About:Blank is not a blank start up page... some generic search engine

[JustMe602]

Logfile of HijackThis v1.97.7
Scan saved at 8:01:54 PM, on 5/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Command Software\Command AntiVirus\dvpinit.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINNT\system32\SLClient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\Altiris\CARBON~1\shellker.exe
C:\DOCUME~1\sdewey\LOCALS~1\Temp\slagent.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\sdewey\My Documents\shredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\klpjoj.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 199.231.129.165 www.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 reports.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 fclaw.com # Necessary to access FTP site since AD Domain is fclaw.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0 .dll
O2 - BHO: (no name) - {27898C84-3C4B-4E48-A2BF-22F71CC44146} - C:\WINNT\system32\klpjoj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0 .dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [DesktopAuthority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Authority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - Startup: BHO Cop.lnk = C:\Program Files\BHOCop\BHOCop.exe
O4 - Startup: Calculator.lnk = C:\WINNT\system32\calc.exe
O4 - Startup: Procomm Plus.lnk = C:\Program Files\Procomm Plus\programs\PW4.EXE
O4 - Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O4 - Global Startup: MCategory.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...040.5323842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D6A6A09C-C43C-4BCC-90B0-349B71239328} (AXfco Control) - http://workflow.fclaw.com/AXfco.cab
O16 - DPF: {D6FB2DA3-A767-4D27-9926-B5F0528B0A08} (UAttach Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {DA018E54-7561-4AB5-A893-A3388C0F511C} (UltSignature Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {E09150AF-9388-450B-8098-0B4F6BBE1419} (Ultimus) - http://workflow.fclaw.com/UltAxClientMin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fclaw.com



Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 400000 253952 C:\WINNT\Explorer.EXE 5.00.3502.5321 Windows Explorer
ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
ADVAPI32.DLL 7c2d0000 401408 C:\WINNT\system32\ADVAPI32.DLL 5.00.2195.6876 Advanced Windows 32 Base API
KERNEL32.DLL 7c570000 753664 C:\WINNT\system32\KERNEL32.DLL 5.00.2195.6897 Windows NT BASE API Client DLL
RPCRT4.DLL 77d30000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
GDI32.DLL 77f40000 253952 C:\WINNT\system32\GDI32.DLL 5.00.2195.6898 GDI Client DLL
USER32.DLL 77e10000 413696 C:\WINNT\system32\USER32.DLL 5.00.2195.6897 Windows 2000 USER API Client DLL
SHLWAPI.DLL 70bd0000 413696 C:\WINNT\system32\SHLWAPI.DLL 6.00.2800.1106 Shell Light-weight Utility Library
msvcrt.dll 78000000 286720 C:\WINNT\system32\msvcrt.dll 6.10.9359.0 Microsoft (R) C Runtime Library
COMCTL32.DLL 71710000 540672 C:\WINNT\system32\COMCTL32.DLL 5.81 Common Controls Library
shim.dll 732e0000 151552 C:\WINNT\system32\shim.dll 5.00.2195.5308 Shim Engine DLL
AcLayers.DLL 23000000 352256 C:\WINNT\AppPatch\AcLayers.DLL 5.00.2195.5308 Windows 2000 Shim Accessory DLL
hlpiigf.dll 61c00000 61440 c:\winnt\system32\hlpiigf.dll
SHELL32.dll 782f0000 2375680 C:\WINNT\system32\SHELL32.dll 5.00.3502.6144 Windows Shell Common Dll
OLE32.DLL 77a50000 978944 C:\WINNT\system32\OLE32.DLL 5.00.2195.6906 Microsoft OLE for Windows
CLBCATQ.DLL 775a0000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0
OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4518
cscui.dll 77840000 249856 C:\WINNT\system32\cscui.dll 5.00.2195.4104 Client Side Caching UI
CSCDLL.DLL 770c0000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.5434 Offline Network Agent
SHDOCVW.DLL 71000000 1347584 C:\WINNT\system32\SHDOCVW.DLL 6.00.2800.1106 Shell Doc Object and Control Library
browseui.dll 71160000 1036288 C:\WINNT\System32\browseui.dll 6.00.2800.1106 Shell Browser UI Library
USERENV.DLL 7c0f0000 397312 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
ATL.DLL 773e0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
NETAPI32.DLL 75170000 323584 C:\WINNT\system32\NETAPI32.DLL 5.00.2195.6897 Net Win32 API DLL
SECUR32.DLL 77be0000 61440 C:\WINNT\system32\SECUR32.DLL 5.00.2195.4587 Security Support Provider Interface
NETRAP.DLL 751c0000 24576 C:\WINNT\system32\NETRAP.DLL 5.00.2134.1 Net Remote Admin Protocol DLL
SAMLIB.DLL 75150000 61440 C:\WINNT\system32\SAMLIB.DLL 5.00.2195.6897 SAM Library DLL
WS2_32.DLL 75030000 77824 C:\WINNT\system32\WS2_32.DLL 5.00.2195.4874 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
WLDAP32.DLL 77950000 172032 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.5400 Win32 LDAP API DLL
DNSAPI.DLL 77980000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
WSOCK32.DLL 75050000 32768 C:\WINNT\system32\WSOCK32.DLL 5.00.2195.4874 Windows Socket 32-Bit DLL
WININET.dll 70200000 610304 C:\WINNT\system32\WININET.dll 6.00.2800.1106 Internet Extensions for Win32
CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
mydocs.dll 76df0000 69632 C:\WINNT\system32\mydocs.dll 5.00.3315.4065 My Documents Folder UI
SLAgent.dll 10000000 53248 C:\DOCUME~1\sdewey\LOCALS~1\Temp\SLAgent.dll 5, 5, 0, 0 SLAgentDll Dynamic Link Library
CRTDLL.DLL 74fa0000 159744 C:\WINNT\System32\CRTDLL.DLL 4.00 Microsoft C Runtime Library
MPR.DLL 76620000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 Multiple Provider Router DLL
ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2195.5428 Microsoft® Lan Manager
NETUI0.DLL 75210000 86016 C:\WINNT\System32\NETUI0.DLL 5.00.2195.4874 NT LM UI Common Code - GUI Classes
NETUI1.DLL 751d0000 229376 C:\WINNT\System32\NETUI1.DLL 5.00.2134.1 NT LM UI Common Code - Networking classes
NETSHELL.dll 76f20000 479232 C:\WINNT\system32\NETSHELL.dll 5.00.2195.5431 Network Connections Shell
stobject.dll 766d0000 98304 C:\WINNT\system32\stobject.dll 5.00.2195.4455 Systray shell service object
BATMETER.DLL 76740000 32768 C:\WINNT\system32\BATMETER.DLL 5.00.3502.5305 Battery Meter Helper DLL
SETUPAPI.DLL 77880000 577536 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.5400 Windows Setup API
POWRPROF.DLL 766f0000 28672 C:\WINNT\system32\POWRPROF.DLL 5.00.3502.5305 Power Profile Helper DLL
WINMM.DLL 77570000 196608 C:\WINNT\system32\WINMM.DLL 5.00.2161.1 MCI API DLL
webcheck.dll 70340000 266240 C:\WINNT\System32\webcheck.dll 6.00.2800.1106 Web Site Monitor
