Home Page Problems - Tried Everything?


Bearman

I tried everything to remove about:blank as my default
web page. CW Shredder, Ad Aware, SpyBot and Hijack
This. I removed the line from Hijack this and then
about:blank from my regedit files.

I reboot and still get the about:blank even after
changing it to msn.com and the nasty items show up again
in Hijack this scan and regedit.

Following is my Hijack This scan. Anyone know what else
I might be missing that I should do or should remove
after doing the scan.

Thanks

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\PROMon.exe
C:\Program Files\Adaptec\Easy CD Creator 5
\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Tablet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local
Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = res://C:\WINNT\System32
\npd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = res://C:\WINNT\System32
\npd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = res://C:\WINNT\System32
\npd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar = res://C:\WINNT\System32
\npd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page = res://C:\WINNT\System32
\npd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = res://C:\WINNT\System32
\npd.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local
Page =
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-
28BA1851E39A} - (no file)
N2 - Netscape 6: user_pref
("browser.startup.homepage", "www.netaddress.com");
(C:\Documents and Settings\Owner\Application
Data\Mozilla\Profiles\default\tjf1t4hs.slt\prefs.js)
N2 - Netscape 6: user_pref
("browser.search.defaultengine", "engine://C%3A%5CProgram%
20Files%5CNetscape%5CNetscape%206%5Csearchplugins%
5CSBWeb_01.src"); (C:\Documents and
Settings\Owner\Application
Data\Mozilla\Profiles\default\tjf1t4hs.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0
\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BA966C40-A6E4-40C3-AA85-
4882C7330E7F} - C:\WINNT\System32\npd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-
FADC6B084872} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-
209B6AD74ACC} - C:\Program Files\Microsoft
Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-
7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32
\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32
\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunV
alue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program
Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program
Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program
Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft
Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1
\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program
Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program
Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!
\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35}
(RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1}
(StartFirstControl.CheckFirst) -
hcp://system/StartFirstControl.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4}
(ZoneAxRcMgr Class) -
http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update
Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuct
l.CAB?37844.5946990741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/sw
flash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
(PopCapLoader Object) -
http://zone.msn.com/bingame/zuma/default/popcaploader_v5.c
ab
 
Following is my Hijack This scan. Anyone know what else
I might be missing that I should do or should remove
after doing the scan.
This might help you. Open this file in notepad:

C:\WINNT\System32\npd.dll

If it has a lot of the text that shows up on your
about:blank webpage, close notepad and rename
it to npd.bak being sure npd.dll no longer exists.

Then set your default homepage back to what
you want it to be.
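
In the log above, npd.dll (the file this reply points at) appears both as the res:// source of the IE search settings (R0/R1 lines) and as a registered Browser Helper Object (O2 line). The following Python script is an added example, not part of the original thread: it re-joins the forum-wrapped log lines and reports any DLL that shows up in both roles. The function names and the line-joining heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt of the log posted above, with the forum's line wrapping kept as-is.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = res://C:\WINNT\System32
\npd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = res://C:\WINNT\System32
\npd.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {BA966C40-A6E4-40C3-AA85-
4882C7330E7F} - C:\WINNT\System32\npd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-
FADC6B084872} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
"""

ENTRY = re.compile(r"^(R[0-3]|N[1-4]|O\d{1,2}) - ")
RES_DLL = re.compile(r"res://(.+?\.dll)", re.I)
BHO = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+\.dll)$", re.I)

def unwrap(log_text):
    """Re-join hard-wrapped entries (heuristic: assumed wrap rules)."""
    entries = []
    for line in (l.strip() for l in log_text.splitlines()):
        if ENTRY.match(line):
            entries.append(line)                 # start of a new entry
        elif line and entries:
            # A path split before "\" or a GUID split after "-" had no space.
            glue = "" if line.startswith("\\") or entries[-1].endswith("-") else " "
            entries[-1] += glue + line
    return entries

def correlate(entries):
    """Map each DLL that serves an IE res:// setting AND is a BHO to its evidence."""
    settings, bhos = defaultdict(list), defaultdict(list)
    for e in entries:
        code, rest = e.split(" - ", 1)
        res = RES_DLL.search(rest)
        if code.startswith("R") and res:
            settings[res.group(1).lower()].append(rest.split(" = ", 1)[0])
        bho = BHO.match(e)
        if bho:
            bhos[bho.group(2).lower()].append(bho.group(1))
    return {d: {"settings": settings[d], "bho": bhos[d]} for d in settings if d in bhos}

if __name__ == "__main__":
    for dll, info in correlate(unwrap(SAMPLE)).items():
        print(dll, "is BHO", info["bho"], "and serves", info["settings"])
```

A BHO is loaded by Internet Explorer at every start, which is why a DLL reported here is worth inspecting before resetting the home page.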
 
One of the problems http://www.doxdesk.com/parasite/Winshow.htm
Try the latest version of CWShredder 1.56.1 again http://www.spywareinfo.com/~merijn/downloads.htm

Please post your Hijack This Logs, in any of the following “Expert Forums”
http://forums.net-integration.net/index.php?s=853f186bf90302d57a6840f00475ff6b&showforum=3
http://forums.spywareinfo.com/index.php?s=1413794b9fe306155560c99576acc3a8&showforum=1
http://www.lavasoftsupport.com/index.php?s=c0d583c0e136d2133506ec492cb6bd40&showforum=4
http://www.cybertechhelp.com/forums/forumdisplay.php?f=1
http://boards.cexx.org/viewforum.php?f=1&sid=0b5c7c42dc70e12ffe32f4a0807ff6a
http://www.dslreports.com/forum/security,

 