About:Blank hijacker

Hi. Have a small network of three machines linked to a broadband connection. All three have caught About:Blank hijacker in spite of a BT firewall. Have removed hijacker from two machines using Adware Away. One machine will not load this programe so have run Spybot S & D and Ad-aware which removed several bugs. Am unable to remove About:Blank on the third machine so have run Hijack This and attach log file. Any help would be appreciated. Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 10:41:14, on 08/06/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {7733E283-D807-11D9-B695-E40CD35A3763} - C:\WINDOWS\SYSTEM\NABK.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [webscan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = local
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.254
O18 - Filter: text/html - {7733E282-D807-11D9-B695-E40CBC1692F8} - C:\WINDOWS\SYSTEM\NABK.DLL
O18 - Filter: text/plain - {7733E282-D807-11D9-B695-E40CBC1692F8} - C:\WINDOWS\SYSTEM\NABK.DLL

Hello,M&J Skinner & Welcome

Please perform the following steps:

1. Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

2. Download SpSeHjfix.zip and unzip it to it's own folder. Do not run it yet.

3. Download CleanUp! and install it. Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

4. Start in Safe Mode Using the F8 method:
* Restart the computer.
* As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press the Enter key.

5. Disconnect from the net and Close ALL OPEN PROGRAMS.

6. Run SpSeHjfix and click on Start Disinfection.
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder that SpSeHjfix is located in.

7. Now run CWShredder and click on the Fix -> button.

8. Reboot and repeat the above process.


Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.

& i would like to add that once we have you all clean
you should update IE


HGD

Thanks for your prompt reply. I have followed your instructions including running CWShredder twice, it removed CWS HiddenDLL the first time and reported nothing the second time. I attach the two logs as requested.

John.


(6/13/05 10:15:49) SPSeHjFix started v1.09
(6/13/05 10:15:49) OS: Win98 (4.10.67766222)
(6/13/05 10:15:49) Language: english
(6/13/05 10:16:03) Disinfect started
(6/13/05 10:16:03) Bad-Dll(IEP): (not found)
(6/13/05 10:16:03) Bad-Dll(IEP) in BHO: (not found)
(6/13/05 10:16:03) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\NABK.DLL
(6/13/05 10:16:03) Searchassistant Uninstaller - Keys Deleted
(6/13/05 10:16:03) UBF: 6
(6/13/05 10:16:03) UBB: 1
(6/13/05 10:16:03) FilterKey: HKCR\text/html (deleted)
(6/13/05 10:16:03) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(6/13/05 10:16:03) FilterKey: HKCR\CLSID\{7733E282-D807-11D9-B695-E40CBC1692F8} (deleted)
(6/13/05 10:16:03) FilterKey: HKCR\text/plain (deleted)
(6/13/05 10:16:03) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(6/13/05 10:16:03) FilterKey: HKCR\CLSID\{7733E282-D807-11D9-B695-E40CBC1692F8} (error while deleting)
(6/13/05 10:16:03) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{7733E283-D807-11D9-B695-E40CD35A3763} (deleted)
(6/13/05 10:16:03) BHO-Key: HKCR\CLSID\{7733E283-D807-11D9-B695-E40CD35A3763} (deleted)
(6/13/05 10:16:03) UBR: 11
(6/13/05 10:16:03) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run \sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(6/13/05 10:16:03) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(6/13/05 10:16:03) Stealth-String found: C:\WINDOWS\FDQ.TXT
(6/13/05 10:16:03) File added to delete: c:\windows\system\nabk.dll
(6/13/05 10:16:03) File added to delete: c:\windows\system\nabk.dll
(6/13/05 10:16:03) File added to delete: c:\windows\temp\se.dll
(6/13/05 10:16:03) File added to delete: c:\windows\fdq.txt
(6/13/05 10:16:03) Reboot
(6/13/05 10:17:13) SPSeHjFix 2nd Step
(6/13/05 10:17:14) RunServicesOnce-Key: (edited)
(6/13/05 10:17:19) Cleaned


Logfile of HijackThis v1.98.2
Scan saved at 10:26:00, on 13/06/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [webscan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = local
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.254

Hi,M&J Skinner

Well it's back at us the problem with this type of bad guy
is once we get going you need to get back at me right
away so do this for me please.

goto windows update & update IE you are using a way
old IE then clean as i posted before talking about what
i had you do in your first post above

once you do that get right back here

HGD

Have downloaded some 24 updates + IE6. Machine is now right up to date.
Then have run SpSeHjfix, CWShredder and Hijack This. New log file as follows:

Logfile of HijackThis v1.98.2
Scan saved at 15:35:54, on 14/06/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [webscan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = local
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.254

Have now managed to change start page in IE to MSN and it appears to have stuck with no change back to About:Blank.

John.

Hi,M&J Skinner

Well you are just about there nice work do this here again
& all we may need to do after is some cleanup work.

Download CW-Shredder at the link below:
http://www.isecurity.org.uk/downloads/cwshredder.exe

Download SpSeHjfix here:
http://www.derbilk.de/SpSeHjfix109.zip
Save it to the desktop and then right click a blank part of desktop & select new folder, call it spfix. Unzip the file into that folder

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

HGD

Have downloaded latest copies of CW Shredder and SpSeHjfix and run them on the machine.

Log files are:



(6/16/05 10:45:28) SPSeHjFix started v1.09
(6/16/05 10:45:29) OS: Win98 (4.10.67766222)
(6/16/05 10:45:29) Language: english
(6/16/05 10:45:31) Disinfect started
(6/16/05 10:45:31) Bad-Dll(IEP): (not found)
(6/16/05 10:45:31) Bad-Dll(IEP) in BHO: (not found)
(6/16/05 10:45:31) UBF: 4
(6/16/05 10:45:31) UBB: 0
(6/16/05 10:45:31) UBR: 12
(6/16/05 10:45:31) Bad IE-pages:
(6/16/05 10:45:31) Stealth-String not found:
(6/16/05 10:45:31) Not infected->END


Logfile of HijackThis v1.99.1
Scan saved at 10:48:18, on 16/06/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [webscan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = local
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.254

Thanks.

Hi,M&J Skinner

Sorry for the hold up on this here

Boot to safe mode: Instructions here

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html

then close out of HijackThis & take care of this here

click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS

That will change everything back to defaults (M$)......

Change your homepage and search engines to whatever you wish and reset your pc.

When it boots back up, open IE and see if the page stays the way that you set it.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
1. Change the Download signed ActiveX controls to Prompt
2. Change the Download unsigned ActiveX controls to Disable
3. Change the Initialize and script ActiveX controls not marked as safe to Disable
4. Change the Installation of desktop items to Prompt
5. Change the Launching programs and files in an IFRAME to Prompt
6. Change the Navigate sub-frames across different domains to Prompt
7. When all these settings have been made, click on the OK button.
8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.

HGD

Have re-run Hijack This and removed the settings you recommended. I have also tightened up the Internet Explorer settings as suggested, the machine is now clear and running normally. Thank you for all your help, I am twisting the arm of the person who originally downloaded the hijacker to make a contribution to your site! Once again many thanks for your help.

John.

Hey,John

Great to hear all is good & no problem
have a safe July 4

HGD