

jstut
August 26th, 2004, 07:27 PM
As a neophyte, can someone give me a heads up on HijackThis and protocol?
Working against AboutBlank.

Need a solution.



Let me guess...no quick fix.

pugs
August 26th, 2004, 08:52 PM
Hello,

Actually there's a few versions of About Blank. Download Hijack This from www.tomcoyote.com/hjt or if that doesn't work from here http://tools.zerosrealm.com/hjt.zip Save it to its own folder, not on the desktop or temp folder, close all other programs and select scan. When finished the scan button changes to save log. It opens notepad with the log. Copy and paste the entire log here in this thread.

jstut
August 28th, 2004, 11:29 AM
Logfile of HijackThis v1.98.2
Scan saved at 11:34:05 AM, on 8/28/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file) (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.63.236.109.79.downloads.estara.com./as/OneCCDM.php?sessionid=1550148466_12.78.63.157_1198&=&req=1075938021330OneCC.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/winsearchie32.chm::/winsearchie32.exe

pugs
August 28th, 2004, 03:28 PM
Hello,

Well you don't have About Blank, but you do have a different Coolweb infection. Download CWShredder from here, http://tools.zerosrealm.com/CWShredder.zip
Make sure when you run shredder you update it first and then select fix, not only scan. Then post a new Hijack This log.

jstut
August 28th, 2004, 05:51 PM
Yes..This is the log after I started slogging through.
PC is less buggy, but I want to make sure I'm hitting more than the "Symptom".

I went ahead and wiped the "jump in your face" guys, and am at the point of tuning up.

I'll post the log....Thanks pugs.


InTheWayBoy
August 29th, 2004, 11:01 AM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/win...nsearchie32.exe

Those all look suspicious enough to be removed...I would also download CWShredder and Spybot and run those if you haven't already. Plus, clean out your temp folders too!

jstut
August 29th, 2004, 04:45 PM
Yes, pulled the temps as well.

You got a couple i had missed!!! Thanks....I'll be back.

Think this grabbed the solutions.

pugs
August 29th, 2004, 07:41 PM
Well actually CWShredder should have removed just about all the nasties in that log as this is a very old CWS infection that is well known. The reason you got infected is because of an unpatched system. Be sure to keep up with windows updates, they really make a difference.

jstut
August 30th, 2004, 08:18 PM
Thanks Pugs!

I was walking Richard through the update, and realized my machine is no longer "Autoupdating". Where do I go to reset this to happen auto?
Also (probably a new thread). I got locked in a loop.....I'll be back.

jstut
August 30th, 2004, 08:24 PM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/win...nsearchie32.exe

Those all look suspicious enough to be removed...I would also download CWShredder and Spybot and run those if you haven't already. Plus, clean out your temp folders too!

No go. Still getting a home page reset.

jstut
August 30th, 2004, 08:45 PM
Thanks. I shot another one below...
Thought we had this!
Home page is still getting reset. Have Rich downloading updates.

We did a HJT fix, but immediately got the deleted files back.

I must be doing something asinine to be missing this.

pugs
August 31st, 2004, 03:40 AM
Fix the entries while in safe mode. Also delete any files or folders related to it while still in safe mode. Then run Hijack This in safe mode still. Reboot normally and run Hijack This again. What you want to do is look at both logs and see if the infection came back after you rebooted. If so there may be a hidden dll there. If so I have some ideas for you. I will also talk to Merijn, a good friend of mine. He made Hijack This and CWShredder and will know if something isn't working right.
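The safe-mode/normal-boot comparison pugs describes, written up as an added Python example (not code from this thread or from the HijackThis project): it diffs two HijackThis logs to list what came back after the reboot, and flags the hijack patterns visible in this thread. The two logs are constructed excerpts modelled on the ones posted above, not real captures, and the pattern list covers only what this thread shows.

```python
"""Triage two HijackThis logs: one saved in safe mode right after the fix,
one after a normal reboot.  Anything in the second log that is missing
from the first was re-installed on boot, which is the sign of a hidden
loader.  Entries are also checked against this thread's hijack patterns."""
import re

# Constructed excerpts modelled on the logs posted in the thread (not real logs).
SAFE_MODE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
"""
AFTER_REBOOT_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TEMP\NEGD.DAT

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - ")

# (section regex, line regex, why it matters); 'PROC' is the pseudo-section
# this script assigns to paths listed under 'Running processes:'.
SUSPICIOUS = [
    (r"R[0-3]", r"heretofind\.com", "IE search/start page redirected to heretofind.com"),
    (r"R[0-3]", r"mk:@MSITStore:", "IE start page served from a local .chm help file"),
    (r"O13", r"heretofind\.com", "URL prefix hijack: bare hostnames are sent to heretofind.com"),
    (r"O15", r"Trusted Zone:", "site added to the IE Trusted Zone (weaker security settings)"),
    (r"O16", r"(?i)(file://|ms-its:)", "Downloaded Program File pointing at a local file or .chm"),
    (r"PROC", r"(?i)\\TEMP\\.*\.(dat|tmp)$", "process running from a temp folder with a non-EXE name"),
]

def parse_log(text):
    """Map every R*/O* entry, and every path under 'Running processes:', to its section."""
    entries, in_procs = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line closes the process list
        elif ENTRY_RE.match(line):
            entries[line] = ENTRY_RE.match(line).group(1)
        elif in_procs:
            entries[line] = "PROC"
    return entries

def flag_entries(entries):
    """Return [(line, reason)] for each entry that matches a known hijack pattern."""
    flagged = []
    for line, section in entries.items():
        for sec_re, line_re, reason in SUSPICIOUS:
            if re.fullmatch(sec_re, section) and re.search(line_re, line):
                flagged.append((line, reason))
                break
    return flagged

def reappeared(safe_mode, after_reboot):
    """Entries present after the normal reboot but absent from the safe-mode log."""
    return sorted(line for line in after_reboot if line not in safe_mode)

if __name__ == "__main__":
    before, after = parse_log(SAFE_MODE_LOG), parse_log(AFTER_REBOOT_LOG)
    for line in reappeared(before, after):
        print("CAME BACK :", line)
    for line, reason in flag_entries(after):
        print("SUSPICIOUS:", reason, "->", line)
```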

jstut
August 31st, 2004, 06:56 PM
Still no Bingo.
Richard has run everything he can get his hands on with no success. I ran into a guy today who mentioned a "Host.JSP" ??? file?
Does that make sense?

jstut
August 31st, 2004, 08:43 PM
Ran all suggested programs in safe mode, updated all, deleted temp files/cookies.

Logfile of HijackThis v1.98.2
Scan saved at 8:31:05 PM, on 8/31/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHERO.EXE
C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHERO.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\NEGD.DAT
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = rr.com
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: GeekSuperheroBHO Class - {1FEA39D6-46B3-4F66-BC38-4839CFE198EA} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROSLAPDOWN.DLL
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\RunServices: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROSLAPDOWN.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROBUGSWAT.DLL (file missing)
O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file) (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab

.. keeps coming back. Attached hjt log

pugs
September 1st, 2004, 05:29 AM
I am seriously amazed that CWShredder is not fixing this. I have not been able to get a hold of Merijn yet as he's in university now. As soon as I can talk to him or someone else who knows I'll get back to you. What I can suggest is posting this log on Http://forums.spywareinfo.com There are a lot of experts there that may know something we don't know.

NooNoo
September 2nd, 2004, 06:43 AM
No need for that, pugs, just because you don't have the answer.

NooNoo
September 2nd, 2004, 06:56 AM
Ran all suggested programs in safe mode, updated all, deleted temp files/cookies.

Logfile of HijackThis v1.98.2
C:\WINDOWS\TEMP\NEGD.DAT
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#



O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe


O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROSLAPDOWN.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROBUGSWAT.DLL (file missing)

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab

.. keeps coming back. Attached hjt log


OK, the two files shown in bold - find them and delete them in safe mode. If they won't delete you will have to get a 98 boot disk and do it in dos.

Geeksuperhero .... not heard of this but it's supposed to stop hijacks cold - have you used it? the last 3 tools here are useful (http://www.geeksuperhero.com/howto_tools.shtml#info) Judging by the file missing entry for geeksuperhero, it may have been corrupted.

Exactly how did you delete your temporary internet files?
Did you check in
c:\temp
c:\tmp
c:\windows\temp
c:\windows\tmp
as well for temp files?

There is also a folder called c:\windows\downloads which may have stuff in it.

jstut
September 3rd, 2004, 08:59 PM
Thanks Pugs!!! I appreciate the assistance.
Thanks NooNoo I'll delve in.

PC is out for a couple of days....

Much Grats for your assistance.

jstut
September 9th, 2004, 11:04 AM
Cleaned up for a while, but this thing keeps coming back.
Any suggestions?
Where else could this guy be coming from?
Running Zone Alarm, Spyguard, etc, but can't seem to stop the source from changing page.

Garak
September 9th, 2004, 11:18 AM
Cleaned up for a while, but this thing keeps coming back.
Any suggestions?
Where else could this guy be coming from?
Running Zone Alarm, Spyguard, etc, but can't seem to stop the source from changing page.

How about the teatimer add-on from Spybot? would that not prevent the registry update?

pugs
September 9th, 2004, 05:11 PM
Check what services are running. Either post them here or google for the ones you don't know of. With coolweb a lot of times there is a service that installs it again.

jstut
September 9th, 2004, 09:10 PM
How about the teatimer add-on from Spybot? would that not prevent the registry update?
Lost me there....teatimer?

jstut
September 9th, 2004, 09:12 PM
Check what services are running. Either post them here or google for the ones you don't know of. With coolweb a lot of times there is a service that installs it again.
Little assist. When you say "services".

NooNoo
September 10th, 2004, 06:26 AM
jstut

Tea timer is part of spybot. Have you read this advice here? (http://forums.windrivers.com/showthread.php?t=57348)

Services are what starts up with Windows - in Windows ME you press ctrl, alt, del to view what's running in background. Having said that, some of these spyware apps hide themselves from there.

Go through your program files directory in safe mode with hidden and system files on. List the folders shown there.

Zonie
September 10th, 2004, 10:25 AM
Cleaned up for a while, but this thing keeps coming back.
Any suggestions?
Where else could this guy be coming from?
Running Zone Alarm, Spyguard, etc, but can't seem to stop the source from changing page.
Besides all the great suggestions you have received, have you tried This (http://www.moosoft.com/products/cleaner/download/) yet? The 30 day trial is a full version. I have run into this about:blank on quite a few clients lately. By using this and the other suggestions I have cleaned them up in about 10 - 20 minutes. Cheers.

NooNoo
September 18th, 2004, 04:12 PM
another about blank cleaner here (http://www.adwareaway.com/homeoldsp.htm)