about:blank, a trojan, c:\spad, can someone help?

I posted this same thing at Computercops.biz, but they aren’t as helpful as the great people at the SDMB.

I use Windows Professional 2000, here’s my log from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 4:37:52 PM, on 6/17/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\UMonit2K.exe
C:\WINNT\loadqm.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\a\LOCALS~1\Temp\sexgame.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\Program Files\The Cleaner ca.exe
C:\Program Files\The Cleaner cm.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\docume~1\a\applic~1\service.exe
C:\Documents and Settings\a\Application Data\uuol.exe
C:\WINNT\System32\wcpsvsu.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\DOCUME~1\a\LOCALS~1\Temp\daab.dat
C:\Program Files\AIM\aim95.exe
C:\Program Files\The Cleaner\cleaner.exe
C:\Program Files\AIM\aim95.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {EA81EA51-4EF8-4493-A8E6-DCF29C572287} - C:\WINNT\System32\cee.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM…\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [CARPService] carpserv.exe
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM…\Run: [UMonit2K.exe] “C:\WINNT\System32\UMonit2K.exe”
O4 - HKLM…\Run: [LoadQM] loadqm.exe
O4 - HKLM…\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM…\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [hsim] C:\DOCUME~1\a\LOCALS~1\Temp\sexgame.exe *r8
O4 - HKLM…\Run: [Remndr] “C:\Program Files\CasinoOnline\CsRemnd.exe”
O4 - HKLM…\Run: [hins] C:\DOCUME~1\a\LOCALS~1\Temp\sexgame.exe r20
O4 - HKLM…\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7 aumon.exe
O4 - HKLM…\Run: [tcactive] C:\Program Files\The Cleaner ca.exe
O4 - HKLM…\Run: [tcmonitor] C:\Program Files\The Cleaner cm.exe
O4 - HKLM…\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM…\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM…\Run: [Ad-aware] “C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe” +c
O4 - HKLM…\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKCU…\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU…\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU…\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU…\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU…\Run: [sysmon] C:\WINNT\System32\sysmon\sysmon.exe
O4 - HKCU…\Run: [System Update4] c:\docume~1\a\applic~1\service.exe
O4 - HKCU…\Run: [Brao] C:\Documents and Settings\a\Application Data\uuol.exe
O4 - HKCU…\Run: [WINT] C:\WINNT\System32\wcpsvsu.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra ‘Tools’ menuitem: JavaScript Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra ‘Tools’ menuitem: JavaScript Console (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2569f32da76d57033722/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4322/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

After fixing all the problems, they come back after I run scan again.

There are so many things going on with my computer I don’t know where to start.

AVG Resident Shield keeps popping up telling me Trojan horse PSW.Briss.D is found in file C:\WINNT\system32\hurrican2.exe. It tells me to run AVG for Windows, but when I do, it finds nothing. I’ve looked for the hurrican2.exe file in the system32 folder, but I find nothing either.

Spy Sweeper Homepage Shield keeps popping up asking if I want to switch homepage to about:blank.

When I click on my AIM quicklaunch, I get a pop-up every time.

A while ago I got rid of this Spad file thing, but the URL that it directed my homepage to still pops up out of nowhere at random times. I don’t think I followed the directions on how to get rid of it carefully, anyone know what to do?

You might want to try going to www.trendmicro.com and doing the free online scan.

Can you do a search on your computer for a file by the name of hosts and post the contents?

I searched, and I got nothing. Getting scanned right now.

to completely eradicate all infection on your machine, follow these steps carefully, and in order.

  1. for the trojan you have, a copy of the file may be in restore files, so follow the directions given on the following site and the pop ups from AVG should stop (make sure your AVG detection files are updated also).
    http://www.computercops.biz/postp192652.html

after that, try another online scan:

2. rescan with hijack this and delete the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about_:blank
O2 - BHO: (no name) - {EA81EA51-4EF8-4493-A8E6-DCF29C572287} - C:\WINNT\System32\cee.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2569f32da76d57...ip/RdxIE601.cab
O4 - HKCU…\Run: [WINT] C:\WINNT\System32\wcpsvsu.exe
O4 - HKCU…\Run: [Brao] C:\Documents and Settings\a\Application Data\uuol.exe
O4 - HKLM…\Run: [Remndr] “C:\Program Files\CasinoOnline\CsRemnd.exe”
O4 - HKLM…\Run: [hsim] C:\DOCUME~1\a\LOCALS~1\Temp\sexgame.exe *r8

3. download CWShredder, run the file and click fix. http://www.spywareinfo.com/~merijn/files/CWShredder.exe

download ad-aware, update the reference file, do a FULL SCAN OF DRIVE C:\ and delete any files found. http://www.lavasoftusa.com/support/download/

last but not necessary, download spybot S&D, update files and then do a full scan with it. http://safer-networking.de/ also, make sure to have it install the internet explorer helper which prevents against new infections (see help file, it is easy to do).

4. download HPgurus HOSTS file (comes with instruction) to avoid most kinds of future infection. http://webpages.charter.net/hpguru/hosts/hosts.html

finally, download the .reg file and add it to the registry from the following site to prevent even more infection from bad software (right click save as). http://www.spywareguide.com/blockfile.php

5. after restarting your computer, post a new hijack this log file.

Just got on my computer and I’m about to do everything. There’s another problem now, but I think it’s unrelated to this problem. I tried to download the latest version of AIM and it says C:\Program Files\Sysfiles\imagehlp.dll could not be opened. Alright, off to do everything.

I wasn’t able to do step one because I’m on Windows 2000 Professional, and the steps were for Windows XP. I can’t find where to turn off restore points. I did step two, here’s a fresh log.

Logfile of HijackThis v1.97.7
Scan saved at 5:19:10 PM, on 6/18/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\UMonit2K.exe
C:\WINNT\loadqm.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\a\LOCALS~1\Temp\sexgame.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\PROGRA~1\Agnitum\TAUSCA~1.7 aumon.exe
C:\Program Files\The Cleaner ca.exe
C:\Program Files\The Cleaner cm.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\docume~1\a\applic~1\service.exe
C:\Documents and Settings\a\Application Data\uuol.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Eser\Install_AIM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM…\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [CARPService] carpserv.exe
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM…\Run: [UMonit2K.exe] “C:\WINNT\System32\UMonit2K.exe”
O4 - HKLM…\Run: [LoadQM] loadqm.exe
O4 - HKLM…\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM…\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7 aumon.exe
O4 - HKLM…\Run: [tcactive] C:\Program Files\The Cleaner ca.exe
O4 - HKLM…\Run: [tcmonitor] C:\Program Files\The Cleaner cm.exe
O4 - HKLM…\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM…\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM…\Run: [Ad-aware] “C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe” +c
O4 - HKCU…\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU…\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU…\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU…\Run: [sysmon] C:\WINNT\System32\sysmon\sysmon.exe
O4 - HKCU…\Run: [System Update4] c:\docume~1\a\applic~1\service.exe
O4 - HKCU…\Run: [Brao] C:\Documents and Settings\a\Application Data\uuol.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra ‘Tools’ menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra ‘Tools’ menuitem: JavaScript Console (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4322/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

Did step 3, CWShredder found nothing. Ran Ad-Aware, it’s the first time in 2 days it didn’t find 30 plus infections (only 2).

I notice there are two instances of C:\WINNT\system32\Ati2evxx.exe in your Hijackthis log; the filename itself looks like a legitimate one (something to do with your graphics card, I would guess), but the fact that there are two entries for it makes me suspicious. Do you have two graphics cards installed?

It does look odd, but it’s normal if the ATI system tray applet is installed and running.

The System Restore service is included with Windows ME and Windows XP, but not with Windows 2000.

There is a limited recover-from-failed-config-changes facility called the Last Known Good Configuration that you can select when booting up. It’s much more limited than, and very different from, the System Restore that newer versions of Windows have.

I don’t think you have to worry about skipping step 1 in this case.

Bad news: you can’t usually remove that infection merely by deleting the entries. It’s a variant of CoolWebSearch and uses an infection method that neither HijackThis nor CWShredder can detect.

It may be gone now, but it’ll show up again soon.

It involves a hidden .dll file that changes randomly the next time you boot. When it comes back, post the log at http://www.spywareinfo.com and they can guide you through the cleaning (I think it’s down right now as they put up a new server). Computercops.biz should also know about it.

There are also several bits of spyware the original cleaning missed. These lines are problems:

O4 - HKCU…\Run: [sysmon] C:\WINNT\System32\sysmon\sysmon.exe
O4 - HKCU…\Run: [System Update4] c:\docume~1\a\applic~1\service.exe
O4 - HKCU…\Run: [Brao] C:\Documents and Settings\a\Application Data\uuol.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

Delete them via hijackthis, restart the computer, then delete the following, if present:

“C:\WINNT\System32\sysmon” folder
service.exe
uuol.exe
“C:\Documents and Settings\a” folder
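
A first-pass triage of HijackThis entries like the ones flagged in this thread, as an added example that is not part of any poster's reply or of HijackThis itself. The rules (IE pages pointing at local files, unnamed BHOs, autoruns launched from Temp or Application Data, ActiveX downloads from a raw IP or with no class name) are assumed heuristics drawn from the entries the helpers singled out, and the sample log is constructed from lines in the logs above.

```python
import re

# Constructed sample: a handful of entries copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {EA81EA51-4EF8-4493-A8E6-DCF29C572287} - C:\WINNT\System32\cee.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM…\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM…\Run: [hsim] C:\DOCUME~1\a\LOCALS~1\Temp\sexgame.exe *r8
O4 - HKCU…\Run: [System Update4] c:\docume~1\a\applic~1\service.exe
O4 - HKCU…\Run: [Brao] C:\Documents and Settings\a\Application Data\uuol.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2569f32da76d57033722/netzip/RdxIE601.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
"""

# "<section> - <body>", e.g. "O4 - HKLM...\Run: [name] command"
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
# User-writable launch locations, including their 8.3 short-name forms.
USER_WRITABLE = re.compile(r"\\(temp|applic~1|application data)\\", re.I)
# Download URL whose host is a dotted-quad IP address rather than a name.
IP_HOST = re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}[/:]")
# O16 entry with no "(class name)" between the CLSID and the URL.
UNNAMED_DPF = re.compile(r"DPF: \{[0-9A-Fa-f-]+\} - ")


def triage(log):
    """Return (section, reason, body) for each entry matching a heuristic."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.groups()
        reason = None
        if section in ("R0", "R1") and re.search(r"= (file://|about:blank)", body, re.I):
            reason = "IE page setting points at a local file or about:blank"
        elif section == "O2" and "(no name)" in body:
            reason = "browser helper object with no name"
        elif section == "O4" and USER_WRITABLE.search(body):
            reason = "autorun launched from Temp or Application Data"
        elif section == "O16" and IP_HOST.search(body):
            reason = "ActiveX control downloaded from a raw IP address"
        elif section == "O16" and UNNAMED_DPF.match(body):
            reason = "ActiveX control with no class name"
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {body}")
```

Path and naming rules like these miss entries such as sysmon.exe and wcpsvsu.exe, which sit under System32 and were flagged in the thread by recognition, so the output narrows a manual review rather than replacing it.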

if the about:blank page comes back then you need to follow the steps given at the following link to delete the hidden .dll file that reinfects you, then run CWShredder again.

smellson, I can’t find the directions, are they in one of the pages someone gives?

Anyone know anything about my AIM problem?

bump