home page hijacked Need Help

Discussion in 'Trojan Defence Suite' started by higginb, Jun 20, 2004.

Thread Status:
Not open for further replies.
  1. higginb

    higginb Registered Member

    Joined:
    Jun 20, 2004
    Posts:
    2
    Please help. My homepage is now constantly about:blank. Here are my HijackThis and TDS logs.
    Scan Control Dumped @ 18:21:03 20-06-04
    Suspicious Filename: HTA file in suspicious location
    File: c:\program files\microsoft money\system\discover.hta

    Suspicious Filename: HTA file in suspicious location
    File: c:\program files\microsoft money\system\lnpg.hta

    Suspicious Filename: HTA file in suspicious location
    File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp12\a0000937.hta

    Logfile of HijackThis v1.97.7
    Scan saved at 6:28:00 PM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\WINDOWS\System32\winhlp32.exe
    C:\WINDOWS\winhlp32.exe
    C:\WINDOWS\System32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Online Services\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8E71EC01-D3F1-4D4F-B3B8-37D34DC04AAB} - C:\WINDOWS\System32\gcp.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Higginb, welcome to the forum!
    I see you posted the HJT log over here as well: https://www.wilderssecurity.com/showthread.php?t=37284 so let's leave that part of the job to the HJT experts, and over here we'll concentrate on the HTA alerts with TDS.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Those HTA files are fine. You can ignore the detection of these HTA files; Microsoft use a lot of these now in wizards and the help system in Windows 2000/XP.

    We will be revising the suspicious detection reports of HTA files for TDS-4, as this old detection is now a little too sensitive.
     
  4. Ice Cold

    Ice Cold Guest

    You are having the same issue I am in the R0 and R1 entries (sp.html). I have used CWShredder, which is constantly finding CWS.Searchx on my machine. After cleaning the registry and rebooting, the browser is OK the first time in, but SpywareGuard reports a hijack attempt on the second time in during the same session (no reboot)... and we go through the process again. Spybot reports a clean system, as does Norton. I am running XP with SP1a and have installed all MS critical updates.

    SpywareBlaster 3.1 will install but WILL NOT RUN on my machine. The error message is "Program corrupted - reinstall". I have downloaded from 3 different sites and installed into different directories with the same result. Any ideas? I am convinced that there is a malicious dll or trojan in the registry which is causing this. Please help.
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Ice Cold,

    Actually a couple points for you... First, the automated anti-spyware tools don't yet cover all these browser hijackers. Often they don't identify all the problems and they certainly don't clean them all. That's why there are so many HijackThis logs being posted at security forums, because manual one-on-one cleaning is all that is completely effective at the moment. Hopefully in time there will be much more covered by the automated scanning and cleaning applications, but we aren't there yet.

    Secondly, many of these latest spyware infections can prevent either the installation or operation of many protection programs. SpywareBlaster is targeted by a few spyware infectors (some perhaps deliberately and some probably not intentionally, but they were just lucky).

    Your best bet is to do what the topic starter has done and post a HJT log in the appropriate forum section following these procedures:

    HOW TO? Read here about how to post your log!!

    HijackThis Log Posting Now Requires Member Registration
     
  6. Ice Cold

    Ice Cold Guest

    Problem solved. After searching other forums I found a genius who has discovered that indeed there is a hidden dll in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs path.

    Following the instructions on how to blow away the dll resulted in SpywareBlaster 3.1 running like a charm and "cool search" no longer getting me hot and bothered.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Ice,
    I have seen that thing mentioned here as well somewhere; can you please find the place again where you found your help, so our techs can have a look if they want to? Thank you so much for this information!

    EDIT:
    Did you mean this thread?
    http://www.computing.net/windowsxp/wwwboard/forum/107986.html
    In another thread at that same forum it did not help the user for some reason.
    Here in the Wilders forum I see what sounds like a safer way:
    https://www.wilderssecurity.com/showthread.php?t=29350&highlight=AppInt_DLL*

    Navigate to this key next:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Find this value in the right panel:
    "AppInit_DLLs" - right-click and rename to:
    'AppInit_DLLs1'
    Close regedit, reopen it to the same key, highlight the 'Windows' key there,
    export it the same way and save.

    And I see in a few places a link to the dllfix as explained step by step on Subratam's forum with screenshots.
    http://forums.subratam.org/index.php?showtopic=583

    I do advise, though, to do all such things step by step with the experts who have the overview of your HJT log etc., for very understandable reasons.
     
    Last edited: Jun 22, 2004
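    An added example, not code from this thread or from any of the tools it names (HijackThis, CWShredder, dllfix, FINDnFIX), showing the two checks the helpers above are doing by hand: flagging the R0/R1 search entries in higginb's log that point at a file:// URL in a Temp folder, and reading AppInit_DLLs out of an exported copy of the Windows key named in the procedure above. The HJT lines are copied from the log in the first post plus one clean "Start Page" line for contrast; the .reg export is constructed, and the DLL path inside it is a placeholder, not the hidden dll Ice Cold found. The "unnamed BHO in System32" rule is a heuristic only; nothing on this page establishes that gcp.dll is malicious.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: R0/R1/O2/O3 lines taken from the HijackThis log
# posted above, plus one clean R0 "Start Page" line added for contrast.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8E71EC01-D3F1-4D4F-B3B8-37D34DC04AAB} - C:\WINDOWS\System32\gcp.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
"""

# Constructed sample input: a regedit export (.reg) of the key named in the
# procedure above. The DLL path is a placeholder, not a file from this thread.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\example_hidden.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"""

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


def triage_hjt(log_text: str) -> List[Dict[str, str]]:
    """Flag the two hijack patterns visible in the posted log.

    R0/R1: a search or start page set to a file:// URL inside a Temp folder
    (the CWS sp.html pattern).  O2: a BHO with no name whose DLL lives in
    System32; a heuristic, not proof, since legitimate BHOs such as SDHelper
    also report "(no name)".
    """
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith(("R0 - ", "R1 - ")):
            _key, _, value = line[5:].partition(" = ")
            v = value.lower()
            if v.startswith("file://") and "\\temp\\" in v:
                findings.append({"line": line,
                                 "reason": "search/start page points at a local file in a Temp folder"})
        elif line.startswith("O2 - BHO: "):
            m = BHO_RE.match(line)
            if m and m["name"] == "(no name)" and m["path"].lower().startswith("c:\\windows\\system32\\"):
                findings.append({"line": line,
                                 "reason": "unnamed BHO loaded from System32 (review the DLL)"})
    return findings


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the .reg format regedit writes: [key] headers followed
    by "name"=value lines.  Quoted string values are unescaped; dword:/hex:
    values are kept as written."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            name = name.strip('"')
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def appinit_dlls(reg: Dict[str, Dict[str, str]]) -> Optional[List[str]]:
    """Return the DLL paths listed in AppInit_DLLs (normally an empty list on a
    clean XP box), or None if the value is absent from the export."""
    for name, value in reg.get(WINDOWS_KEY, {}).items():
        if name.lower() == "appinit_dlls":  # registry value names are case-insensitive
            return [p for p in re.split(r"[ ,;]+", value) if p]
    return None


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"[HJT] {f['reason']}\n      {f['line']}")
    dlls = appinit_dlls(parse_reg_export(REG_SAMPLE))
    print("[REG] AppInit_DLLs:", dlls if dlls else "(empty or absent)")
```

    Run it against a real HJT log and the exported Windows key and it reports the sp.html search entries and whatever AppInit_DLLs is loading into every process that links user32.dll. Renaming the value, as in the procedure above, is still a regedit step done with the HJT helpers, as Jooske advises; this only tells you what is there.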
  8. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    dllfix has now been pulled by shadowwar, the developer.
    This particular infection, R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html, will now be handled by FAL's FINDnFIX, but as already said, take help from "experts" only.

    Regards
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Was the other tool no longer adequate for the current attacks?
    FAL's Fix is a beauty from what I've seen in the HJT logs, but it really needs very expert hands!
    I haven't half an idea what is possible with it, but what I saw is very promising.
     