MSI.DLL 770f0000 2084864 C:\WINNT\system32\MSI.DLL 2.0.2600.1 Windows Installer
wdmaud.drv 77560000 36864 C:\WINNT\system32\wdmaud.drv 5.00.2195.3649 WDM Audio driver mapper
msacm32.drv 77400000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
MSACM32.dll 77410000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
LINKINFO.DLL 76710000 36864 C:\WINNT\system32\LINKINFO.DLL 5.00.2134.1 Windows Volume Tracking
shdoclc.dll 718c0000 540672 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
CfgMgr32.dll 770b0000 28672 C:\WINNT\system32\CfgMgr32.dll 5.00.2134.1 Configuration Manager Forwarder DLL
docprop2.dll 71f00000 315392 C:\WINNT\System32\docprop2.dll 5.00.2178.1 DocProp2
MSVFW32.DLL 6a8f0000 131072 C:\WINNT\System32\MSVFW32.DLL 5.00.2134.1 Microsoft Video for Windows DLL
AVIFIL32.DLL 74870000 90112 C:\WINNT\System32\AVIFIL32.DLL 5.00.2134.1 Microsoft AVI File support library
faxshell.dll 70020000 20480 C:\WINNT\system32\faxshell.dll 5.00.2134.1 Fax Tiff Data Column Provider
actxprxy.dll 703d0000 110592 C:\WINNT\System32\actxprxy.dll 6.00.2800.1106 ActiveX Interface Marshaling Library
events.dll 2030000 147456 C:\Program Files\Trillian\events.dll
comdlg32.dll 76b30000 249856 C:\WINNT\system32\comdlg32.dll 5.00.3315.3727 Common Dialogs DLL
browselc.dll 71960000 73728 C:\WINNT\System32\browselc.dll 6.00.2800.1106 Shell Browser UI Library
version.dll 77820000 28672 C:\WINNT\system32\version.dll 5.00.2134.1 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2134.1 LZ Expand/Compress API DLL
clreg.dll 2a90000 126976 C:\Program Files\West Group\Common\clreg.dll 2.2.0.1 WestCiteLink Registry
urlmon.dll 702b0000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1106 OLE32 Extensions for Win32
wgfile.dll 3a10000 114688 C:\Program Files\West Group\Common\wgfile.dll 2.2.0.1 West Group File Objects
WZSHLSTB.DLL 16200000 24576 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL 4.1 (32-bit) WinZip Shell Extension DLL
avshext.dll 3ea0000 32768 C:\Program Files\Command Software\Command AntiVirus\avshext.dll 4,80,2,30311
ATL70.DLL 3eb0000 98304 C:\WINNT\system32\ATL70.DLL 7.00.9466.0 ATL Module for Windows (Unicode)
MSVCR70.dll 7c000000 344064 C:\WINNT\system32\MSVCR70.dll 7.00.9466.0 Microsoft® C Runtime Library
avshelng.dll 3ee0000 20480 C:\Program Files\Command Software\Command AntiVirus\avshelng.dll 4,80,2,30311
clie.dll 3ef0000 237568 C:\Program Files\West Group\CiteLink\clie\clie.dll 2.2.0.1 WestCiteLink for Microsoft Internet Explorer
MFC42.DLL 103a0000 991232 C:\WINNT\system32\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
MSVCP60.dll 780c0000 397312 C:\WINNT\system32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
ycomp5_3_16_0.dll 68000000 315392 C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0 .dll 2004, 2, 9, 1 Yahoo! Companion 5.3 for Internet Explorer
klpjoj.dll 3fb0000 45056 C:\WINNT\system32\klpjoj.dll
SDHelper.dll 3fc0000 733184 C:\PROGRA~1\SPYBOT~1\SDHelper.dll
olepro32.dll 695e0000 167936 C:\WINNT\system32\olepro32.dll 5.0.4518

[AnnMarie]

Hi JustMe602 - sorry about the delay in replying to your post. I havent been able to be here much this week. OK, we can see the hidden file, its klpjoj.dll.

Download dllfix.exe from here

Doubleclick on it and install in folder of your choice, preferably on your root drive (C

Doubleclick on start.bat and choose option 2 (type 2 after the blinking cursor and hit Enter). Next choose option 1 (type 1 after the blinking cursor and hit Enter). Type klpjoj.dll after the cursor and hit Enter again. The program will do the rest. NB You will be asked if you wish to reboot, you must click YES.

When you have rebooted, make sure that you have the latest version of CWShredder and run it again. Reboot afterwards.

Next, download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

After installing AAW, and before running the program, you must FIRST update the reference file following these instructions. (and you must always do this before you run the program at any later date).

Now do the following:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives. It will find a number of spyware files and registry keys. Right-click in that pane and choose "select all"

Now press "Next" again. It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

Run Hijack This again and post back a new log.