
HJT log

Nov 8, 2004
Logfile of HijackThis v1.97.7
Scan saved at 12:22:49 AM, on 11/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\systs32.exe
C:\WINDOWS\EXPLORER.EXE:ipdxs
C:\Program Files\AIM95\aim.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Documents and Settings\Matt\My Documents\My Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\flxzq.dll/sp.html#29836
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\flxzq.dll/sp.html#29836
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\flxzq.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\flxzq.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\flxzq.dll/sp.html#29836
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\flxzq.dll/sp.html#29836
O2 - BHO: (no name) - {C086A50D-7FBB-97FD-CFF2-05B844A747E5} - C:\WINDOWS\javaxk.dll
O4 - HKLM\..\Run: [systs32.exe] C:\WINDOWS\systs32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
 
These warrant further investigation:

C:\WINDOWS\systs32.exe
C:\WINDOWS\EXPLORER.EXE:ipdxs

And these are dodgy and should be deleted:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\flxzq.dll/sp.html#29836
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\flxzq.dll/sp.html#29836
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\flxzq.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\flxzq.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\flxzq.dll/sp.html#29836
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\flxzq.dll/sp.html#29836

Not sure about these ones:

O2 - BHO: (no name) - {C086A50D-7FBB-97FD-CFF2-05B844A747E5} - C:\WINDOWS\javaxk.dll
O4 - HKLM\..\Run: [systs32.exe] C:\WINDOWS\systs32.exe


Andy
--
"Logic is invincible because in order to combat logic it is necessary to use logic." -- Pierre Boutroux
 
You're infected with About:Blank, I'm sorry to say [cry]
Step 1. Follow this link: And carry out the procedure.

Step 2. Download FireFox: Install and use that instead of IE6.

Step 3. Consign IE6 to the bin, except for sites that absolutely insist on its use, and which you totally trust, such as your bank.
Even then, e-mail, snail-mail and phone the webmaster of the site and insist that he opens up the site to other browsers.


Chris

Varium et mutabile semper Excel
 
There is a newer version of HijackThis available. Do the above recommended fixes, download the latest version, run it and repost the results.
 
Thanks for the help everyone, but when I delete those things Andy said to, they just come back. I have tried it multiple times. I am now using Mozilla Firefox and not having any problems with it.
 
About:Blank is a particularly nasty piece of work, in that it hides one of its .dll files, which can then regenerate a randomly-named new set of files the next time you boot up! [flame]

The procedure at securiteam.com seems to work like a dose of industrial-grade bleach down a blocked drain, and brings up your PC smelling sweet. BUT...

You MUST disable System Restore before attempting to remove it, otherwise the little Bleepard just grows again, AND

Try setting Notepad to Read Only - About:Blank uses it to rewrite itself, so you'll cut off part of its air supply [wink]

BTW, My neighbour's PC had About:Blank a couple of days ago, as detected by HJT with a line like:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

But when we ran CWShredder on it, it got to the About:Blank part, and it failed to detect it! I believe that there aren't any updates planned for CWS, but I think we should all plead with the creators to re-think this, because there might be a new strain of A:B out there

Chris

Varium et mutabile semper Excel
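As an added example (not code from this thread or from HijackThis), the script below encodes the indicators Andy's triage and Chris's About:Blank notes rely on and runs them over a subset of the posted log: an executable or DLL dropped straight into C:\WINDOWS\ rather than a system folder, a running process reported as file:stream (an NTFS alternate data stream, as in EXPLORER.EXE:ipdxs), an IE search or start setting redirected into a local DLL through a res:// URL, the weaker about:blank start-page indicator, and a Browser Helper Object with no name. The rule names, severities and the %WINDIR% allowlist are my own assumptions, not part of HJT.

```python
"""Heuristic triage of a HijackThis (HJT) log.

Added example for this thread; it is not code from the thread or from
HijackThis. Rule names, severities and the %WINDIR% allowlist are assumed
here to encode the indicators the replies above discuss.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the HJT log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\systs32.exe
C:\WINDOWS\EXPLORER.EXE:ipdxs
C:\Program Files\AIM95\aim.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\flxzq.dll/sp.html#29836
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {C086A50D-7FBB-97FD-CFF2-05B844A747E5} - C:\WINDOWS\javaxk.dll
O4 - HKLM\..\Run: [systs32.exe] C:\WINDOWS\systs32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AIM (HKLM)
"""


@dataclass(frozen=True)
class Finding:
    line: str       # the HJT log line that triggered the rule
    rule: str       # short rule name (assumed naming)
    severity: str   # "high", "medium" or "low"


# Binaries that legitimately sit directly in %WINDIR% rather than in
# System32 (assumed allowlist; extend it for the machine under review).
WINDIR_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe"}

# A .exe/.dll directly under C:\WINDOWS\ (no subdirectory in between).
WINDIR_ROOT_BINARY = re.compile(r"c:\\windows\\([^\\\s]+?\.(?:exe|dll))\b", re.I)
# An NTFS alternate data stream attached to an executable, e.g. EXPLORER.EXE:ipdxs
ADS_STREAM = re.compile(r"\.(?:exe|dll):[^\\\s]+", re.I)
# An IE search/start setting redirected into a local DLL via a res:// URL.
RES_URL = re.compile(r"=\s*res://.*?\.dll", re.I)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (line, rule) pair that matches."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Executables or DLLs dropped straight into C:\WINDOWS\ (systs32.exe,
        # flxzq.dll and javaxk.dll in the thread) instead of a system folder.
        for name in WINDIR_ROOT_BINARY.findall(line):
            if name.lower() not in WINDIR_ROOT_ALLOWLIST:
                findings.append(Finding(line, "windir-root-binary", "medium"))
                break
        # A running process reported as file:stream is code hidden in an ADS.
        if ADS_STREAM.search(line):
            findings.append(Finding(line, "alternate-data-stream", "high"))
        # R0/R1 entries describe IE start and search pages.
        if line[:2] in ("R0", "R1"):
            if RES_URL.search(line):
                findings.append(Finding(line, "res-hijack", "high"))
            elif line.lower().endswith("= about:blank"):
                findings.append(Finding(line, "about-blank", "low"))
        # A Browser Helper Object with no name is loaded into every IE process.
        if line.startswith("O2 - BHO: (no name)"):
            findings.append(Finding(line, "unnamed-bho", "medium"))
    return findings


def rule_map(log_text: str) -> dict[str, set[str]]:
    """Map each flagged log line to the set of rule names it triggered."""
    out: dict[str, set[str]] = {}
    for f in triage(log_text):
        out.setdefault(f.line, set()).add(f.rule)
    return out


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.rule:22} {f.line}")
```

The allowlist is what keeps `C:\WINDOWS\Explorer.EXE` quiet while `C:\WINDOWS\EXPLORER.EXE:ipdxs` is still raised, because the stream check runs independently of the path check; the same log line can therefore carry several findings (the R1 search-bar entry is both a res:// redirect and a DLL in the Windows root), which is the point at which a reviewer should start comparing the DLL names against what the removal tools actually detect.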
 