
Hijacked..About:this!



#1 Ray007

Posted 07 April 2005 - 11:15 PM

I am getting pretty frustrated... change that to read I AM frustrated with the About:blank hijack. I initially ran Spybot S&D and found several things to remove and did so. One I remember was the VX2 virus?? ...but still have the About:blank hijack. Excuse me if I misspeak. I am pretty ignorant as far as these issues. Please, if anyone can start me out on the road to fixing this... they will have a steak dinner if they are ever in my neck of the woods!

A MILLION thanks in advance!
Ray007

#2 bricat

Posted 08 April 2005 - 08:48 PM

First of all, download the following programmes: Spybot & Adaware SE

Update both of them first, then run both programmes and have them fix anything they find.

When you have run and fixed everything with Spybot Search and Destroy and AdAware, please reboot before scanning, as not everything can be removed when Windows is running.

Go to this page, and download 'Hijack This!'.

Click on SAVE, not RUN, and save it to your C:\ somewhere you can easily remember.

Unzip it, launch Hijack This, then press Scan, and press Save Log

This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

Open that file.
Go to Edit | Select all
Now click Edit | Copy to copy it

Do not change anything just yet.
Come back to the forum, right-click and paste its contents in THIS forum.

#3 Ray007

Posted 10 April 2005 - 03:03 PM

Bricat,
Thank you for your response/help. I've attached the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 3:48:51 PM, on 4/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\addln32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\appmx.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2B56AA49-1949-09E1-63C4-F9A683F6EB92} - C:\WINDOWS\system32\addln32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addln32.exe] C:\WINDOWS\system32\addln32.exe
O4 - HKLM\..\RunOnce: [appmx.exe] C:\WINDOWS\appmx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: as400-logon.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {2FD74BEC-AA17-49C0-A74E-3B20BE946496} - http://www.cursorzone.com/toolbar/files/czone_bundle_p3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06949F78-C7C6-4777-B285-E5A559709920}: NameServer = 192.168.1.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEE4EE1-C2EC-4334-8695-ED3CA92A3F67}: NameServer = 206.165.5.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{06949F78-C7C6-4777-B285-E5A559709920}: NameServer = 192.168.1.1,4.2.2.2
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\d3gu.exe" /s (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

#4 bricat

Posted 10 April 2005 - 03:25 PM

Rerun HJT, and put a tick beside these:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2B56AA49-1949-09E1-63C4-F9A683F6EB92} - C:\WINDOWS\system32\addln32.dll
O4 - HKLM\..\Run: [addln32.exe] C:\WINDOWS\system32\addln32.exe
O4 - HKLM\..\RunOnce: [appmx.exe] C:\WINDOWS\appmx.exe
O4 - Global Startup: as400-logon.bat
O16 - DPF: {2FD74BEC-AA17-49C0-A74E-3B20BE946496} - http://www.cursorzone.com/toolbar/files/czone_bundle_p3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06949F78-C7C6-4777-B285-E5A559709920}: NameServer = 192.168.1.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{06949F78-C7C6-4777-B285-E5A559709920}: NameServer = 192.168.1.1,4.2.2.2
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\d3gu.exe" /s (file missing)

Now close all windows and browsers and click FIX CHECKED.


Download About:Buster from either of the following locations.

http://www.atribune.org/downloads/AboutBuster.zip
or
http://tools.zerosrealm.com/AboutBuster.zip

Make sure you close ALL Internet Explorer windows. This is a very important step!!

Run AboutBuster.exe, click ok, then start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page.

ABOUT BUSTER TUTORIAL



Then boot up in SAFE MODE.

Then navigate to and delete these files\folders in BOLD:

C:\WINDOWS\system32\addln32.dll
C:\WINDOWS\appmx.exe


Then reboot and post a fresh HijackThis log.
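
The manual review in this thread, picking entries out of a HijackThis log, can be partly scripted. The following is an added example, not part of the original posts and not bricat's selection criteria: the heuristics and the names `triage`, `stem` and `SAMPLE_LOG` are assumptions for illustration, and the sample lines are copied from the log posted above.

```python
import re
from pathlib import PureWindowsPath

# Sample input: eight lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bdflh.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2B56AA49-1949-09E1-63C4-F9A683F6EB92} - C:\WINDOWS\system32\addln32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addln32.exe] C:\WINDOWS\system32\addln32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\d3gu.exe" /s (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.+)$")            # section code, rest of line
DLL_RES = re.compile(r"=\s*res://.+?\.dll/", re.I)    # value served out of a DLL
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx)', re.I)

def stem(path):
    """File name without directory or extension, lower-cased."""
    return PureWindowsPath(path).stem.lower()

def triage(log_text):
    """Return (code, reason, body) for entries matching the illustrative heuristics."""
    entries = [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]
    findings, bho_stems = [], set()
    for code, body in entries:
        if code in ("R0", "R1") and DLL_RES.search(body):
            findings.append((code, "IE setting points at a resource inside a DLL", body))
        elif code == "O2" and "(no name)" in body:
            findings.append((code, "unnamed Browser Helper Object", body))
            bho_stems.update(stem(p) for p in WIN_PATH.findall(body))
        elif code == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append((code, "service with unknown owner or missing file", body))
    # Second pass: autoruns whose file name matches an unnamed BHO's DLL.
    for code, body in entries:
        if code == "O4" and any(stem(p) in bho_stems for p in WIN_PATH.findall(body)):
            findings.append((code, "autorun shares its name with an unnamed BHO", body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:>3}  {reason}: {body}")
```

The flagged lines are candidates for a human reviewer, not a removal list; entries such as the `about:blank` default page are not caught by these heuristics.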



