September 6th, 2005 02:00

msblank.html hijacker? HijackThis log- help, please!

Hi there, I'm experiencing problems with my Internet Explorer, and my entire computer is running extremely slowly. The Internet Explorer pages keep opening, with an error message that basically says that it is looking for some "msblank.html" page. I have run HijackThis a few times and gotten rid of the obvious bad stuff, so I assume that I must have gotten rid of the beginnings of this msblank problem (it is also worth mentioning that I originally had a search toolbar added by this hijacker, but was able to get rid of it after a lot of work and research). However, Internet Explorer keeps opening without any toolbar now (no back or forward arrows, stop button, etc.), and when I try to access pages off of a Google search, for example, this hijacker keeps forwarding me to other sites (in particular, such sites as "abcsearch.com", "search city", "search.lycos....." and other search sites). If somebody could look over my logfile of my HijackThis scan and advise me on what further steps I can take to fix this problem, I would be VERY grateful. Thank you for your help and time in advance!

Logfile of HijackThis v1.99.1
Scan saved at 11:15:06 PM, on 9/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\WINDOWS\system32\PRPCUI.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\progra~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Default\Desktop\Random\HijackThis.exe
C:\WINDOWS\explorer.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\progra~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pinger] C:\Toshiba\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [FTWv0trSs] C:\WINDOWS\fqsdlcnx.exe
O4 - HKLM\..\Run: [5h5jqr6b] C:\WINDOWS\system32\5h5jqr6b.exe
O4 - HKLM\..\Run: [Jç˜e‡šVnRÖ§P¹+  C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\fqsdlcnx.exe
O4 - HKLM\..\Run: [Ud9C] C:\WINDOWS\pujcpdi.exe
O4 - HKLM\..\Run: [viikqn2a] C:\WINDOWS\system32\viikqn2a.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [dws6RPM3T] regman32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3531E896-196E-469B-B529-4B20C59EED8C}: NameServer = 69.50.161.132,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E1B3A20-6625-4308-A2EC-436046DE3F14}: NameServer = 69.50.161.132,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{3531E896-196E-469B-B529-4B20C59EED8C}: NameServer = 69.50.161.132,85.255.112.15
O17 - HKLM\System\CS2\Services\Tcpip\..\{3531E896-196E-469B-B529-4B20C59EED8C}: NameServer = 69.50.161.132,85.255.112.15
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe

 


September 6th, 2005 15:00

Hi,

Be sure to look this solution over before you begin. There are some item(s) I'm not familiar with. If you recognize any, then just omit them from this fix.



Download the Adware.Istbar removal utility from Symantec and follow the instructions on the same page.



Run HijackThis and click "Scan", then check (tick) the following, if present:


O4 - HKLM\..\Run: [FTWv0trSs] C:\WINDOWS\fqsdlcnx.exe
O4 - HKLM\..\Run: [5h5jqr6b] C:\WINDOWS\system32\5h5jqr6b.exe
O4 - HKLM\..\Run: [Jç˜e‡šVnRÖ§P¹+ C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\fqsdlcnx.exe
O4 - HKLM\..\Run: [viikqn2a] C:\WINDOWS\system32\viikqn2a.exe
O4 - HKCU\..\Run: [dws6RPM3T] regman32.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{3531E896-196E-469B-B529-4B20C59EED8C}: NameServer = 69.50.161.132,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E1B3A20-6625-4308-A2EC-436046DE3F14}: NameServer = 69.50.161.132,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{3531E896-196E-469B-B529-4B20C59EED8C}: NameServer = 69.50.161.132,85.255.112.15
O17 - HKLM\System\CS2\Services\Tcpip\..\{3531E896-196E-469B-B529-4B20C59EED8C}: NameServer = 69.50.161.132,85.255.112.15
...(Verify that these IP addresses are for your ISP's DNS servers; if so, don't 'fix' these.)


Now, with all windows closed except HijackThis, click "Fix checked".



Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...

C:\WINDOWS\fqsdlcnx.exe
C:\WINDOWS\system32\5h5jqr6b.exe
C:\WINDOWS\system32\viikqn2a.exe

Search for...

regman32.exe

...using "Start | Search...".

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".




Reboot and post back a new log, and let me know how everything goes.
Steve
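
The DNS check the reply asks for (compare the O17 `NameServer` addresses with the resolvers your ISP actually assigns), as an added example that is not part of the original thread. The function names and the trusted-resolver list are assumptions; `192.0.2.53` is a documentation-range placeholder for your real ISP resolver.

```python
import ipaddress
import re

# Constructed sample in the O4/O17 layout of the log above; the last line is
# altered to carry a documentation-range address (192.0.2.53).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [dws6RPM3T] regman32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3531E896-196E-469B-B529-4B20C59EED8C}: NameServer = 69.50.161.132,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{3531E896-196E-469B-B529-4B20C59EED8C}: NameServer = 69.50.161.132,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E1B3A20-6625-4308-A2EC-436046DE3F14}: NameServer = 192.0.2.53
"""

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>\w+)\\.*?\\(?P<guid>\{[0-9A-Fa-f-]+\}): "
    r"NameServer = (?P<servers>.+)$"
)

def parse_o17(log_text):
    """Map interface GUID -> {nameserver: set of control sets that carry it}."""
    found = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # not an O17 NameServer line (e.g. O4 Run entries)
        per_iface = found.setdefault(m["guid"].upper(), {})
        # The NameServer value may be comma- or space-delimited.
        for server in re.split(r"[,\s]+", m["servers"].strip()):
            if server:
                per_iface.setdefault(server, set()).add(m["cs"])
    return found

def is_trusted(server, trusted):
    """True only for a syntactically valid IP that is on the allow-list."""
    try:
        return ipaddress.ip_address(server) in trusted
    except ValueError:
        return False  # malformed value: always surface it for review

def untrusted_nameservers(log_text, trusted_resolvers):
    """Return {guid: [servers not on the allow-list]} for manual review."""
    trusted = {ipaddress.ip_address(ip) for ip in trusted_resolvers}
    report = {}
    for guid, servers in parse_o17(log_text).items():
        bad = sorted(s for s in servers if not is_trusted(s, trusted))
        if bad:
            report[guid] = bad
    return report

if __name__ == "__main__":
    # 192.0.2.53 stands in for the resolver your ISP assigns (assumption).
    for guid, servers in untrusted_nameservers(SAMPLE_LOG, ["192.0.2.53"]).items():
        print(guid, "->", ", ".join(servers))
```

An interface that shows up in the report carries a resolver you did not list; only then tick its O17 lines in HijackThis, as the reply describes.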