Home Page Hijacked

  oakwood 19:58 29 Aug 2004

Tried to post a response on my last post (click here) but got the following message:

"An Error Has Occurred

You have accessed this Page incorrectly. This could be because you have mistyped a URL, or have tried to access a page that does not exists or has been removed. An email has been sent to the webmaster notifying them of this problem."

HJT log is below.
Hope somebody can help.

  VoG II 20:07 29 Aug 2004

You may be getting this error because you are trying to post too much: there is an 800 word limit per post.

Post it in about 4 chunks, double spacing it or it will be practically illegible.

  oakwood 20:14 29 Aug 2004

Ok here we go.
Part 1

Logfile of HijackThis v1.98.2
Scan saved at 19:10:01, on 29/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Mark\My Documents\Programs\HijackThis.exe

  oakwood 20:16 29 Aug 2004

Part 2

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = click here

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {33DA09FC-0D84-29B4-815F-CC48795929D4} - C:\WINDOWS\system32\d3kv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [jpzcold] C:\WINDOWS\System32\vvpbfnlh.exe

O4 - HKLM\..\Run: [ipol32.exe] C:\WINDOWS\ipol32.exe

O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe

  oakwood 20:18 29 Aug 2004

And the final part of the Trilogy!

O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE


O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - click here

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - click here

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - click here

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - click here

O17 - HKLM\System\CCS\Services\Tcpip\..\{42A8F5A2-9170-48BE-A4B7-8090C6553107}: NameServer =

O17 - HKLM\System\CS1\Services\Tcpip\..\{42A8F5A2-9170-48BE-A4B7-8090C6553107}: NameServer =

  VoG II 20:25 29 Aug 2004

Thanks. I've e-mailed an expert to look at this.

If she doesn't respond in a while I'll have a go.

  oakwood 20:46 29 Aug 2004

I feel the Force is Strong!!!!!

  ruairi2 21:01 29 Aug 2004

You have all the same problems as I had. I reckon you have the About Blank virus; view my fix (help for people with About Blank (my fix), Sun 29-8).

  iambeavis 21:11 29 Aug 2004

These are my two 'for the pot' -

O4 - HKLM\..\Run: [ipol32.exe] C:\WINDOWS\ipol32.exe

O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe

  oakwood 23:38 29 Aug 2004

Thank you for your help.
My problems now seem to be sorted.
I used the Kaspersky trial for info (click here).

  Nellie2 23:38 29 Aug 2004

Hello... sorry I've taken my time. Bank holiday! :)

Could you find this dll and zip it then save the zip file somewhere handy. Click on the little envelope by my name and send me an email, I will reply with my email address.. you can then send the zip file to me.. I'd like to have a look at it. Thanks.

Run hijackthis again and make sure all browsers and windows are closed except for hijackthis. Put a tick against the following and click fix checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {33DA09FC-0D84-29B4-815F-CC48795929D4} - C:\WINDOWS\system32\d3kv.dll

O4 - HKLM\..\Run: [jpzcold] C:\WINDOWS\System32\vvpbfnlh.exe

O4 - HKLM\..\Run: [ipol32.exe] C:\WINDOWS\ipol32.exe

O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe

Fix this one too if you haven't set the policy to fix your home page

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then reboot into safe mode and enable hidden files and folders (click here and click here) and delete the following:

C:\WINDOWS\System32\vvpbfnlh.exe <--- file
C:\WINDOWS\ipol32.exe <--- file
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\ <--- folder

Then boot back to normal mode and go straight to windows update and download SP1 and any other critical updates you are missing. You are VERY vulnerable without them.

BTW... you don't have the CoolWeb about:blank problem.

Post a fresh log when done
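For readers working through a log like the one above, here is an added example (not code from the thread, from HijackThis or from any poster) that parses O2 and O4 entries and flags the same kinds of items Nellie2 singled out: a BHO with no name, a Run value whose name starts with a backslash, a random-looking file name, and anything not on an analyst's allowlist. The log excerpt, the allowlist and the random-name heuristic are constructed for illustration.

```python
import re

# Constructed excerpt of the HijackThis log posted above (O2 and O4 lines only).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {33DA09FC-0D84-29B4-815F-CC48795929D4} - C:\WINDOWS\system32\d3kv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [jpzcold] C:\WINDOWS\System32\vvpbfnlh.exe
O4 - HKLM\..\Run: [ipol32.exe] C:\WINDOWS\ipol32.exe
O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
"""

# Analyst allowlist of autostarts already recognised as legitimate (constructed for this example).
KNOWN_GOOD = {"ccapp.exe", "nerocheck.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")

def exe_name(command):
    """Lower-cased file name of the program a Run command launches, quoted or not."""
    m = re.match(r'"?(?P<path>[^"]*?\.(?:exe|dll|cpl))\b', command.strip(), re.I)
    path = m["path"] if m else command.strip().split()[0]
    return path.rsplit("\\", 1)[-1].lower()

def looks_random(filename):
    """Rough illustrative heuristic: a letters-only stem of 6+ characters with no vowel."""
    stem = filename.rsplit(".", 1)[0]
    return stem.isalpha() and len(stem) >= 6 and not re.search(r"[aeiou]", stem, re.I)

def review(log):
    """Map each flagged file name to the reasons an analyst should look at it."""
    findings = {}
    for line in log.strip().splitlines():
        reasons, bho, run = [], O2_RE.match(line), O4_RE.match(line)
        if bho:
            fname = bho["path"].rsplit("\\", 1)[-1].lower()
            if bho["name"] == "(no name)":
                reasons.append("BHO registered without a display name")
        elif run:
            fname = exe_name(run["cmd"])
            if run["value"].startswith("\\"):
                reasons.append("Run value name begins with a backslash")
            if looks_random(fname):
                reasons.append("random-looking file name")
            if fname not in KNOWN_GOOD:
                reasons.append("not on analyst allowlist")
        if reasons:
            findings[fname] = reasons
    return findings
```

Running `review(SAMPLE_LOG)` returns the four entries Nellie2 told the poster to fix and leaves the Symantec and Nero autostarts alone; an allowlist hit is what separates NeroCheck.exe in System32 from vvpbfnlh.exe in the same folder.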

