Hello,
I am a novice and am new here at this site. After spending an entire day trying to fix my browser hijack problem, I found this site. I have used HijackThis, Spybot S&D, Ad-Aware, and this stuff seems to regenerate!! Here is my HijackThis log. Please, someone help, I am at my wits' end.
Thanks so much for all your help!
Logfile of HijackThis v1.99.1
Scan saved at 9:11:03 PM, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\DOCUME~1\Arthur\LOCALS~1\Temp\E22.tmp.exe
C:\WINDOWS\mskj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\a-squared\a2guard.exe
C:\WINDOWS\ipno32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {30C2CB79-B898-DCF3-EFEF-5BB2F1EDEC08} - C:\WINDOWS\nethf32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE542976-4CB6-4417-956A-94A353C88D09} - C:\WINDOWS\system32\lhho.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run912.exe dummy
O4 - HKLM\..\Run: [javadt.exe] C:\WINDOWS\javadt.exe
O4 - HKLM\..\Run: [E21.tmp] C:\DOCUME~1\Arthur\LOCALS~1\Temp\E21.tmp.exe
O4 - HKLM\..\Run: [E22.tmp] C:\DOCUME~1\Arthur\LOCALS~1\Temp\E22.tmp.exe
O4 - HKLM\..\Run: [E22.tmp.exe] C:\DOCUME~1\Arthur\LOCALS~1\Temp\E22.tmp.exe
O4 - HKLM\..\Run: [E21.tmp.exe] C:\DOCUME~1\Arthur\LOCALS~1\Temp\E21.tmp.exe
O4 - HKLM\..\Run: [crpp32.exe] C:\WINDOWS\crpp32.exe
O4 - HKLM\..\Run: [mskj.exe] C:\WINDOWS\mskj.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5AE91D7B-FA5E-34E2-894D-5E0535AEF72E} - http://85.255.115.227/1/gdnUS111.exe
O16 - DPF: {6119B8C5-AA9E-035C-395A-0ECC65982C8D} - http://85.255.115.227/1/gdnUS111.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipno32.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Disable or end the running process for A-squared (Ctrl+Alt+Delete); it might interfere with the fixes detailed below.
Download the latest version of CWShredder to your desktop from here:
http://cwshredder.net/bin/CWShredder.exe
We will use this application a little later on in the process.
Initially, run it ONLY to check for updates.
Download About:Buster from one of these links:
http://majorgeeks.com/download4289.html
Unzip it to your desktop.
Initially, run AboutBuster 5.0 and press ‘Update’ to make sure you have the latest reference file version.
Do not run the actual scan/fix until instructed below.
You will run About:Buster while you are in Safe Mode.
It will create a log in addition to cleaning your system. Post that log into your next reply in this thread.
Download Clean.bat to your desktop for later use:
http://www.thatcomputerguy.us/downloads/clean.bat
DISCONNECT FROM THE INTERNET
During the fix do NOT connect to the Internet (turn your modem off or disconnect your internet connection wire).
Unless you can memorize these instructions, it would be a good idea to print them out or save these instructions to a file on your desktop (NOTEPAD).
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {30C2CB79-B898-DCF3-EFEF-5BB2F1EDEC08} - C:\WINDOWS\nethf32.dll
O2 - BHO: (no name) - {AE542976-4CB6-4417-956A-94A353C88D09} - C:\WINDOWS\system32\lhho.dll (file missing)
O4 - HKLM\..\Run: [ALIJ] C:\WINDOWS\system32\run912.exe dummy
O4 - HKLM\..\Run: [JAVADT.EXE] C:\WINDOWS\javadt.exe
O4 - HKLM\..\Run: [E21.tmp] C:\DOCUME~1\Arthur\LOCALS~1\TEMP\E21.tmp.exe
O4 - HKLM\..\Run: [E22.tmp] C:\DOCUME~1\Arthur\LOCALS~1\TEMP\E22.tmp.exe
O4 - HKLM\..\Run: [E22.tmp.exe] C:\DOCUME~1\Arthur\LOCALS~1\TEMP\E22.tmp.exe
O4 - HKLM\..\Run: [E21.tmp.exe] C:\DOCUME~1\Arthur\LOCALS~1\TEMP\E21.tmp.exe
O4 - HKLM\..\Run: [CRPP32.EXE] C:\WINDOWS\crpp32.exe
O4 - HKLM\..\Run: [MSKJ.EXE] C:\WINDOWS\mskj.exe
O4 - HKLM\..\RunOnce: [SRV32 SPOOL SERVICE] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [SRV32 SPOOL SERVICE] C:\WINDOWS\System32\spoolsrv32.exe
O16 - DPF: {5AE91D7B-FA5E-34E2-894D-5E0535AEF72E} - http://85.255.115.227/1/gdnUS111.exe
O16 - DPF: {6119B8C5-AA9E-035C-395A-0ECC65982C8D} - http://85.255.115.227/1/gdnUS111.exe
Make sure that all browser windows and internet links are closed, even this one!
CLICK ‘FIX CHECKED’ with HijackThis.
HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here
SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).
Run Clean.bat
Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter
***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.
Navigate to or locate the following Files and Folders:
(using Windows Explorer: right click on ‘My Computer’ > Explore, or using Start (button) > Search …)
Delete these Files (if found):
C:\WINDOWS\nethf32.dll
C:\WINDOWS\system32\run912.exe
C:\WINDOWS\javadt.exe
C:\WINDOWS\crpp32.exe
C:\WINDOWS\mskj.exe
C:\WINDOWS\System32\spoolsrv32.exe
Delete these Folders (if found) - preferably using Add/Remove Programs where possible:
None specified.
Now, run AboutBuster and select ‘Begin Removal’. Continue running the scan until it shows clean.
Post a copy of the scan results, which will appear in the AboutBuster folder.
Next, run CWShredder
-Click on the: ‘Fix’ button
-Follow the prompts, and press OK
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
Last edited by VopThis; 13-12-2005 at 10:57 AM.
Dear Vincent P
I tried running the clean procedure twice. After I reboot from safe mode, even with modem disconnected, the About:blank home page appears and I get a respawning of the files deleted with HijackThis. This is the log when running HijackThis in safe mode after clean up:
Logfile of HijackThis v1.99.1
Scan saved at 8:20:20 AM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ipnj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\WINDOWS\javaow.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {21165088-A6A7-77FF-067A-CE5B83F27AC4} - C:\WINDOWS\system32\ipbd32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ipnj.exe] C:\WINDOWS\ipnj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaow.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
This is the log of HijackThis after I reboot. As you see, the junk re-spawns itself!!
Logfile of HijackThis v1.99.1
Scan saved at 8:20:20 AM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ipnj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\WINDOWS\javaow.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {21165088-A6A7-77FF-067A-CE5B83F27AC4} - C:\WINDOWS\system32\ipbd32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ipnj.exe] C:\WINDOWS\ipnj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaow.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Here is the AboutBuster log:
AboutBuster 5.1, reference file 33
Scan started on [12/13/2005] at [7:27:59 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\system32\ntpor.dat
Removed File! : C:\WINDOWS\system32\uyjwh.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:29:26 AM
AboutBuster 5.1, reference file 33
Scan started on [12/13/2005] at [7:33:47 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:34:59 AM
AboutBuster 5.1, reference file 32
Scan started on [12/13/2005] at [8:10:28 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:11:53 AM
CWShredder doesn't find anything to delete.
Hope you can help!!
wolfpod
Disconnect from the Internet again.
We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {21165088-A6A7-77FF-067A-CE5B83F27AC4} - C:\WINDOWS\system32\ipbd32.dll
O4 - HKLM\..\Run: [IPNJ.EXE] C:\WINDOWS\ipnj.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaow.exe
Make sure that all browser windows and internet links are closed, even this one!
CLICK ‘FIX CHECKED’ with HijackThis.
HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here
SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).
Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
DELETE FILES:
C:\WINDOWS\system32\ipbd32.dll
C:\WINDOWS\ipnj.exe
C:\WINDOWS\javaow.exe
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
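The entries ticked in the two fix lists above share a few shapes: IE search keys pointing into a res:// DLL, a BHO with a blank or generic name, autoruns launched from C:\WINDOWS or a Temp folder, an ActiveX download from a bare IP address, and a service with a garbled name and unknown owner. As an added example that is not part of this thread, the Python triage script below parses HijackThis v1.99 entry lines, flags those shapes, and compares two logs to show when a flagged foothold came back under a new file name, which is what the poster saw after each reboot. The sample logs are constructed from a subset of the lines posted here, and the heuristics are my own rather than anything HijackThis itself does.

```python
import re
from urllib.parse import urlparse

# Constructed samples: subsets of the first two logs posted in this thread, in HijackThis v1.99 format.
BEFORE_CLEANUP = r"""
Running processes:
C:\WINDOWS\mskj.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oolyi.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oolyi.dll/sp.html#77035
O2 - BHO: Class - {30C2CB79-B898-DCF3-EFEF-5BB2F1EDEC08} - C:\WINDOWS\nethf32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [E22.tmp] C:\DOCUME~1\Arthur\LOCALS~1\Temp\E22.tmp.exe
O4 - HKLM\..\Run: [mskj.exe] C:\WINDOWS\mskj.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5AE91D7B-FA5E-34E2-894D-5E0535AEF72E} - http://85.255.115.227/1/gdnUS111.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipno32.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""
AFTER_CLEANUP = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gpwqm.dll/sp.html#77035
O2 - BHO: Class - {21165088-A6A7-77FF-067A-CE5B83F27AC4} - C:\WINDOWS\system32\ipbd32.dll
O4 - HKLM\..\Run: [ipnj.exe] C:\WINDOWS\ipnj.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaow.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)  # file dropped directly into C:\WINDOWS
TEMP_DIR = re.compile(r"\\temp\\", re.I)                       # anything launched from a Temp folder
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def entries(log):
    """Yield (section, body) for each 'Rn - ...' / 'On - ...' line; headers and the process list are skipped."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def target_path(text):
    """File path from the tail of an entry: strips quotes, trailing arguments and '(file missing)'."""
    text = text.replace(" (file missing)", "").strip()
    if text.startswith('"'):
        return text[1:text.index('"', 1)]
    return text.split(" ")[0]


def classify(section, body):
    """Return (target, reason) when the entry matches a CWS-style hijack shape, else None."""
    if section in ("R0", "R1"):
        _key, _, value = body.partition(" = ")
        if value.lower().startswith("res://"):          # search/start page served out of a local DLL
            return value[len("res://"):].split("/")[0], "IE search/start page points into a local DLL resource"
    elif section == "O2":
        parts = body.split(" - ")
        name, path = parts[0][len("BHO: "):], target_path(parts[-1])
        if name in ("Class", "(no name)"):              # real BHOs carry a product name
            return path, "BHO registered with a generic or blank name"
    elif section == "O4":
        m = re.match(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", body)
        if m:
            path = target_path(m.group("cmd"))
            if WINDOWS_ROOT.match(path) or TEMP_DIR.search(path):
                return path, "autorun target lives in the Windows root or a Temp folder"
            if m.group("key").endswith("RunOnce"):      # RunOnce is meant to be transient
                return path, "RunOnce entry that keeps coming back"
    elif section == "O16":
        url = body.rsplit(" - ", 1)[-1]
        if IP_HOST.match(urlparse(url).hostname or ""):
            return url, "ActiveX download served from a bare IP address"
    elif section == "O23":
        parts = body.split(" - ")
        if len(parts) >= 3:
            name, owner, path = " - ".join(parts[:-2])[len("Service: "):], parts[-2], target_path(parts[-1])
            if owner == "Unknown owner" and (WINDOWS_ROOT.match(path) or not name.isascii()):
                return path, "service with unknown owner and a garbled name or Windows-root binary"
    return None


def findings(log):
    """All suspicious entries as (section, target, reason), in log order."""
    out = []
    for section, body in entries(log):
        hit = classify(section, body)
        if hit:
            out.append((section, *hit))
    return out


def respawn_report(before, after):
    """Reasons present in both logs but with different targets: the same foothold back under a new name."""
    def by_reason(log):
        grouped = {}
        for _section, target, reason in findings(log):
            grouped.setdefault(reason, set()).add(target)
        return grouped
    b, a = by_reason(before), by_reason(after)
    return {r: (sorted(b[r]), sorted(a[r])) for r in b if r in a and b[r] != a[r]}
```

Run `findings(BEFORE_CLEANUP)` to get the eight entries the helper ticked in the first fix list, and `respawn_report(BEFORE_CLEANUP, AFTER_CLEANUP)` to see each of the four footholds that returned with a renamed file after the first clean.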
Can't access your web site now from Explorer. All other web sites work!! Still the same.
Logfile of HijackThis v1.99.1
Scan saved at 8:05:01 AM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mscs32.exe
C:\WINDOWS\apizx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpyFighter\SpyFighter.exe
C:\Program Files\SpyFighter\AutoUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tglzi.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tglzi.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tglzi.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tglzi.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tglzi.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tglzi.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tglzi.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {632429FC-7132-FBF7-255C-EAC2A7424B37} - C:\WINDOWS\ipyd32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {BC144D27-FA6C-007E-D9A7-FA8FB1EB27D4} - C:\WINDOWS\system32\d3dc.dll
O2 - BHO: Class - {BC871140-5119-C1BF-54EE-A8EE8A1643B6} - C:\WINDOWS\system32\ntjk32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [ipnj.exe] C:\WINDOWS\ipnj.exe
O4 - HKLM\..\Run: [apizx.exe] C:\WINDOWS\apizx.exe
O4 - HKLM\..\RunOnce: [mscs32.exe] C:\WINDOWS\system32\mscs32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaow.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
problem with respawning of hijacker.
Quite the revolving door of infections and re-infections.
Go to Add/Remove Programs in Control Panel and remove:
Spyfighter - C:\Program Files\SpyFighter
Download and run the freeware system optimization and privacy tool:
CCleaner (Crap Cleaner)
http://www.ccleaner.com/ccdownload.asp
It removes unnecessary junk from your computer allowing it to run more efficiently and securely.
You may get more optimal cleaning if you run it in SAFEMODE – while rebooting and at the beep keep tapping the F8 key.
Once installed, you will notice an Online Help link at the bottom left. Updates checking link is provided at the bottom right. When first run in its DEFAULT opening setup – Cleaner button (Windows TAB is selected) , click the ‘Analyse’ button. Thereafter, click ‘Run Cleaner’ after you have reviewed what it proposes to clean.
Please download, install, update and scan your system with the free (trial) version of Ewido trojan scanner:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
- If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
- When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.
REBOOT.
Run the following anti-virus/malware tools:
Get the stinger here:
http://vil.nai.com/vil/stinger/
Download it to another computer if need be, and bring it to the affected computer on floppy disk.
It will kill the top 40 virus files if any are found there.
Then,
Run these two online virus/malware scanners ( Trendmicro Housecall, Panda Activescan) following these instructions below:
http://forums.thatcomputerguy.us/ind...showtopic=5122
Let them fix what they can. Reboot between scans.
Take note of any FILES that couldn't be deleted. Post any undeletable items and any available LOGS back here (IMPORTANT FEEDBACK) AND go after such FILES yourself if you want (preferably in SAFE MODE - reboot tapping the F8 key).
These scans will take more than an hour to complete, so make sure you have time to let them run all the way through.
(let us know if any files couldn't be deleted/cleaned.)
Reboot
Post a new HJT log with any detailed feedback from the scans. How are things now behaving: any new or remaining apparent issues?
Thanks for the help, but all is futile and I have run out of patience. With the time I have spent running all these programs I may as well have fdisked and re-installed the OS. Ewido found over 300 entries, yet the problem still exists with a reboot. Stinger found nothing. Panda Activision crashed before I could save a report but was able to delete everything except one entry that was Adware: Windows Registry, and I didn't understand this. Housecall won't load at all and now I am pulling the hairs out of my head!! Running Housecall will be more wasted time. As soon as I click on explorer, the about:blank home page appears and all the nasty files respawn. A very NASTY hijacker. My hat's off to the freaks who develop this garbage, they are VERY SMART!!
The log from ewido is so long that your system will not accept it for having too many characters.
Thanks for trying to help, God bless, and have a great holiday. My next quest is getting help on fdisking (I have done this before, but need to brush up on directions).
Sincerely,
Wolfpod1
Sorry to hear of your continuing troubles.
How to partition and format a hard disk in Windows XP:
http://support.microsoft.com/?kbid=313348
WOW!!
My tenacity just wouldn't allow me to give up on ridding the about:blank hijacker.
Now I am not 100 percent certain as to how I finally rid myself of this menace, but FYI I thought some feedback might help others facing this difficult threat removal.
I went back into safe mode and ran all the cleaners and programs. I also noticed that cleanmgr was NOT deleting hidden files that are located in a Local Settings folder for each user. These are temporary Internet Explorer files that I deleted manually. Why my cleanmgr isn't detecting these, or whether I should have deleted these, is a question.
Also, my freshman college son returned today and recommended I also clean my registry with a program called regseeker. I also found a website, securiteam.com/securityreviews/5RP0L0UD5U.html, that specifically speaks of 2 hidden files.
The first file I could not find with a program called reglite.exe. This file is related to AppInit_DLLs, located in the registry. Check it out.
I then ran HijackThis again and CWShredder. Lo and behold, the Cool Homesearch was detected by CWShredder and deleted.
Now here is what I think is the real kicker in what I was doing wrong, and I recommend this as part of your instructions to your other inquirers. After cleaning, etc., and then rebooting, I was opening Internet Explorer and the home page would always be the hijacked one and the nasty files would regenerate.
Then I thought perhaps I should go to Control Panel, open Internet Properties and change the home page from about:blank to google.com (my preferred page) BEFORE opening Explorer, and LO AND BEHOLD, about:blank is now history. I have rerun HijackThis and all the nasty files are kaput.
I am not exactly sure what created my fix, but you are much more experienced than I, so I thought this feedback may be of some use. Thankfully, I did NOT have to fdisk my hard drive!!!
Best Regards,
Wolfpod1
Good work! Thanks for the feedback and a chance to reflect.
"I am not exactly sure what created my fix but you are much more experienced than I, but I thought this feedback may be of some use. Thankfully, I did NOT have to fdisk my hard drive!!!"
It would appear that with your multiple profiles, the key was to clean each profile. One of the HJT infections:
O4 - HKCU\..\RunOnce: [SRV32 SPOOL SERVICE] C:\WINDOWS\System32\spoolsrv32.exe
has a 'current user' (HKCU) component. A cleaning in one profile would likely be reinstated when running another profile.
I often have people run the following batch file to clean out such multiple-profile TEMP files but did not do so in this case:
"cleanmgr was NOT deleting hidden files that are located in a local settings folder for each user."
Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat
Boot into SAFEMODE and run the batch file there.
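As an added example, not code from the thread or from HijackThis, here is a small Python triage of O4/O23 log lines that tags HKCU autostarts as per-profile (the point above: an HKCU entry lives in each user's hive, so it has to be cleaned in every profile) and flags the other traits this log shows: RunOnce keys, binaries sitting directly in C:\WINDOWS, and services with an unknown owner or a missing file. The sample lines are copied from the log posted above; the garbled service name is replaced with the placeholder "NSS".

```python
import ntpath
import re

# Constructed sample: O4 and O23 lines copied from the HijackThis log in this thread
# (the garbled service name is replaced with the placeholder "NSS").
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ipnj.exe] C:\WINDOWS\ipnj.exe
O4 - HKLM\..\RunOnce: [mscs32.exe] C:\WINDOWS\system32\mscs32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [SRV32 SPOOL SERVICE] C:\WINDOWS\System32\spoolsrv32.exe
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\javaow.exe (file missing)
"""
# O4 = registry autostart (hive\..\Run or RunOnce), O23 = installed service.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
                    r"(?P<missing> \(file missing\))?$")

def exe_path(cmd: str) -> str:
    # Executable part of an O4 command line: the quoted string, else the first token.
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def flags_for(hive: str, key: str, path: str, owner: str = "", missing: bool = False) -> list:
    """Traits a cleaner should act on; the first one is the thread's key lesson."""
    flags = []
    if hive == "HKCU":
        flags.append("per-profile")    # stored in each user's hive: clean every profile
    if key.lower() == "runonce":
        flags.append("runonce")        # self-deleting; reappearing means something re-creates it
    if ntpath.dirname(path).upper() == r"C:\WINDOWS":
        flags.append("windows-root")   # legitimate autostarts rarely sit directly in C:\WINDOWS
    if owner == "Unknown owner":
        flags.append("unknown-owner")
    if missing:
        flags.append("file-missing")   # orphaned service entry pointing at a deleted binary
    return flags

def triage(log_text: str) -> list:
    """Parse O4/O23 lines into dicts with hive, key, path and flags (other lines are skipped)."""
    entries = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            path = exe_path(m["cmd"])
            entries.append({"line": line, "hive": m["hive"], "key": m["key"], "path": path,
                            "flags": flags_for(m["hive"], m["key"], path)})
        elif m := O23_RE.match(line):
            entries.append({"line": line, "hive": "HKLM", "key": "Services", "path": m["path"],
                            "flags": flags_for("HKLM", "Services", m["path"], m["owner"],
                                               m["missing"] is not None)})
    return entries
```

Running `triage(SAMPLE_LOG)` marks both HKCU lines as per-profile and the orphaned service as unknown-owner and file-missing, which is the short list a helper would ask the poster to chase in every user profile.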