C:\WINDOWS\SYSTEM\blank.htm!!! Hijacker?

By ibanez7 · 4 replies
May 19, 2006
  1. Hello!
    Been having problems with freezing and errors every now and then on a friend's computer, so I ran a few scans and here is what I got. I'm wondering if I got everything out. Could someone please have a look? I scanned with Lavasoft, Spybot, ewido, and McAfee antivirus. I've included the log files. I also did a scan with Trend Micro. It found ADW-SE 2 kinds and Dial-SE 2 kinds. I then re-took a HijackThis and believe his browser is hijacked from C:\WINDOWS\SYSTEM\blank.htm. Can someone please have a look at the scans and point me in the right direction? Thanks
    I attached the ewido scan and HijackThis, but the Ad-Aware scan log was too big.

  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end process for (if there).


    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

    O4 - HKLM\..\Run: [iaptwv] C:\WINDOWS\system32\rqsvfuc.exe r

    O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm (file missing) (HKCU)

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145122242539
    O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/1,0,3,8/fr/AccesMembre.cab
    O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\WINDOWS\system32\rqsvfuc.exe r

    Reboot into normal mode and turn system restore back on.

    Regards Howard :)
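
The following Python script parses HijackThis entry lines like those in the fix list above and attaches review notes based on markers the log itself prints, such as `(no file)` and `(file missing)`. It is an added example, not part of the thread or of HijackThis; the function name `triage` and the note wording are assumptions.

```python
import re
from urllib.parse import urlsplit

# HijackThis section codes that appear in the fix list above.
SECTIONS = {
    "R0": "IE start/search page setting",
    "O2": "Browser Helper Object",
    "O4": "autostart (Run key) entry",
    "O9": "IE extra button",
    "O16": "ActiveX control (DPF)",
    "O18": "extra protocol handler",
}
LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL = re.compile(r"https?://\S+")

def triage(log_text):
    """Return one dict per HijackThis entry, with review notes attached."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header, blank line or running-process list
        code, rest = m["code"], m["rest"]
        notes = []
        if "(no file)" in rest or "(file missing)" in rest:
            notes.append("orphaned: target file is gone")
        if "(no name)" in rest:
            notes.append("unnamed component")
        url = URL.search(rest)
        if code == "O16" and url:
            notes.append("downloaded from " + urlsplit(url.group()).hostname)
        if code == "R0" and "=" in rest and not URL.search(rest.split("=", 1)[1]):
            notes.append("page setting points at a local file")
        clsid = CLSID.search(rest)
        entries.append({"code": code, "kind": SECTIONS.get(code, "other"),
                        "clsid": clsid.group() if clsid else None, "notes": notes})
    return entries

# Sample input: lines copied from the fix list in the post above.
SAMPLE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [iaptwv] C:\WINDOWS\system32\rqsvfuc.exe r
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/1,0,3,8/fr/AccesMembre.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""
for entry in triage(SAMPLE):
    print(entry["code"], entry["kind"], entry["clsid"], entry["notes"])
```

An empty notes list is not a verdict: the O4 Run entry for rqsvfuc.exe carries no marker in the log and still appears in the fix list above.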
  3. ibanez7

    ibanez7 TS Rookie Topic Starter Posts: 24

    ok here is what i got now:

    Thanks very much for your help!!!
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    However, you should've posted it as an attachment, like you did the first time.

    No matter, I'll delete it.

    Regards Howard :)
  5. ibanez7

    ibanez7 TS Rookie Topic Starter Posts: 24

    Thanks very much, and sorry about screwing up on proper posting of log. I'll be very careful not to do that again. Again, thanks very much.
Topic Status:
Not open for further replies.
