about:blank IE home page, popups


1 reply to this topic

#1 AL56

AL56

  • Members
  • 1 posts

Posted 03 October 2005 - 10:59 PM

IE home page keeps changing to about:blank. Popups with "only the best" in the title bar keep coming up, which are then directed to search4fun.net. Tried Spybot, Ad-Aware, CWShredder, StartDreck, Stopsign and probably a few others.
I fixed part of the log in HijackThis but it comes right back.

This is the part that keeps returning:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768

I also went into RegEdit in StartDreck and tried to get rid of all instances of the above file references. But it returns there too.
I'm not sure what else to do so I'd rather leave it for the professionals.
Please help!
Thanks, AL56

Logfile of HijackThis v1.99.1
Scan saved at 11:11:53 PM, on 10/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\D3IU32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPHA1MON.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE
C:\PROGRAM FILES\COMMON FILES\EACCELERATION\EANTHOLOGY.EXE
C:\WINDOWS\SYSTEM\ADDTQ32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\HPHIPM07.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = remote.brooklyn.cuny.edu:80
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {36243423-46FC-6AA3-B7B1-00B9FB828A5F} - C:\WINDOWS\SYSTEM\APPQE.DLL
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN3\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [zzzHPSETUP] S:\Setup.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPHA1MON] C:\WINDOWS\SYSTEM\HPHA1MON.EXE
O4 - HKLM\..\Run: [mdac_runonce] DISABLED:C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] DISABLED:"C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] DISABLED:"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [CitiVAN] DISABLED:C:\PROGRA~1\CITIVI~1\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [ccApp] DISABLED:"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] DISABLED:C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] DISABLED:C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [QuickTime Task] DISABLED:"C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IEXPLORE.EXE] DISABLED:C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [NETKZ.EXE] C:\WINDOWS\NETKZ.EXE
O4 - HKLM\..\Run: [webscan] "C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE" -k
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\SGINST.EXE /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRAM FILES\ACCELERATION SOFTWARE\DOWNLOADGUARD\DGUARD.EXE
O4 - HKLM\..\Run: [ADDTQ32.EXE] C:\WINDOWS\SYSTEM\ADDTQ32.EXE
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] DISABLED:"C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\RunServices: [Machine Debug Manager] DISABLED:C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] DISABLED:c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] DISABLED:"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] DISABLED:"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] DISABLED:"C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] DISABLED:C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] DISABLED:"C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [D3IU32.EXE] C:\WINDOWS\D3IU32.EXE /s
O4 - HKCU\..\Run: [Yahoo! Pager] DISABLED:C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] DISABLED:C:\PROGRA~1\SIMPLE~1\PHOTOS~1\DATA\XTRAS\MSSYSMGR.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Save to &Xdrive - C:\Program Files\Xdrive\Skip the Download\std.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\INSTANTMESSAGEAOL\AIM.EXE (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\PROGRA~1\CITIVI~1\CitiVAN.exe
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - http://lssbrc01.bankofny.com/sametime/java...STConnAgent.cab
O16 - DPF: JavaConnect - http://lssbrc01.bankofny.com/sametime/java...JavaConnect.cab
O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...printathome.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {459729AC-727D-4D97-B18A-72EE224EFEC0} (MDefControl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {C398F337-51D5-40C3-AA3B-684E833D8888} (Tetra Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab




I don't know if this helps but here's the STARTDRECK log:

StartDreck (build 2.1.7 public stable) - 2005-10-03 @ 23:37:58 (GMT -04:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Default at OEMCOMPUTER
Registry
Run Keys
Current User
Run
*Yahoo! Pager=DISABLED:C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
*PhotoShow Deluxe Media Manager=DISABLED:C:\PROGRA~1\SIMPLE~1\PHOTOS~1\DATA\XTRAS\MSSYSMGR.EXE
RunOnce
Default User
Run
*Yahoo! Pager=DISABLED:C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
*PhotoShow Deluxe Media Manager=DISABLED:C:\PROGRA~1\SIMPLE~1\PHOTOS~1\DATA\XTRAS\MSSYSMGR.EXE
RunOnce
Local Machine
Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*CountrySelection=pctptt.exe
*PTSNOOP=ptsnoop.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Microsoft IntelliType Pro="C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
*VortexTray=C:\WINDOWS\au10setp.exe 3
*zzzHPSETUP=S:\Setup.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*HPHA1MON=C:\WINDOWS\SYSTEM\HPHA1MON.EXE
*mdac_runonce=DISABLED:C:\WINDOWS\SYSTEM\runonce.exe
*IPInSightMonitor 01=DISABLED:"C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
*TkBellExe=DISABLED:"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*CriticalUpdate=c:\windows\SYSTEM\wucrtupd.exe -startup
*CitiVAN=DISABLED:C:\PROGRA~1\CITIVI~1\CitiVAN.exe /dontopenmycards
*ccApp=DISABLED:"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*Symantec Core LC=DISABLED:C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*Symantec NetDriver Monitor=DISABLED:C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
*QuickTime Task=DISABLED:"C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*IEXPLORE.EXE=DISABLED:C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*NETKZ.EXE=C:\WINDOWS\NETKZ.EXE
*webscan="C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE" -k
*EanthologyApp="C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
*sginst=C:\PROGRA~1\ACCELE~1\SCRIPT~1\SGINST.EXE /upd
*dguard=C:\PROGRAM FILES\ACCELERATION SOFTWARE\DOWNLOADGUARD\DGUARD.EXE
*ADDTQ32.EXE=C:\WINDOWS\SYSTEM\ADDTQ32.EXE
*SBC Yahoo! Connection Manager=DISABLED:"C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
RunOnce
RunServices
*Machine Debug Manager=DISABLED:C:\WINDOWS\SYSTEM\MDM.EXE
*KB891711=DISABLED:c:\windows\SYSTEM\KB891711\KB891711.EXE
*ccEvtMgr=DISABLED:"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr=DISABLED:"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*ISSVC=DISABLED:"C:\Program Files\Norton Internet Security\ISSVC.exe"
*ccProxy=DISABLED:C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
*ScriptBlocking=DISABLED:"C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*SchedulingAgent=mstask.exe
*D3IU32.EXE=C:\WINDOWS\D3IU32.EXE /s
RunServicesOnce
RunOnceEx
RunServicesOnceEx
File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=c:\windows\WScript.exe "%1" %*
+.jse
*JSEFile=c:\windows\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=c:\windows\NOTEPAD.EXE %1
+.vbs
*VBSFile=c:\windows\WScript.exe "%1" %*
+.vbe
*VBEFile=c:\windows\WScript.exe "%1" %*
+.wsh
*WSHFile=c:\windows\WScript.exe "%1" %*
+.wsf
*WSFFile=c:\windows\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
Browser Helper Objects (LM)
*{6ACD11BD-4CA0-4283-A8D8-872B9BA289B6}
`InprocServer32=C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL
*Nisbho.CNisExtBho.1/{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
`InprocServer32=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
*Class/{36243423-46FC-6AA3-B7B1-00B9FB828A5F}
`InprocServer32=C:\WINDOWS\SYSTEM\APPQE.DLL
Files
Autostart Folders
Current User
Default User
Local Machine
INI-Files
WIN.INI\[windows]
*LOAD=
*RUN=
SYSTEM.INI\[boot]
*SHELL=explorer.exe
Text Files
*C:\WINDOWS\msdos.sys
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\hosts
System/Drivers
Running Processes
+FFEF72D1=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF457D=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFB20D=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE1191=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE033D=C:\WINDOWS\D3IU32.EXE
+FFFE7EB5=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFEF2A1=C:\WINDOWS\EXPLORER.EXE
+FFE17E8D=C:\WINDOWS\TASKMON.EXE
+FFE14971=C:\WINDOWS\ptsnoop.exe
+FFE1BE11=C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
+FFE18915=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFE1B7D1=C:\WINDOWS\SYSTEM\HPHA1MON.EXE
+FFE1EBA1=C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE
+FFE18321=C:\PROGRAM FILES\COMMON FILES\EACCELERATION\EANTHOLOGY.EXE
+FFE06E6D=C:\WINDOWS\SYSTEM\ADDTQ32.EXE
+FFE0B949=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFE081CD=C:\WINDOWS\RUNDLL32.EXE
+FFE32DB1=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
+FFE3D929=C:\WINDOWS\SYSTEM\HPHIPM07.EXE
+FFE20C31=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
+FFE4BA01=C:\WINDOWS\SYSTEM\INTERNAT.EXE
+FFE4FD1D=C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
+FFE66CB1=C:\WINDOWS\DESKTOP\STARTDRECK.EXE
NT Services
Application specific



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts

Posted 11 October 2005 - 08:02 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Reboot your computer into Safe Mode

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
O2 - BHO: Class - {36243423-46FC-6AA3-B7B1-00B9FB828A5F} - C:\WINDOWS\SYSTEM\APPQE.DLL
O4 - HKLM\..\Run: [zzzHPSETUP] S:\Setup.exe
O4 - HKLM\..\Run: [mdac_runonce] DISABLED:C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] DISABLED:C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [NETKZ.EXE] C:\WINDOWS\NETKZ.EXE
O4 - HKLM\..\Run: [ADDTQ32.EXE] C:\WINDOWS\SYSTEM\ADDTQ32.EXE
O4 - HKLM\..\RunServices: [D3IU32.EXE] C:\WINDOWS\D3IU32.EXE /s
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {459729AC-727D-4D97-B18A-72EE224EFEC0} (MDefControl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {C398F337-51D5-40C3-AA3B-684E833D8888} (Tetra Class) - http://activex.microsoft.com/objects/ocget.dll


Then delete these files or directories (do not be concerned if they do not exist):

C:\WINDOWS\system\yeeyd.dll
C:\WINDOWS\SYSTEM\APPQE.DLL
C:\WINDOWS\NETKZ.EXE
C:\WINDOWS\SYSTEM\ADDTQ32.EXE
C:\WINDOWS\D3IU32.EXE

Reboot your computer to go back to normal mode and post a new log.
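
Once the new log is posted, the first check is whether any entry from the fix list is back, which is the behaviour AL56 reports. The following is an added example, not part of either post: it compares a fix list with a follow-up HijackThis log, matching R0/R1 `res://` hijacks by registry value so a match does not depend on the DLL name. The follow-up log, the `example.dll` name and the function names are constructed for illustration.

```python
import re

# A HijackThis entry line is "<section> - <details>", e.g. "R1 - HKCU\...,Search Bar = res://..."
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# Registry value that loads a page out of a local DLL, as in the R0/R1 lines of this thread
RES_DLL_RE = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

# Subset of the fix list from the reply above
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\yeeyd.dll/sp.html#44768
O2 - BHO: Class - {36243423-46FC-6AA3-B7B1-00B9FB828A5F} - C:\WINDOWS\SYSTEM\APPQE.DLL
O4 - HKLM\..\Run: [NETKZ.EXE] C:\WINDOWS\NETKZ.EXE
"""

# Constructed follow-up log (not from the thread); example.dll is a placeholder name
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\example.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
"""

def parse_entries(log_text):
    """Return (section, details) per entry line; header and process-list lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2).strip()) for m in matches if m]

def location(details):
    """Lower-cased text left of ' = ' (the registry value); the whole line if there is none."""
    return re.split(r"\s=\s*", details, maxsplit=1)[0].lower()

def res_hijacks(entries):
    """Map registry value -> DLL path for R0/R1 entries whose data is res://<dll>/..."""
    hits = {}
    for section, details in entries:
        parts = re.split(r"\s=\s*", details, maxsplit=1)
        if section in ("R0", "R1") and len(parts) == 2:
            m = RES_DLL_RE.match(parts[1])
            if m:
                hits[parts[0].lower()] = m.group(1).lower()
    return hits

def returned(fix_text, followup_text):
    """Fix-list entries present again in the follow-up log, in fix-list order."""
    fixed, after = parse_entries(fix_text), parse_entries(followup_text)
    after_lines = {details.lower() for _, details in after}
    fixed_res, after_res = res_hijacks(fixed), res_hijacks(after)
    back = []
    for _, details in fixed:
        loc = location(details)
        same_line = details.lower() in after_lines
        same_value_hijacked = loc in fixed_res and loc in after_res
        if same_line or same_value_hijacked:
            back.append(details)
    return back

if __name__ == "__main__":
    for entry in returned(FIX_LIST, FOLLOWUP_LOG):
        print("returned:", entry)
```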



