aboutblank

**pugs** · September 1st, 2004, 04:29 AM

I am seriously amazed that CWShredder is not fixing this. I have not been able to get a hold of merijn yet as hes in university now. As soon as I can talk to him or someone else who knows ill get back to you. What I can suggest is posting this log on Http://forums.spywareinfo.com There are a lot of experts there that may know something we dont know.

**NooNoo** · September 2nd, 2004, 05:43 AM

no need for that pugs, just because you don't have the answer.

**NooNoo** · September 2nd, 2004, 05:56 AM

Originally Posted by jstut

ran all suggested programs in safe mode, updated all , deleted temp files/
cookies. .Logfile of HijackThis v1.98.2
C:\WINDOWS\TEMP\NEGD.DAT
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#

O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe

O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROSLAPDOWN.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROBUGSWAT.DLL (file missing)

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab

.. keeps coming back. Attached hjt log

OK, the two files shown in bold - find them and delete them in safe mode. If they won't delete you will have to get a 98 boot disk and do it in dos.

Geeksuperhero .... not heard of this but it's supposed to stop hijacks cold - have you used it? the last 3 tools here are useful Judging by the file missing entry for geeksuperhero, it may have been corrupted.

Exactly how did you delete your temporary internet files?
Did you check in
c:\temp
c:\tmp
c:\windows\temp
c:\windows\tmp
as well for temp files?

There is also a folder called c:\windows\downloads which may have stuff in it.

**jstut** · September 3rd, 2004, 07:59 PM

Thanks Pugs!!! I appreciate the assistance.
Thanks NooNoo I'll delve in.

PC is out for a couple of days....

Nuch Grats for your assistance.

**jstut** · September 9th, 2004, 10:04 AM

Cleaned up for a while, but this thing keeps coming back.
Any suggestions?
Where else could this guy be coming from?
Running Zone Alarm, Spyguard, etc, but can't seem to stop the source form changing page.

**Garak** · September 9th, 2004, 10:18 AM

Originally Posted by jstut

Cleaned up for a while, but this thing keeps coming back.
Any suggestions?
Where else could this guy be coming from?
Running Zone Alarm, Spyguard, etc, but can't seem to stop the source form changing page.

How about the teatimer add-on from Spybot? would that not prevent the registry update?

**pugs** · September 9th, 2004, 04:11 PM

Check what services are running. Either post them here or google for the ones you dont know of. WIth coolweb a lot of times there is a service that installs it again.

**jstut** · September 9th, 2004, 08:10 PM

Originally Posted by Garak

How about the teatimer add-on from Spybot? would that not prevent the registry update?

Lost me there....teatimer?

**jstut** · September 9th, 2004, 08:12 PM

Originally Posted by pugs

Check what services are running. Either post them here or google for the ones you dont know of. WIth coolweb a lot of times there is a service that installs it again.

Little assist. When you say "services".

**NooNoo** · September 10th, 2004, 05:26 AM

jstut

Tea timer is part of spybot. Have you read this advice here?

Services are what starts up with windows - in windows ME you press ctrl, alt, del to view whats running in background. Having said that, some of these spyware apps hide themselves from there.

Go through your program files directory in safe mode with hidden and system files on. List the folders shown there.

**Zonie** · September 10th, 2004, 09:25 AM

Originally Posted by jstut

Cleaned up for a while, but this thing keeps coming back.
Any suggestions?
Where else could this guy be coming from?
Running Zone Alarm, Spyguard, etc, but can't seem to stop the source form changing page.

Besides all the great suggestions you have recieved, have you tried This yet? The 30 day trial is a full version. I have run into this about:blank on quite a few clients lately. By using this and the other suggestions I have cleaned them up in about 10 - 20 minutes. Cheers.