results.



Do you have a fix for Windows2000Pro? I was not able to locate the .dll file on the specified directory or elsewhere. Please advise, thanks!
jcva

2004-06-30, 6:01 pm

cva101 <cva101.18grac@mail.webservertalk.com> wrote in message news:<cva101.18grac@mail.webservertalk.com>...
> antjaw wrote:
>
>
> Do you have a fix for Windows2000Pro? I was not able to locate the .dll
> file on the specified directory or elsewhere. Please advise, thanks!


I have the same problem and Adware seems not to resolve it. I
downloaded the latest definitions and it still keeps popping up.
I'll check for exe files from that date when it first was "infected"
to check if I can stop it. The registry is being changed also, even
after ADware seems to remove the problem.
What is interesting though, is that at 5:51PM a new dll is added to
windows\system32 folder, of course I renamed it first. They come
with weird names (possibly randomly created).

I will post something after I track more deeply.
Tom Pepper Willett

2004-06-30, 6:01 pm

And, since this is a Microsoft IIS web server newsgroup, you might have a
problem getting an answer, as it's not related to your problem. ;-)

Tom
"jcva" <jcvel@canada.com> wrote in message
news:d8af645d.0406301123.678f1986@posting.google.com...
| cva101 <cva101.18grac@mail.webservertalk.com> wrote in message
news:<cva101.18grac@mail.webservertalk.com>...
| > antjaw wrote:
| > > *I had to figure this out on my own.. I did it and it worked... There
| > > is no need to re-install anything to make I.E. Work again. Just
| > > re-boot and it works.. Please post your results. *
| >
| >
| > Do you have a fix for Windows2000Pro? I was not able to locate the .dll
| > file on the specified directory or elsewhere. Please advise, thanks!
|
| I have the same problem and Adware seems not to resolve it. I
| downloaded the latest definitions and it still keeps popping up.
| I'll check for exe files from that date when it first was "infected"
| to check if I can stop it. The registry is being changed also, even
| after ADware seems to remove the problem.
| What is interesting though, is that at 5:51PM a new dll is added to
| windows\system32 folder, of course I renamed it first. They come
| with weird names (possibly randomly created).
|
| I will post something after I track more deeply.


Martin

2004-06-30, 8:52 pm

Holy Underpants Batman - This one is a beauty!

Finally got it cleaned. None of the major Spyware cleaners could fix
it and the virus checkers (latest sigs from 30th June 2004) missed it
too.

Thanks for all you guys help!

Using HijackThis I removed the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Not sure what the sp.html was but it didn't look right. I made a
backup first though I also removed this:

O2 - BHO: (no name) - {BE42890D-84C7-4FBE-B861-0182E923C1E3} - C:\WINDOWS\System32\jljnlop.dll

I went into c:\windows\system32 and noticed it had also moved
notepad.exe to notepad.exe.bak and put a new notepad.exe in the
c:\windows. I removed these plus the other file created around the
same time (that was the jljnlop.dll), did a reboot and all is fine now


Seems like it corrupts a few programs, not just IE. I'm going to
search for files around the same date to make sure it hasn't done
anything else. - Thanks again people!
radrickdavis

2004-07-03, 8:31 pm

Hey Martin,

I've been following this thread for the past week trying to find solutions to this problem. You seem to have discovered all the same things I've found on my system including the odd sp.html, and the movement of the notepad file. Yesterday I thought I solved the problem by using hijackthis, and attacked the suspicious registry files. My homepage was restored at first, but it soon creeped back to about:blank, and now everything has returned to its infected state once again.

Is your system still bug free? Otherwise let me know exactly what procedure you followed to clean up this mess.

Anyone else have similar results or fixes?
Martin

2004-07-09, 12:01 pm

Hey Radrick,

Sadly, yes, I am infected again. I cleaned it again and it came back
- I am on my third infection! I will clean it again this weekend. I
think the shortcut "My Computer" on the start menu might have it as
well, but am not sure.

I'll post again after the next cleaning! I don't have time during the
week and to be honest I rarely use the PC (gimme Unix or Mac any day!)

Martin
Tom Pepper Willett

2004-07-09, 12:01 pm

You should try one of the security or virus newsgroups, since it's not an
IIS web server issue ;-)

Tom

"Martin" <smiffy@smiffysbooks.com> wrote in message
news:664a2a.0407081151.709cfeae@posting.google.com...
| Hey Radrick,
|
| Sadly, yes, I am infected again. I cleaned it again and it came back
| - I am on my third infection! I will clean it again this weekend. I
| think the shortcut "My Computer" on the start menu might have it as
| well, but am not sure.
|
| I'll post again after the next cleaning! I don't have time during the
| week and to be honest I rarely use the PC (gimme Unix or Mac any day!)
|
| Martin


gomer123

2004-07-11, 2:24 pm

I just busted my hump with this same issue.

1. Close all apps including IE

2. Search your registry for mfplay.dll and (to be safe) rename all occurrences to mfplay.junk.

3. Search all of your local hard drives for mfplay*.* and rename everything. As far as my research goes, these files have no use with MS.

4. Clean out your temp folders (TEMP, Windows\temp, temporary internet files, local settings...etc).

You should now be able to set your home page without having any issues. I had to use regmon.exe to trace this down.

Happy 'Puting...
-Sid
Gnildir

2004-07-16, 12:57 am

hmmm, I had the exact same problem like everyone else. the about:blank in the address bar, even I tried to set it to my favorite page, and the 2 pop-ups (one of them look like bugs having an orgy). I got rid of it all in 1 easy step, not exactly 1. I downloaded CWShredder. The about:blank is a Cool Web Search spyware or a variant of it. the CWShredder restored my Internet Explorer, and now, any programs that I use that depends on IE for the web now is free of that pop-up...

now, I get to tell my dumb boss (who is a certified Micro$oft technician) on how I fixed it.

any questions, email me... awridling@hotmail.com
HIP

2004-07-20, 9:57 am

Is your computer still clean? I'm about to give it a try and your fix is by far the simplest. Thanks.

quote:
Originally posted by Gnildir
hmmm, I had the exact same problem like everyone else. the about:blank in the address bar, even I tried to set it to my favorite page, and the 2 pop-ups (one of them look like bugs having an orgy). I got rid of it all in 1 easy step, not exactly 1. I downloaded CWShredder. The about:blank is a Cool Web Search spyware or a variant of it. the CWShredder restored my Internet Explorer, and now, any programs that I use that depends on IE for the web now is free of that pop-up...

now, I get to tell my dumb boss (who is a certified Micro$oft technician) on how I fixed it.

any questions, email me... awridling@hotmail.com

Tom Pepper Willett

2004-07-20, 8:56 pm

Unfortunately, this has nothing to do with the IIS Web Server ;(


Tom
"HIP" <HIP.19ps92@mail.webservertalk.com> wrote in message
news:HIP.19ps92@mail.webservertalk.com...
|
| Is your computer still clean? I'm about to give it a try and your fix
| is by far the simplest. Thanks.
|
| Gnildir wrote:
| > *hmmm, I had the exact same problem like everyone else. the
| > about:blank in the address bar, even I tried to set it to my favorite
| > page, and the 2 pop-ups (one of them look like bugs having an orgy).
| > I got rid of it all in 1 easy step, not exactly 1. I downloaded
| > CWShredder. The about:blank is a Cool Web Search spyware or a
| > variant of it. the CWShredder restored my Internet Explorer, and
| > now, any programs that I use that depends on IE for the web now is
| > free of that pop-up...
| >
| > now, I get to tell my dumb boss (who is a certified Micro$oft
| > technician) on how I fixed it.
| >
| > any questions, email me... awridling@hotmail.com *
|
|
|
| --
| HIP
|


imagine

2004-07-24, 1:48 pm

I don't know if this really did anything, but when I deleted about:blank out of my Offline Webpages folder, IE6 stopped reverting the homepage to about:blank.

Just a thought, I am still getting the popups when I run Yahoo or other IE-dependent programs.
imagine

2004-07-24, 1:58 pm

Holy Crap!!!

The CWS Shredder Worked, and after I spent $30 on Spyware removal software the free one is the one that works.

Thanks HIP.
Tom Pepper Willett

2004-07-24, 8:55 pm

Glad to hear it, even though it has nothing to do with IIS

Tom
"imagine" <imagine.19x6x1@mail.webservertalk.com> wrote in message
news:imagine.19x6x1@mail.webservertalk.com...
|
| Holy Crap!!!
|
| The CWS Shredder Worked, and after I spent $30 on Spyware removal
| software the free one is the one that works.
|
| Thanks HIP.
|
|
|
| --
| imagine
|


mmmatt

2004-08-06, 2:23 pm

quote:
Originally posted by antjaw
Simple fix

run ad-aware and delete all finds

reboot in safe mode by holding down F8 key during reboot.

go to c/windows/system 32

Delete jdkgj.dll

reboot normally

IE will not work anymore at this point.

Re-run ad-aware and delete all finds

reboot normally

Fixed.


Thank you for the help with this. I came across this forum with a google search. I did as listed above, except I did not find the dll file this person listed. While in safe mode I did a "find file" for *.dll, I listed by date, and I found a .dll file that was from the date that I first started having problems. The name of this file was ncm.dll and I found it in c:\windows\system . I deleted this file and rebooted... problem solved. I run win 98. As a side note, when the original poster said "ie will not run" he means that in safe mode ie will not run, but deleting this file will not hamper the use of ie in any way... just reboot into normal mode and you will be fine.

Matt
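
An added example, not written by anyone in this thread: several posters above located the dropped files by listing .dll/.exe files stamped around the time their problems started, and this Python sketch does that triage for a set of directories. The onset time, window and extension list are assumptions chosen for illustration, and the demo runs on a throwaway directory of constructed files.

```python
import os
import tempfile
from datetime import datetime, timedelta

SUSPECT_EXTS = (".dll", ".exe", ".dat")   # file types the posters reported


def files_near(directories, when, window=timedelta(hours=2), exts=SUSPECT_EXTS):
    """Return (path, which, timestamp) for files stamped within `window` of `when`.

    `which` is "modified" or "changed/created": st_ctime is the creation time
    on Windows and the inode-change time on Unix, so both stamps are checked.
    """
    lo, hi = (when - window).timestamp(), (when + window).timestamp()
    hits = []
    for directory in directories:
        with os.scandir(directory) as entries:   # top level only, like the posts
            for entry in entries:
                if not entry.is_file(follow_symlinks=False):
                    continue
                if not entry.name.lower().endswith(exts):
                    continue
                st = entry.stat(follow_symlinks=False)
                stamps = (("modified", st.st_mtime), ("changed/created", st.st_ctime))
                for which, ts in stamps:
                    if lo <= ts <= hi:
                        hits.append((entry.path, which, datetime.fromtimestamp(ts)))
                        break                    # one hit per file is enough
    return sorted(hits, key=lambda hit: hit[2])


def demo():
    """Triage a temporary directory of constructed files; return matching names."""
    onset = datetime(2004, 6, 30, 17, 51)        # constructed onset time
    with tempfile.TemporaryDirectory() as folder:
        stamps = {
            "jljnlop.dll": onset + timedelta(minutes=3),   # dropped near onset
            "shell32.dll": onset - timedelta(days=400),    # long-standing file
            "readme.txt": onset,                           # wrong file type
        }
        for name, stamp in stamps.items():
            path = os.path.join(folder, name)
            open(path, "wb").close()
            os.utime(path, (stamp.timestamp(), stamp.timestamp()))
        return [os.path.basename(p) for p, _, _ in files_near([folder], onset)]


if __name__ == "__main__":
    print(demo())
```

File timestamps can be rewritten by whatever dropped the file, so a listing like this narrows the search rather than proving a file is clean or malicious; rename or back up a candidate before deleting it, as several posters did.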
Shamirum

2004-08-24, 7:05 pm

I ran the Kaspersky Anti-Virus Personal 5.0 and it 'seemed' to be a
miracle. It found seven viruses and asked me to delete all of them, but
it didn't save a backup!!! Now my 'Search' option in Windows XP (Media
Center Edition) and my System Restore won't work at all. I'm not sure,
but I believe I may have deleted an important system file. I can't even
run these programs in Safe Mode. Can someone please help me?



Tom Pepper Willett

2004-08-27, 6:17 pm

Nothing to do with the IIS web server.
Try a Windows XP newsgroup?

Tom
"Shamirum" <assyriana@yahoo.com> wrote in message
news:%23WowsMgiEHA.1356@TK2MSFTNGP09.phx.gbl...
| I ran the Kaspersky Anti-Virus Personal 5.0 and it 'seemed' to be a
| miracle. It found seven viruses and asked me to delete all of them, but
| it didn't save a backup!!! Now my 'Search' option in Windows XP (Media
| Center Edition) and my System Restore won't work at all. I'm not sure,
| but I believe I may have deleted an important system file. I can't even
| run these programs in Safe Mode. Can someone please help me?
|
|
|


duke

2004-11-01, 9:26 am

quote:
Originally posted by rtgrimm
Has anyone tried this routine with any success? When you say "IE will not work anymore at this point," once you reboot, will IE operate properly or will you need to re-install anything, etc.?


Hi, I tried it, it works fine but the name of the .DLL changes, for example, in my case it was found in C:\windows\system and the name was KAPKH.DLL

Besides this, I applied some security patches in my O.S.

Regards,

duke
rawiloo

2005-01-15, 6:58 am

hey guy i can help you with this virus and i had spent about 12 hours sitting on the same chair just to kick this search for adware. no scanner is required .... you want help mail me only on rawiloo@hotmail.com and you will get the answer in second......FREE i mean IT not a cent is required nothing at all. all you got is the answer for that Sh*t

Copyright 2003 - 2008 webservertalk.com