About Blank
Showing all messages in thread #1086172031
Windows Me Annoyances Discussion Forum


The following are all of the messages in this thread (18 in all), shown in chronological order.
About Blank
Wednesday, June 2, 2004 at 3:27 am
Posted by Dan (20 messages posted)

I know this question has been asked a lot, but the problem persists. I already have CWS, and Ad aware installed, when I remove it, it comes back the other day, every time with a different dll(spyware guard tells me so), maybe there is another file doing this? I need help, I hate spyware. thanks, Dan


re: About Blank
Wednesday, June 2, 2004 at 3:42 pm
Posted by MrCharlie (4133 messages posted)

   

Post a HijackThis log to see which one you have.

HiJackThis and Instructions

When and if you do, please check the 'preserve spacing button' on the posting page 
so we can understand the log.  MrC





On Wednesday, June 2, 2004 at 3:27 am, Dan wrote:
>I know this question has been asked a lot, but the problem persists. I already have
>CWS, and Ad aware installed, when I remove it, it comes back the other day, every
>time with a different dll(spyware guard tells me so), maybe there is another file
>doing this? I need help, I hate spyware.
>
>thanks,
>
>Dan


re: About Blank
Wednesday, June 2, 2004 at 10:58 pm
Posted by darlene (90 messages posted)

Hi, It sounds like you have the newest Trojan named Prockill. It's a process killer of Windows. You will need to clean out your _RESTORE. I don't know how to do this so I finally deleted it and a file named RECYCLED. They're gone, but at what cost I do not know. Look for a blacked out Computer icon with a red X across it hiding by your clock when you sign off of the Net. It will only be there for a second, so you'll have to stare at that point until you're back to Windows. Let me know if you have it, I can't get rid of it and I think it's connected somehow. Do a file search for Killwind, TERMINATOR, HideWindows, and FondleWindows. If any one of these are there delete them, clean out your _RESTORE and delete RECYCLED until someone finds a fix. Do not delete them from your Recycle bin until we know that it's safe to do so. Hope this helps. Have a great day, Darlene


On Wednesday, June 2, 2004 at 3:27 am, Dan wrote:
>I know this question has been asked a lot, but the problem persists. I already have
>CWS, and Ad aware installed, when I remove it, it comes back the other day, every
>time with a different dll(spyware guard tells me so), maybe there is another file
>doing this? I need help, I hate spyware.
>
>thanks,
>
>Dan


re: About Blank
Friday, June 4, 2004 at 2:25 am
Posted by Dan (20 messages posted)

Logfile of HijackThis v1.97.7
Scan saved at 11:18:40 AM, on 6/4/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WININET.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
C:\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\DANIEL\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html 
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html 
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.megavision.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LCPG.DLL/sp.html 
(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html 
(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html 
(obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LCPG.DLL/sp.html 
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = provided by Community 
Internet Systems, Inc.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 
5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL 
(disabled by BHODemon)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} 
- C:\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {F87E1054-EE16-4370-A9EA-9CA1CC222057} - C:\WINDOWS\SYSTEM\GDOC.DLL 
(disabled by BHODemon)
O2 - BHO: (no name) - {92A46B72-99DD-451E-91E4-020A27932BDE} - C:\WINDOWS\SYSTEM\GDOC.DLL 
(disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL 
(disabled by BHODemon)
O2 - BHO: (no name) - {B8C39D6B-D02A-4E60-9057-1E4578A87D17} - C:\WINDOWS\SYSTEM\PNMKE.DLL 
(disabled by BHODemon)
O2 - BHO: (no name) - {A502D346-A554-4E9E-97FE-092DD3B7A9FA} - C:\WINDOWS\SYSTEM\GDLNH.DLL 
(disabled by BHODemon)
O2 - BHO: (no name) - {AA6279C6-B442-4322-8D95-98C48A3BADA3} - C:\WINDOWS\SYSTEM\BPHHJ.DLL 
(disabled by BHODemon)
O2 - BHO: (no name) - {4F440DB5-616A-4FC8-9A7E-51EB117FB7F4} - C:\WINDOWS\SYSTEM\JABCPBA.DLL 
(disabled by BHODemon)
O2 - BHO: (no name) - {01CAF2AB-A29F-45E1-9245-941F89D78324} - C:\WINDOWS\SYSTEM\NJCPM.DLL 
(disabled by BHODemon)
O2 - BHO: (no name) - {8B29B43E-E86B-4913-8E12-53CF51EB08B6} - C:\WINDOWS\SYSTEM\OIBA.DLL 
(disabled by BHODemon)
O2 - BHO: (no name) - {21C0DD84-817D-4765-9600-5C945A21AA8E} - C:\WINDOWS\SYSTEM\OIBA.DLL 
(disabled by BHODemon)
O2 - BHO: (no name) - {38CE9B28-D020-4ECF-9256-7EA97F549E35} - C:\WINDOWS\SYSTEM\HGOM.DLL 
(disabled by BHODemon)
O2 - BHO: (no name) - {52D46487-0543-4FDB-B042-ED05234EA64A} - C:\WINDOWS\SYSTEM\LCPG.DLL 
(disabled by BHODemon)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} 
- C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL__BHODemonDisabled 
(file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN 
TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" 
 -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec 
Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" 
/detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wininet.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection 
OfotoNow
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
O9 - Extra button: Hoteles (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {72B09CA7-1B59-454E-95D9-461A9227B785} (UIWrapper Class) - http://webcomp1.mediaring.com/orion/consumer/pcphone/ver1.2.5.0/wbsc125.cab
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://voizfone.mediaring.com/webcomp/pcphone/ver3.0.5.0/wbaxuiph305.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program 
Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program 
Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program 
Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program 
Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38105.3232175926
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - 
http

Is that what you wanted to see? 

thanks, 

Dan






On Wednesday, June 2, 2004 at 3:42 pm, MrCharlie wrote:
>
>
>Post a HijackThis log to see which one you have.
>
>HiJackThis and Instructions
>
>When and if you do, please check the 'preserve spacing button' on the posting page
>so we can understand the log. MrC
>

>


re: About Blank
Friday, June 4, 2004 at 9:10 am
Posted by MrCharlie (4133 messages posted)

   
Yes, that's the log we want, first thing to be done is clean up some of the other 
crap on the system.
With only HJT running fix these by placing a check mark in the box next to each of 
these and then hit FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LCPG.DLL/sp.html 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LCPG.DLL/sp.html 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing 

O2 - BHO: (no name) - {F87E1054-EE16-4370-A9EA-9CA1CC222057} - C:\WINDOWS\SYSTEM\GDOC.DLL 

O2 - BHO: (no name) - {92A46B72-99DD-451E-91E4-020A27932BDE} - C:\WINDOWS\SYSTEM\GDOC.DLL 

O2 - BHO: (no name) - {B8C39D6B-D02A-4E60-9057-1E4578A87D17} - C:\WINDOWS\SYSTEM\PNMKE.DLL 

O2 - BHO: (no name) - {A502D346-A554-4E9E-97FE-092DD3B7A9FA} - C:\WINDOWS\SYSTEM\GDLNH.DLL 

O2 - BHO: (no name) - {AA6279C6-B442-4322-8D95-98C48A3BADA3} - C:\WINDOWS\SYSTEM\BPHHJ.DLL 

O2 - BHO: (no name) - {4F440DB5-616A-4FC8-9A7E-51EB117FB7F4} - C:\WINDOWS\SYSTEM\JABCPBA.DLL 

O2 - BHO: (no name) - {01CAF2AB-A29F-45E1-9245-941F89D78324} - C:\WINDOWS\SYSTEM\NJCPM.DLL 

O2 - BHO: (no name) - {8B29B43E-E86B-4913-8E12-53CF51EB08B6} - C:\WINDOWS\SYSTEM\OIBA.DLL 

O2 - BHO: (no name) - {21C0DD84-817D-4765-9600-5C945A21AA8E} - C:\WINDOWS\SYSTEM\OIBA.DLL 

O2 - BHO: (no name) - {38CE9B28-D020-4ECF-9256-7EA97F549E35} - C:\WINDOWS\SYSTEM\HGOM.DLL 

O2 - BHO: (no name) - {52D46487-0543-4FDB-B042-ED05234EA64A} - C:\WINDOWS\SYSTEM\LCPG.DLL 

 O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE

 O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wininet.exe

O4 - Startup: PowerReg Scheduler.exe

 O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab

Reboot into SafeMode 
and delete these files:
HowToShowHiddenFiles 
- if needed

C:\WINDOWS\SYSUPD.EXE

C:\WINDOWS\System\wininet.exe

PowerReg Scheduler.exe <---may be anywhere


Reboot and run Ad-Aware as outlined below:


First thing to do is click on "Check For Updates Now", download the latest updates.

Then:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C: 

Now press "Next" to let Ad-aware scan your drives... 
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again 
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

Post a fresh HJT log back here when done. MrC

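One way to triage a log like the one posted above, as an added example that is not part of the original thread or of HijackThis itself: it rejoins the wrapped log lines, then reports DLLs that are both the target of a res:// search-page setting and loaded as a BHO. The sample is an excerpt of the log in this thread; the function names and the "unnamed BHO directly in C:\WINDOWS\SYSTEM" review cue are assumptions of this example.

```python
import ntpath
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted in this thread, wrapped lines included.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.megavision.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LCPG.DLL/sp.html
(obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT
5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
- C:\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {F87E1054-EE16-4370-A9EA-9CA1CC222057} - C:\WINDOWS\SYSTEM\GDOC.DLL
(disabled by BHODemon)
O2 - BHO: (no name) - {38CE9B28-D020-4ECF-9256-7EA97F549E35} - C:\WINDOWS\SYSTEM\HGOM.DLL
(disabled by BHODemon)
O2 - BHO: (no name) - {52D46487-0543-4FDB-B042-ED05234EA64A} - C:\WINDOWS\SYSTEM\LCPG.DLL
(disabled by BHODemon)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

ENTRY_START = re.compile(r"^(?:R[0-3]|O\d{1,2}) - ")
R_ENTRY = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.*)$")
RES_URL = re.compile(r"res://([A-Za-z]:\\[^/]+)/", re.IGNORECASE)
BHO_ENTRY = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?: \((?P<note>[^()]*)\))?$"
)
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"  # Win9x/Me system directory, as in the log


def unwrap(text):
    """Rejoin entries that the forum wrapped onto a second line.

    Lines before the first R/O entry (header, process list) are skipped.
    Any free text pasted after the last entry would be glued onto it, so
    feed this the log portion only.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def correlate(entries):
    """Map each DLL that is both a res:// target and a BHO to its evidence."""
    res_targets = defaultdict(list)  # DLL path -> registry settings using it
    bhos = defaultdict(list)         # DLL path -> BHO CLSIDs loading it
    for entry in entries:
        r = R_ENTRY.match(entry)
        if r:
            target = RES_URL.search(r["value"])
            if target:
                res_targets[target[1].upper()].append(r["key"])
            continue
        b = BHO_ENTRY.match(entry)
        if b:
            bhos[b["path"].upper()].append(b["clsid"])
    return {
        dll: {"settings": res_targets[dll], "clsids": bhos[dll]}
        for dll in sorted(res_targets)
        if dll in bhos
    }


def unnamed_system_bhos(entries):
    """File names of '(no name)' BHOs that sit directly in the system dir.

    Assumed review cue, not proof: the Acrobat helper in the sample is also
    unnamed, but it lives under Program Files and is not listed here.
    """
    found = set()
    for entry in entries:
        b = BHO_ENTRY.match(entry)
        if not b or b["name"] != "(no name)":
            continue
        if ntpath.dirname(b["path"]).upper() == SYSTEM_DIR:
            found.add(ntpath.basename(b["path"]).upper())
    return sorted(found)


if __name__ == "__main__":
    log = unwrap(SAMPLE_LOG)
    for dll, evidence in correlate(log).items():
        print(dll, evidence)
    print("unnamed BHOs in system dir:", unnamed_system_bhos(log))
```
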

re: About Blank
Saturday, June 5, 2004 at 12:38 pm
Posted by Dan (20 messages posted)

did everything, thanks. This is what came up-

Logfile of HijackThis v1.97.7
Scan saved at 9:26:45 PM, on 6/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
C:\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\WINDOWS\TEMP\SETUP.EXE
C:\DANIEL\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eltiempo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.megavision.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = provided by Community 
Internet Systems, Inc.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} 
- C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN 
TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" 
 -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec 
Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" 
/detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection 
OfotoNow
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
O9 - Extra button: Hoteles (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {72B09CA7-1B59-454E-95D9-461A9227B785} (UIWrapper Class) - http://webcomp1.mediaring.com/orion/consumer/pcphone/ver1.2.5.0/wbsc125.cab
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://voizfone.mediaring.com/webcomp/pcphone/ver3.0.5.0/wbaxuiph305.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program 
Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program 
Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program 
Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program 
Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38105.3232175926
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - 
http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

thanks for the help.

Dan






On Friday, June 4, 2004 at 9:10 am, MrCharlie wrote:
>
>Yes, that's the log we want, first thing to be done is clean up some of the other
>crap on the system.
>With only HJT running fix these by placing a check mark in the box next to each of
>these and then hit FIX.
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LCPG.DLL/sp.html
>
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html
>
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html
>
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LCPG.DLL/sp.html
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
>
>R3 - Default URLSearchHook is missing
>
>O2 - BHO: (no name) - {F87E1054-EE16-4370-A9EA-9CA1CC222057} - C:\WINDOWS\SYSTEM\GDOC.DLL
>
>O2 - BHO: (no name) - {92A46B72-99DD-451E-91E4-020A27932BDE} - C:\WINDOWS\SYSTEM\GDOC.DLL
>
>O2 - BHO: (no name) - {B8C39D6B-D02A-4E60-9057-1E4578A87D17} - C:\WINDOWS\SYSTEM\PNMKE.DLL
>
>O2 - BHO: (no name) - {A502D346-A554-4E9E-97FE-092DD3B7A9FA} - C:\WINDOWS\SYSTEM\GDLNH.DLL
>
>O2 - BHO: (no name) - {AA6279C6-B442-4322-8D95-98C48A3BADA3} - C:\WINDOWS\SYSTEM\BPHHJ.DLL
>
>O2 - BHO: (no name) - {4F440DB5-616A-4FC8-9A7E-51EB117FB7F4} - C:\WINDOWS\SYSTEM\JABCPBA.DLL
>
>O2 - BHO: (no name) - {01CAF2AB-A29F-45E1-9245-941F89D78324} - C:\WINDOWS\SYSTEM\NJCPM.DLL
>
>O2 - BHO: (no name) - {8B29B43E-E86B-4913-8E12-53CF51EB08B6} - C:\WINDOWS\SYSTEM\OIBA.DLL
>
>O2 - BHO: (no name) - {21C0DD84-817D-4765-9600-5C945A21AA8E} - C:\WINDOWS\SYSTEM\OIBA.DLL
>
>O2 - BHO: (no name) - {38CE9B28-D020-4ECF-9256-7EA97F549E35} - C:\WINDOWS\SYSTEM\HGOM.DLL
>
>O2 - BHO: (no name) - {52D46487-0543-4FDB-B042-ED05234EA64A} - C:\WINDOWS\SYSTEM\LCPG.DLL
>
> O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
>
> O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wininet.exe
>
>O4 - Startup: PowerReg Scheduler.exe
>
> O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
>
>Reboot into SafeMode
>and delete these files:
>HowToShowHiddenFiles - if needed
>
>C:\WINDOWS\SYSUPD.EXE
>
>C:\WINDOWS\System\wininet.exe
>
>PowerReg Scheduler.exe <---may be anywhere
>
>
>Reboot and run Ad-Aware as outlined below:
>
>
>First thing to do is click on "Check For Updates Now", download the latest updates.
>
>Then:
>
>- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
>check: "Unload recognized processes during scanning."
>
>- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
>Check: "Let Windows remove files in use after reboot."
>
>Press "Scan Now"
>
>- Check option "Use Custom scanning options"
>- Check option "Activate In-Depth Scan"
>- Press "Select drives\folders to scan"
>- Select the active partition which is usually C:
>
>Now press "Next" to let Ad-aware scan your drives...
>It will find a number of "bad" files and registry keys. Click 'Next' again
>Right-click in that pane and choose "select all"
>
>If it finds "bad" files and registry keys, press "Next" again
>It will ask you whether you'd like to remove all checked items. Click OK.
>
>Finally, close Ad-Aware, and reboot.
>
>Post a fresh HJT log back here when done. MrC

[Reply or follow-up to this message]

re: About Blank
Saturday, June 5, 2004 at 2:13 pm
Posted by MrCharlie (4133 messages posted)

   
OK, just have HJT fix this one, (it looks like it just surfaced)

 O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe

and delete this file:
C:\WINDOWS\SYSTEM\msmc.exe

There's a couple of ways to deal with the 'about blank' problem, let's try the easiest 
first.

Download and unzip this small program.

Win98Fix.zip

Then doubleclick who.bat and post the log saved by the Badfile txt. for review.

On Saturday, June 5, 2004 at 12:38 pm, Dan wrote:
>did everything, thanks. This is what came up-
>
>Logfile of HijackThis v1.97.7
>Scan saved at 9:26:45 PM, on 6/5/2004
>Platform: Windows ME (Win9x 4.90.3000)
>MSIE: Internet Explorer v5.50 (5.50.4134.0100)
>
>Running processes:
>C:\WINDOWS\SYSTEM\KERNEL32.DLL
>C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>C:\WINDOWS\SYSTEM\mmtask.tsk
>C:\WINDOWS\SYSTEM\MPREXE.EXE
>C:\WINDOWS\SYSTEM\MSTASK.EXE
>C:\WINDOWS\SYSTEM\SCARDSVR.EXE
>C:\WINDOWS\SYSTEM\STIMON.EXE
>C:\WINDOWS\SYSTEM\DEVLDR16.EXE
>C:\WINDOWS\EXPLORER.EXE
>C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
>C:\WINDOWS\TASKMON.EXE
>C:\WINDOWS\SYSTEM\SYSTRAY.EXE
>C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
>C:\WINDOWS\SYSTEM\HIDSERV.EXE
>C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
>C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
>C:\WINDOWS\SYSTEM\WMIEXE.EXE
>C:\WINDOWS\SYSTEM\QTTASK.EXE
>C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
>C:\WINDOWS\RUNDLL32.EXE
>C:\SPYWAREGUARD\SGMAIN.EXE
>C:\WINDOWS\SYSTEM\DDHELP.EXE
>C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
>C:\SPYWAREGUARD\SGBHP.EXE
>C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
>C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
>C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
>C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
>C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
>C:\WINDOWS\SYSTEM\SPOOL32.EXE
>C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
>C:\WINDOWS\TEMP\SETUP.EXE
>C:\DANIEL\HIJACKTHIS\HIJACKTHIS.EXE
>
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eltiempo.com/
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.megavision.com
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = provided by Community
>Internet Systems, Inc.
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
>R3 - Default URLSearchHook is missing
>O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467}
>- C:\WINDOWS\SYSTEM\MSDXM.OCX
>O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
>O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN
>TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
>O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
>O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
>O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
>O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
>O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
>O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
>O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
>O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
>O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
>O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
> -osboot
>O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
>O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
>O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
>O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
>O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
>O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
>O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec
>Shared\Script Blocking\SBServ.exe" -reg
>O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
>O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
>O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe"
>/detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
>O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
>O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection
>OfotoNow
>O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
>O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
>O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
>O9 - Extra button: Hoteles (HKLM)
>O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>O16 - DPF: {72B09CA7-1B59-454E-95D9-461A9227B785} (UIWrapper Class) - http://webcomp1.mediaring.com/orion/consumer/pcphone/ver1.2.5.0/wbsc125.cab
>O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://voizfone.mediaring.com/webcomp/pcphone/ver3.0.5.0/wbaxuiph305.cab
>O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program
>Files\AutoCAD 2002\AcPreview.ocx
>O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program
>Files\AutoCAD 2002\AcDcToday.ocx
>O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program
>Files\AutoCAD 2002\InstBanr.ocx
>O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program
>Files\AutoCAD 2002\InstFred.ocx
>O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
>O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
>O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
>O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
>O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
>O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
>O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
>O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38105.3232175926
>O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) -
>http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
>
>thanks for the help.
>
>Dan

[Reply or follow-up to this message]

re: About Blank
Sunday, June 6, 2004 at 8:28 am
Posted by Dan (20 messages posted)


Okay, I got done with the top part, but I'm having a small problem operating the 
downloaded file, so could you post a detailed guide(I unzipped it, there is a "who" 
file, I open it, it takes me to DOS, but nothing else happens)

thanks, 

Dan

On Saturday, June 5, 2004 at 2:13 pm, MrCharlie wrote:
>
>
>OK, just have HJT fix this one, (it looks like it just surfaced)
>
> O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
>
>and delete this file:
>C:\WINDOWS\SYSTEM\msmc.exe
>
>There's a couple of ways to deal with the 'about blank' problem, let's try the easiest
>first.
>
>Download and unzip this small program.
>
>Win98Fix.zip
>
>Then doubleclick who.bat and post the log saved by the Badfile txt. for review.

[Reply or follow-up to this message]

re: About Blank
Sunday, June 6, 2004 at 9:41 am
Posted by MrCharlie (4133 messages posted)

OK, here's how it works. Double click the who.bat and let it run, when it's done it will close. Then you should see a badfile.txt, that should contain the file that's causing the problem. So open it up (badfile.txt) and copy and paste the results back here. You still are having a problem, right? If not, we may have to wait until you do and then run the program to see it.


On Sunday, June 6, 2004 at 8:28 am, Dan wrote:
>
>
>Okay, I got done with the top part, but I'm having a small problem operating the
>downloaded file, so could you post a detailed guide(I unzipped it, there is a "who"
>file, I open it, it takes me to DOS, but nothing else happens)
>
>thanks,
>
>Dan
>

[Reply or follow-up to this message]

re: About Blank
Sunday, June 6, 2004 at 9:57 am
Posted by MrCharlie (4133 messages posted)

Just to add, when you double click on the who.bat, you should see your hard drive light come on. This indicates that the program is scanning your system, it may take a minute or so, depending on the size of your drive.


On Sunday, June 6, 2004 at 8:28 am, Dan wrote:
>
>
>Okay, I got done with the top part, but I'm having a small problem operating the
>downloaded file, so could you post a detailed guide(I unzipped it, there is a "who"
>file, I open it, it takes me to DOS, but nothing else happens)
>
>thanks,
>
>Dan
>

[Reply or follow-up to this message]

re: About Blank
Monday, June 7, 2004 at 5:20 am
Posted by Dan (20 messages posted)

C:\WINDOWS\System\WINLONO.DLL is the only thing that came up, should I delete it?

Dan

On Sunday, June 6, 2004 at 9:57 am, MrCharlie wrote:
>
>
>Just to add, when you double click on the who.bat, you should see your hard drive
>light come on. This indicates that the program is scanning your system, it may take
>a minute or so, depending on the size of your drive.

[Reply or follow-up to this message]

re: About Blank
Monday, June 7, 2004 at 6:29 pm
Posted by MrCharlie (4133 messages posted)

  
No, not yet. First download the KillBox 
and unzip to a folder, we'll use this to delete the file.

Next, double click the RunFix.reg and let it merge into the registry.
 
Third, reboot and delete the file found by who.bat, here's how:

 Just copy and paste C:\WINDOWS\System\WINLONO.DLL into the KillBox 
and hit kill this file. It may not be able to delete it now, so let it delete it 
on reboot.

Now run HJT again and fix any of them that look like these. (R0, R1, R2)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html 
(obfuscated

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Reboot and see how it is.

Let me know, MrC

On Monday, June 7, 2004 at 5:20 am, Dan wrote:
>C:\WINDOWS\System\WINLONO.DLL is the only thing that came up, should I delete it?
>
>Dan

[Reply or follow-up to this message]
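
The log review MrCharlie does by eye in the posts above can be sketched in code. This is an added example, not part of the original thread and not code from HijackThis: it re-joins the lines this forum wrapped, flags entries resembling the ones marked for fixing, and diffs two logs to show what "just surfaced". The three heuristics are assumptions modelled on those entries, and the two sample logs are abridged and assembled from entries that appear in this thread.

```python
import re

# Entry lines start with a HijackThis section code such as R0, R1, O2, O4, O16.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Abridged sample logs assembled from entries quoted in this thread (not complete logs).
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eltiempo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = provided by Community
Internet Systems, Inc.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {38CE9B28-D020-4ECF-9256-7EA97F549E35} - C:\WINDOWS\SYSTEM\HGOM.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

# Same idea, but as it looks when quoted in a reply (leading ">" markers).
LOG_AFTER = r""">R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eltiempo.com/
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = provided by Community
>Internet Systems, Inc.
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
>O2 - BHO: (no name) - {F05D2B3C-89C8-4F65-B706-FC6BA4CF98A8} - C:\WINDOWS\SYSTEM\EFHF.DLL
>(disabled by BHODemon)
>O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
>O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
>
>thanks for the help.
"""


def parse_entries(log_text):
    """Return [(code, text)], re-joining continuation lines wrapped by the forum."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").rstrip()      # drop reply-quote markers and padding
        if not line:
            current = None                    # a blank line ends any wrapped entry
            continue
        match = ENTRY_RE.match(line)
        if match:
            current = [match.group(1), match.group(2)]
            entries.append(current)
        elif current is not None:
            current[1] += " " + line          # wrapped tail of the previous entry
        # anything else (header, process list, chat text) is ignored
    return [tuple(e) for e in entries]


def flag(code, text):
    """Return a reason if the entry resembles those marked for fixing, else None.

    Assumed heuristics, derived only from the entries shown in this thread.
    """
    upper = text.upper()
    if code in ("R0", "R1") and "= RES://" in upper and ".DLL/" in upper:
        return "IE search/start setting served from a local DLL resource"
    if code == "R1" and upper.endswith("HOMEOLDSP = ABOUT:BLANK"):
        return "HomeOldSP = about:blank"
    if (code == "O2" and upper.startswith("BHO: (NO NAME)")
            and re.search(r"\\SYSTEM\\[A-Z]+\.DLL", upper)):
        return "unnamed BHO loading a DLL from the Windows system directory"
    return None


def triage(log_text):
    """Return [(code, text, reason)] for every flagged entry in one log."""
    hits = []
    for code, text in parse_entries(log_text):
        reason = flag(code, text)
        if reason:
            hits.append((code, text, reason))
    return hits


def new_entries(before, after):
    """Entries present in the later log but absent from the earlier one."""
    seen = {(c, t.upper()) for c, t in parse_entries(before)}
    return [(c, t) for c, t in parse_entries(after) if (c, t.upper()) not in seen]


if __name__ == "__main__":
    for code, text, reason in triage(LOG_AFTER):
        print(f"FLAG {code}: {text}\n     -> {reason}")
    for code, text in new_entries(LOG_BEFORE, LOG_AFTER):
        print(f"NEW  {code}: {text}")
```

A flagged or new entry is only a prompt for a closer look; legitimate software also adds Run keys and BHOs.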

re: About Blank
Wednesday, June 9, 2004 at 5:45 am
Posted by Dan (20 messages posted)

one problem, when I click on the "the killbox" icon, it says download program could 
not be found. Maybe there is a different download site?

Dan

On Monday, June 7, 2004 at 6:29 pm, MrCharlie wrote:
>
>No, not yet. First download the KillBox
>and unzip to a folder, we'll use this to delete the file.
>
>Next, double click the RunFix.reg and let it merge into the registry.
>
>Third, reboot and delete the file found by who.bat, here's how:
>
> Just copy and paste C:\WINDOWS\System\WINLONO.DLL into the KillBox
>and hit kill this file. It may not be able to delete it now, so let it delete it
>on reboot.
>
>Now run HJT again and fix any of them that look like these. (R0, R1, R2)
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\HGOM.DLL/sp.html
>(obfuscated
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
>
>Reboot and see how it is.
>
>Let me know, MrC

[Reply or follow-up to this message]

re: About Blank
Wednesday, June 9, 2004 at 3:37 pm
Posted by MrCharlie (4133 messages posted)

 
No, that's it as far as I know. If you can delete the file the normal way, go ahead 
and do it. If not, just click on my name and send me a note and I will send you the 
KillBox. It's a small app 212kb in size. MrC

On Wednesday, June 9, 2004 at 5:45 am, Dan wrote:
>one problem, when I click on the "the killbox" icon, it says download program could
>not be found. Maybe there is a different download site?
>
>Dan

[Reply or follow-up to this message]

re: About Blank
Saturday, June 12, 2004 at 10:36 am
Posted by Dan (20 messages posted)

I was able to delete it the normal way. 

here is a log from HijackThis now-

Logfile of HijackThis v1.97.7
Scan saved at 7:33:29 PM, on 6/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\BHODEMON\BHODEMON.EXE
C:\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
C:\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
C:\DANIEL\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eltiempo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.megavision.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = provided by Community 
Internet Systems, Inc.
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F05D2B3C-89C8-4F65-B706-FC6BA4CF98A8} - C:\WINDOWS\SYSTEM\EFHF.DLL 
(disabled by BHODemon)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} 
- (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} 
- C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN 
TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" 
 -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec 
Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" 
/detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection 
OfotoNow
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
O9 - Extra button: Hoteles (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {72B09CA7-1B59-454E-95D9-461A9227B785} (UIWrapper Class) - http://webcomp1.mediaring.com/orion/consumer/pcphone/ver1.2.5.0/wbsc125.cab
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://voizfone.mediaring.com/webcomp/pcphone/ver3.0.5.0/wbaxuiph305.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program 
Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program 
Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program 
Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program 
Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38105.3232175926
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - 
http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

tell me if there is anything else I should do now. 

thanks

Dan

On Wednesday, June 9, 2004 at 3:37 pm, MrCharlie wrote:
>
>No, that's it as far as I know. If you can delete the file the normal way, go ahead
>and do it. If not, just click on my name and send me a note and I will send you the
>KillBox. It's a small app 212kb in size. MrC

[Reply or follow-up to this message]

re: About Blank
Saturday, June 12, 2004 at 1:43 pm
Posted by MrCharlie (4133 messages posted)

   
Looks Good, just have HJT fix these:

R3 - Default URLSearchHook is missing 

O2 - BHO: (no name) - {F05D2B3C-89C8-4F65-B706-FC6BA4CF98A8} - C:\WINDOWS\SYSTEM\EFHF.DLL 

 O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
-msmc (MSMC.EXE)

Delete this file:

 C:\WINDOWS\SYSTEM\msmc.exe

Since we went this far, just post one more log for a final check. MrC

PS: The Kill Box link should work now.

On Saturday, June 12, 2004 at 10:36 am, Dan wrote:
>I was able to delete it the normal way.
>
>here is a log from HijackThis now-
>
>Logfile of HijackThis v1.97.7
>Scan saved at 7:33:29 PM, on 6/12/2004
>Platform: Windows ME (Win9x 4.90.3000)
>MSIE: Internet Explorer v5.50 (5.50.4134.0100)
>
>Running processes:
>C:\WINDOWS\SYSTEM\KERNEL32.DLL
>C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>C:\WINDOWS\SYSTEM\mmtask.tsk
>C:\WINDOWS\SYSTEM\MPREXE.EXE
>C:\WINDOWS\SYSTEM\MSTASK.EXE
>C:\WINDOWS\SYSTEM\SCARDSVR.EXE
>C:\WINDOWS\SYSTEM\STIMON.EXE
>C:\WINDOWS\SYSTEM\DEVLDR16.EXE
>C:\WINDOWS\EXPLORER.EXE
>C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
>C:\WINDOWS\TASKMON.EXE
>C:\WINDOWS\SYSTEM\SYSTRAY.EXE
>C:\WINDOWS\SYSTEM\HIDSERV.EXE
>C:\WINDOWS\SYSTEM\WMIEXE.EXE
>C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
>C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
>C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
>C:\WINDOWS\SYSTEM\QTTASK.EXE
>C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
>C:\WINDOWS\RUNDLL32.EXE
>C:\WINDOWS\SYSTEM\DDHELP.EXE
>C:\PROGRAM FILES\BHODEMON\BHODEMON.EXE
>C:\SPYWAREGUARD\SGMAIN.EXE
>C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
>C:\SPYWAREGUARD\SGBHP.EXE
>C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
>C:\DANIEL\HIJACKTHIS\HIJACKTHIS.EXE
>C:\WINDOWS\SYSTEM\SPOOL32.EXE
>
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eltiempo.com/
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.megavision.com
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = provided by Community
>Internet Systems, Inc.
>R3 - Default URLSearchHook is missing
>O2 - BHO: (no name) - {F05D2B3C-89C8-4F65-B706-FC6BA4CF98A8} - C:\WINDOWS\SYSTEM\EFHF.DLL
>(disabled by BHODemon)
>O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
>- (no file)
>O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467}
>- C:\WINDOWS\SYSTEM\MSDXM.OCX
>O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
>O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN
>TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
>O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
>O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
>O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
>O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
>O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
>O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
>O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
>O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
>O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
>O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
> -osboot
>O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
>O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
>O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
>O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
>O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
>O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
>O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec
>Shared\Script Blocking\SBServ.exe" -reg
>O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
>O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
>O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe"
>/detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
>O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
>O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection
>OfotoNow
>O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
>O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
>O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
>O9 - Extra button: Hoteles (HKLM)
>O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>O16 - DPF: {72B09CA7-1B59-454E-95D9-461A9227B785} (UIWrapper Class) - http://webcomp1.mediaring.com/orion/consumer/pcphone/ver1.2.5.0/wbsc125.cab
>O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://voizfone.mediaring.com/webcomp/pcphone/ver3.0.5.0/wbaxuiph305.cab
>O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program
>Files\AutoCAD 2002\AcPreview.ocx
>O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program
>Files\AutoCAD 2002\AcDcToday.ocx
>O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program
>Files\AutoCAD 2002\InstBanr.ocx
>O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program
>Files\AutoCAD 2002\InstFred.ocx
>O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
>O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
>O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
>O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
>O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
>O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
>O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
>O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38105.3232175926
>O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) -
>http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
>
>tell me if there is anything else I should do now.
>
>thanks
>
>Dan

[Reply or follow-up to this message]

re: About Blank
Sunday, June 13, 2004 at 12:54 pm
Posted by Dan (20 messages posted)

Okay, downloaded Killbox, but the file is already gone. 

here is the log-

Logfile of HijackThis v1.97.7
Scan saved at 9:48:24 PM, on 6/13/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
C:\SPYWAREGUARD\SGBHP.EXE
C:\DANIEL\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eltiempo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.megavision.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = provided by Community 
Internet Systems, Inc.
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} 
- (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} 
- C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN 
TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" 
 -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec 
Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
O9 - Extra button: Hoteles (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {72B09CA7-1B59-454E-95D9-461A9227B785} (UIWrapper Class) - http://webcomp1.mediaring.com/orion/consumer/pcphone/ver1.2.5.0/wbsc125.cab
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://voizfone.mediaring.com/webcomp/pcphone/ver3.0.5.0/wbaxuiph305.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38105.3232175926
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

thanks

Dan






On Saturday, June 12, 2004 at 1:43 pm, MrCharlie wrote:
>
>Looks Good, just have HJT fix these:
>
>R3 - Default URLSearchHook is missing
>
>O2 - BHO: (no name) - {F05D2B3C-89C8-4F65-B706-FC6BA4CF98A8} - C:\WINDOWS\SYSTEM\EFHF.DLL
>
> O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
>-msmc (MSMC.EXE)
>
>Delete this file:
>
> C:\WINDOWS\SYSTEM\msmc.exe
>
>Since we went this far, just post one more log for a final check. MrC
>
>PS: The Kill Box link should work now.
>


re: About Blank
Sunday, June 13, 2004 at 6:39 pm
Posted by MrCharlie (4133 messages posted)

Case Closed My Friend!! Thanks, MrC


On Sunday, June 13, 2004 at 12:54 pm, Dan wrote:
>Okay, downloaded Killbox, but the file is already gone.
>
>here is the log-
>
>Logfile of HijackThis v1.97.7
>Scan saved at 9:48:24 PM, on 6/13/2004
>Platform: Windows ME (Win9x 4.90.3000)
>MSIE: Internet Explorer v5.50 (5.50.4134.0100)
>
>Running processes:
>C:\WINDOWS\SYSTEM\KERNEL32.DLL
>C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>C:\WINDOWS\SYSTEM\mmtask.tsk
>C:\WINDOWS\SYSTEM\MPREXE.EXE
>C:\WINDOWS\SYSTEM\MSTASK.EXE
>C:\WINDOWS\SYSTEM\SCARDSVR.EXE
>C:\WINDOWS\SYSTEM\STIMON.EXE
>C:\WINDOWS\SYSTEM\DEVLDR16.EXE
>C:\WINDOWS\EXPLORER.EXE
>C:\WINDOWS\TASKMON.EXE
>C:\WINDOWS\SYSTEM\SYSTRAY.EXE
>C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
>C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
>C:\WINDOWS\SYSTEM\HIDSERV.EXE
>C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
>C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
>C:\WINDOWS\SYSTEM\WMIEXE.EXE
>C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
>C:\WINDOWS\RUNDLL32.EXE
>C:\WINDOWS\SYSTEM\DDHELP.EXE
>C:\SPYWAREGUARD\SGMAIN.EXE
>C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
>C:\SPYWAREGUARD\SGBHP.EXE
>C:\DANIEL\HIJACKTHIS\HIJACKTHIS.EXE
>
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eltiempo.com/
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.megavision.com
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = provided by Community Internet Systems, Inc.
>O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
>O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
>O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
>O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
>O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
>O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
>O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
>O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
>O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
>O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
>O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
>O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
>O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
>O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
>O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
>O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
>O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
>O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
>O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
>O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
>O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
>O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
>O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
>O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
>O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
>O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection OfotoNow
>O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
>O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
>O9 - Extra button: Hoteles (HKLM)
>O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>O16 - DPF: {72B09CA7-1B59-454E-95D9-461A9227B785} (UIWrapper Class) - http://webcomp1.mediaring.com/orion/consumer/pcphone/ver1.2.5.0/wbsc125.cab
>O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://voizfone.mediaring.com/webcomp/pcphone/ver3.0.5.0/wbaxuiph305.cab
>O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
>O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
>O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
>O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
>O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
>O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
>O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
>O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
>O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
>O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
>O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
>O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38105.3232175926
>O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
>
>thanks
>
>Dan


All content at Annoyances.org is Copyright © 1995-2008 Creative Element™. All rights reserved.
Please do not plagiarize; redistributing these pages without permission is strictly prohibited.