I'm dying over here

Discussion in 'adware, spyware & hijack cleaning' started by djenk23, May 15, 2004.

Thread Status:
Not open for further replies.
  1. djenk23

    djenk23 Registered Member

    Joined:
    May 15, 2004
    Posts:
    4
    I'm having issues with my browser being hijacked by about:blank. I have Spy Sweeper guarding my homepage and something always tries to change it to about:blank. I have run AdAware, Spybot, Hijack-This and CWS Shredder. I think this is also stopping Spyware Blaster from being installed on my computer. This is my Hijack This log.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:32:26 PM, on 05/15/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\WILD FILE\GOBACK\GBPOLL.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\PROGRAM FILES\MOTIVE\TUNER\BIN\MOTMON.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\SMARTBRIDGE\MOTIVESB.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPCLIENT.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMON32.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
    C:\WINDOWS\SYSTEM\WINREGSE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB07.EXE
    C:\PROGRAM FILES\CANON\MULTIPASS\MONITR32.EXE
    C:\PROGRAM FILES\CANON\MULTIPASS\MPTBOX.EXE
    C:\PROGRAM FILES\WILD FILE\GOBACK\GBMENU.EXE
    C:\PROGRAM FILES\SILICON PRAIRIE SOFTWARE\MEMTURBO\MEMTURBO.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\FXREDIR.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPCLIENT.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=292&
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=292&
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=12784&
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\RDXPH.DLL
    O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - (no file)
    O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [MotiveMonitor] "C:\Program Files\Motive\Tuner\bin\motmon.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMon32.exe"
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
    O4 - HKLM\..\Run: [winregse] C:\WINDOWS\SYSTEM\winregse.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
    O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
    O4 - Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
    O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - User Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
    O4 - User Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/1297.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - http://www.flashants.com/codebase/iceplayer.cab
    O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/controls/iptdweb/ikcntrls.cab
    O16 - DPF: {5242A5A1-EF1E-11D5-B3EE-0050DAC5EBD0} (printQuick Browser Add In (Ver4)) - http://www.pqpc.com/plugin/axversion/1410/printQuick1410.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} - http://adlogix.com/pop/InPop.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB

    Any help would be greatly appreciated.
     
  2. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    Joined:
    Jul 19, 2003
    Posts:
    45
    Location:
    Albuquerque, NM
    Download the following: (freeware)
    'Winfile.zip' from:
    http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

    Registrar Lite:
    http://www.resplendence.com/reglite


    Setting up:
    Unzip Winfile.zip to its own folder.

    Unzip Find-All.zip to its own folder.

    Install Registrar Lite.


    Begin:
    Run Registrar Lite.

    Copy and paste this line to reglite's address bar. Then press 'Go':
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    And hit the "go" tab.
    Find: "Appinit_Dlls" value on the right side
    panel, DoubleClick, copy and post here
    the following fields:
    -Size:
    -Value:


    Post the above results in this thread.
     
  3. djenk23

    djenk23 Registered Member

    Joined:
    May 15, 2004
    Posts:
    4
    That key isn't in my registry. It only goes up to this: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
     
  4. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    Joined:
    Jul 19, 2003
    Posts:
    45
    Location:
    Albuquerque, NM
    Sorry, I saw the Windows 98 and still posted the XP fix. Some days it pays to stay in bed.

    Try this instead:

    Download: "StartDreck", from here:
    http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm

    Unzip to its own folder and start the program,

    Press 'Config'
    Press 'Unmark All'

    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'

    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Post the log in this thread.
     
  5. djenk23

    djenk23 Registered Member

    Joined:
    May 15, 2004
    Posts:
    4
    StartDreck (build 2.1.5 public BETA) - 2004-05-16 @ 23:12:44
    Platform: Windows 98 SE (Win 4.10.2222 A)

    »Registry
    »Run Keys
    »Current User
    »Run
    *SpySweeper=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    *Ashampoo PopUpBlocker=C:\PROGRAM FILES\ASHAMPOO\ASHAMPOO WINOPTIMIZER PLATINUM SUITE\PopUpKiller.exe
    »RunOnce
    »Default User
    »Run
    *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    *RealDownload Express=C:\WINDOWS\SYSTEM\npnzdad.exe /t
    *MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=c:\windows\scanregw.exe /autorun
    *TaskMonitor=c:\windows\taskmon.exe
    *SystemTray=SysTray.Exe
    *Multi-function Keyboard=GWHotKey.exe
    *MotiveMonitor="C:\Program Files\Motive\Tuner\bin\motmon.exe"
    *Motive SmartBridge=C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    *IPInSightLAN 01="C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPClient.exe" -l
    *IPInSightMonitor 01="C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMon32.exe"
    *a-winpoet-service="C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
    *winregse=C:\WINDOWS\SYSTEM\winregse.exe
    *ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    *ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    *HPDJ Taskbar Utility=C:\WINDOWS\SYSTEM\hpztsb07.exe
    *QuickFinder Scheduler="C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    *MP_STATUS_MONITOR="C:\Program Files\Canon\MultiPASS\monitr32.exe" I
    *MPTBox="C:\Program Files\Canon\MultiPASS\MPTBox.exe"
    *TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *Installed=1
    *NoChange=1
    *Installed=1
    *Installed=1
    »RunOnce
    »RunServices
    *GoBack Polling Service=C:\Program Files\Wild File\GoBack\GBPoll.exe
    *ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    *ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    *SchedulingAgent=mstask.exe
    »RunServicesOnce
    **z=rundll32 C:\WINDOWS\SYSTEM\WDMGMPO.DLL,StreamingDeviceSetup
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FFEF3287=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFF0BE7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFF73DF=C:\WINDOWS\SYSTEM\SPOOL32.EXE
    *FFFF6A67=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFE0E833=C:\PROGRAM FILES\WILD FILE\GOBACK\GBPOLL.EXE
    *FFE0D537=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    *FFE001B3=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFE1389F=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFE2BCDB=C:\WINDOWS\EXPLORER.EXE
    *FFE3A06F=C:\WINDOWS\TASKMON.EXE
    *FFE3A8C3=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFE3E953=C:\WINDOWS\GWHOTKEY.EXE
    *FFE34ECF=C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\SMARTBRIDGE\MOTIVESB.EXE
    *FFE47E3B=C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPCLIENT.EXE
    *FFE323EB=C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMON32.EXE
    *FFE31E7F=C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
    *FFE368A7=C:\WINDOWS\SYSTEM\WINREGSE.EXE
    *FFE44B13=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    *FFE25323=C:\WINDOWS\SYSTEM\HPZTSB07.EXE
    *FFE8AF77=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    *FFE673C3=C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    *FFE5EE2B=C:\PROGRAM FILES\WILD FILE\GOBACK\GBMENU.EXE
    *FFEA1F8B=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    *FFEB1893=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFE62747=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FFE6132F=C:\WINDOWS\SYSTEM\PSTORES.EXE
    *FFEBCA9F=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
    *FFE61483=C:\WINDOWS\SYSTEM\RNAAPP.EXE
    *FFEB0B7B=C:\WINDOWS\SYSTEM\TAPISRV.EXE
    *FFE0AAF7=C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPCLIENT.EXE
    *FFE66D93=C:\STARTDRECK\STARTDRECK.EXE
    »Application specific
     
  6. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    Joined:
    Jul 19, 2003
    Posts:
    45
    Location:
    Albuquerque, NM
    Download: "Win98Fix.zip" from here:
    http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

    Unzip to its own folder.

    Open Folder and double click on RunFix.reg file.
    Hit 'Yes' to merge it into your registry.
    Restart your computer.

    The bad file should now be visible so you can delete it.

    Browse to C:\WINDOWS\SYSTEM\WDMGMPO.DLL <-- this is the bad file.

    Right click on it and select 'Properties', remove check mark from 'Read Only' (if present), then press 'OK'.

    Right click on it again, select 'Delete', then answer 'Yes'.

    (If you cannot find the file, run the 'Who.bat' file in the folder.
    The file will be found and listed.)

    Please Download CoolWebShredder, from
    http://www.merijn.org/files/cwshredder.zip
    http://www.zerosrealm.com/downloads/CWShredder.zip

    Extract CWShredder to its own folder,
    Click the 'Fix ->' button.
    Make sure you let it fix all CWS Remnants.

    Afterwards Reboot.

    Then, please Post a fresh Hijack This log in this thread.
     
  7. djenk23

    djenk23 Registered Member

    Joined:
    May 15, 2004
    Posts:
    4
    Logfile of HijackThis v1.97.7
    Scan saved at 11:38:30 AM, on 05/17/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\WILD FILE\GOBACK\GBPOLL.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\PROGRAM FILES\MOTIVE\TUNER\BIN\MOTMON.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\SMARTBRIDGE\MOTIVESB.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPCLIENT.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMON32.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
    C:\WINDOWS\SYSTEM\WINREGSE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB07.EXE
    C:\PROGRAM FILES\CANON\MULTIPASS\MONITR32.EXE
    C:\PROGRAM FILES\CANON\MULTIPASS\MPTBOX.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
    C:\PROGRAM FILES\WILD FILE\GOBACK\GBMENU.EXE
    C:\PROGRAM FILES\SILICON PRAIRIE SOFTWARE\MEMTURBO\MEMTURBO.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\FXREDIR.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPCLIENT.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=292&
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=292&
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=12784&
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\RDXPH.DLL
    O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - (no file)
    O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
    O2 - BHO: (no name) - {93FDB990-A7F3-11D8-873C-00602D5AF708} - C:\WINDOWS\SYSTEM\NFOFJLC.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [MotiveMonitor] "C:\Program Files\Motive\Tuner\bin\motmon.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMon32.exe"
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
    O4 - HKLM\..\Run: [winregse] C:\WINDOWS\SYSTEM\winregse.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
    O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
    O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - User Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
    O4 - User Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/1297.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - http://www.flashants.com/codebase/iceplayer.cab
    O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/controls/iptdweb/ikcntrls.cab
    O16 - DPF: {5242A5A1-EF1E-11D5-B3EE-0050DAC5EBD0} (printQuick Browser Add In (Ver4)) - http://www.pqpc.com/plugin/axversion/1410/printQuick1410.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} - http://adlogix.com/pop/InPop.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi djenk23,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\RDXPH.DLL
    O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - (no file)
    O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
    O2 - BHO: (no name) - {93FDB990-A7F3-11D8-873C-00602D5AF708} - C:\WINDOWS\SYSTEM\NFOFJLC.DLL

    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMon32.exe"

    O4 - HKLM\..\Run: [winregse] C:\WINDOWS\SYSTEM\winregse.exe

    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} - http://adlogix.com/pop/InPop.CAB

    Then reboot and delete:
    C:\WINDOWS\SYSTEM\winregse.exe <= http://vil.nai.com/vil/content/v_99564.htm

    Regards,

    Pieter
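
Pieter's fix list above is built by reading the log by eye. The Python below is an added example (not from this thread, HijackThis, or any tool mentioned in it) that turns that judgement into rules and runs them over a constructed subset of the 05/17 log: res:// search pages pointing at a local DLL, the missing URLSearchHook, orphaned BHOs, unnamed BHOs whose DLL name looks random (the same pattern as WDMGMPO.DLL in the StartDreck log), startup entries launched straight out of C:\WINDOWS\SYSTEM, and ActiveX (O16) downloads from hosts outside a vendor allowlist. KNOWN_BAD holds the three file names this thread itself resolved; the OS_STARTUP and TRUSTED_DPF allowlists, the vowel-ratio threshold in looks_random, and the "review" bucket are assumptions of this example, not anything the thread or the tools define.

```python
"""Heuristic triage of HijackThis 1.97 log lines.

Added example for this thread; not code from HijackThis, from the thread's
participants, or from any tool named above. KNOWN_BAD is taken from the
thread's own verdicts; the allowlists and name heuristic are assumptions.
"""
import re
from urllib.parse import urlparse

# Files identified in this thread as part of the about:blank hijack.
KNOWN_BAD = {"nfofjlc.dll", "winregse.exe", "wdmgmpo.dll"}

# Windows 9x components expected to start from C:\WINDOWS(\SYSTEM).
# Assumed allowlist: anything else launched from there gets "review".
OS_STARTUP = {"scanregw.exe", "taskmon.exe", "systray.exe", "mstask.exe"}

# Vendors whose O16 download hosts are expected (assumed allowlist).
TRUSTED_DPF = ("macromedia.com", "microsoft.com", "apple.com",
               "dell.com", "yimg.com")

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .dll/.exe; spaces are allowed so that
# quoted "C:\Program Files\..." targets match as well.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe)', re.IGNORECASE)
WINDIRS = {"c:\\windows", "c:\\windows\\system"}
VOWELS = set("aeiouy")


def looks_random(basename: str) -> bool:
    """CWS-style names (NFOFJLC.DLL, RDXPH.DLL, WDMGMPO.DLL) are short
    all-letter stems with almost no vowels; real component names rarely are."""
    stem = basename.rsplit(".", 1)[0].lower()
    if not stem.isalpha() or not 5 <= len(stem) <= 8:
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF)


def triage_line(line: str):
    """Return (severity, reason) for one log line, or None if it looks clean.
    'remove' = fix in HijackThis; 'review' = a human still has to look."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    path = PATH_RE.search(body)
    full = path.group(0).lower() if path else ""
    folder, _, name = full.rpartition("\\")

    if name in KNOWN_BAD:
        return "remove", f"{name} was identified in this thread"
    if kind.startswith("R"):
        if "res://" in body:
            return "remove", "search/start page served from a local DLL resource"
        if "about:blank" in body:
            return "remove", "about:blank hijack value"
        if "URLSearchHook is missing" in body:
            return "remove", "default URLSearchHook removed"
    elif kind == "O2":
        if "(no file)" in body:
            return "remove", "orphaned BHO registration"
        if "(no name)" in body and looks_random(name):
            return "remove", "unnamed BHO with random-looking DLL name"
        if "(no name)" in body:
            return "review", "unnamed BHO"
    elif kind == "O4":
        if folder in WINDIRS and name not in OS_STARTUP:
            return "review", "startup entry launched from the Windows directory"
    elif kind == "O16":
        url = re.search(r"https?://\S+", body)
        host = urlparse(url.group(0)).hostname if url else None
        if host and not trusted_host(host):
            return "review", f"ActiveX download from unlisted host {host}"
    return None


def triage(log_text: str):
    """Run triage_line over a whole log; returns (severity, reason, line)."""
    out = []
    for line in log_text.splitlines():
        verdict = triage_line(line)
        if verdict:
            out.append((verdict[0], verdict[1], line.strip()))
    return out


# Constructed sample: a subset of the 05/17 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NFOFJLC.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=292&
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\RDXPH.DLL
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - (no file)
O2 - BHO: (no name) - {93FDB990-A7F3-11D8-873C-00602D5AF708} - C:\WINDOWS\SYSTEM\NFOFJLC.DLL
O4 - HKLM\..\Run: [winregse] C:\WINDOWS\SYSTEM\winregse.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} - http://adlogix.com/pop/InPop.CAB
"""

if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LOG):
        print(f"{sev:6} {why}\n       {line}")
```

On the sample the "remove" lines are a subset of what Pieter told djenk23 to fix (his list also includes vendor entries such as the IPInSight pair, which no name or path rule can justify on its own). The two "review" hits, the HP taskbar utility and the adlogix.com CAB, are exactly the kind of entry a helper still decides by hand, which is why the script only classifies and never deletes anything itself.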
     