About:Blank


13 replies to this topic

#1 piman (Full Member, 10 posts)

Posted 27 May 2004 - 11:06 PM

Please help me rid this plague from my PC. I have tried to get rid of about:blank myself but could not. This is one of the most persistent yet. Thanks in advance, Piman.

Logfile of HijackThis v1.97.7
Scan saved at 12:05:40 AM, on 5/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\System32\cisvc.exe
c:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\QosServM.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\Marimba\DESKTO~1\Tuner.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\System32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PELMICED.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\KillAd\killad.exe
C:\Program Files\Microsoft Office XP Standard\Office10\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [UserMIF1.44] c:\logon\UserMIF.bat
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Epson Printer Status Agent2.lnk = C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP Standard\Office10\OSA.EXE
O4 - Global Startup: pwreset.lnk = C:\Program Files\Avaya\DEFINITY IP Service Provider\pwreset.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://home.cigna.com
O15 - Trusted Zone: http://auohscgit01.oracle.com
O15 - Trusted Zone: http://auohscgit06.oracle.com
O15 - Trusted Zone: http://auohscgit08.oracle.com
O15 - Trusted Zone: http://apps-cigna.or...outsourcing.com
O15 - Trusted Zone: http://appsdev-cigna...outsourcing.com
O15 - Trusted Zone: http://appsstage-cig...outsourcing.com
O15 - Trusted Zone: http://appstest-cign...outsourcing.com
O15 - Trusted Zone: http://*.smartforce.com
O15 - Trusted Zone: http://*.wdcapp014
O15 - Trusted Zone: http://*.wdcapp016
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} (Microsoft FlexGrid Control, version 6.0) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\msflxgrd.cab
O16 - DPF: {6313ACD5-705C-11D3-8ACA-004F4E002623} (EuroSup.EuroNation) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\EuroSup.cab
O16 - DPF: {6D852581-7F1A-11D2-9CAB-006008319186} (VanColorPickProj.VanColorPick) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VanColorPick.CAB
O16 - DPF: {99AC51A7-BEFF-11D1-B5B1-00A024CD30C6} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VANFIND.cab
O16 - DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} (vanStageTask.van_stage_task_ctl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\vanStageTask.CAB
O16 - DPF: {ADCBFFBC-DB3F-11D2-AADF-006008936C61} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} (vanChevron.van_chevron_ctl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VANCHEVRON.cab
O16 - DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} (VanPallet.VanPalletCtrl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VanPallet.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\SSCALA32.cab
O16 - DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} (VanLiteralDLL.VanLiteral) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VanLiteralDLL.CAB
O16 - DPF: {F39FD815-E9C3-11D1-9C83-006008319186} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VanTree.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cigna.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cigna.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cigna.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.cigna.com

Edited by piman, 29 May 2004 - 08:19 PM.


#2 piman (Full Member, 10 posts)

Posted 29 May 2004 - 10:02 AM

Could someone please take a look at my log? I realize you are very busy, but I'd like to clean this up. Thank you, Piman

#3 piman (Full Member, 10 posts)

Posted 06 June 2004 - 02:15 PM

Hello again, just checking back. If possible, please take a look at my log. I have CWShredder, Spybot S&D, HijackThis and Registrar Lite and am ready to go. I surfed some other about:blank posts and tried to use their fixes but they did not work. I must be missing something.

Please take a look and advise.

Thanks, Piman

#4 OSC (SWI Junkie, Retired Staff, 397 posts)

Posted 06 June 2004 - 04:32 PM

Hi piman,

Since it's been a few days since you posted a HijackThis log, please post an updated log back into this thread.

Also, you need to install ALL critical updates from Microsoft's update site:
http://windowsupdate.microsoft.com This will help protect your computer from some of the nasty stuff out there.

#5 piman (Full Member, 10 posts)

Posted 13 June 2004 - 07:19 PM

Hi, Thanks for the reply.

I updated my browser and, interestingly, that seemed to confuse the about:blank malware. My browser stayed set to msn.com as the default home page for a day and a couple of reboots. Then about:blank as the home page reappeared.

My log is reposted below. I have posted it without any clean up, immediately after the reappearance of about:blank, so you can see exactly what's going on without any modification from me.

I am awaiting your instruction. Please advise and thanks for your input.

Logfile of HijackThis v1.97.7
Scan saved at 8:16:03 PM, on 6/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\System32\cisvc.exe
c:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\QosServM.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\Marimba\DESKTO~1\Tuner.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\System32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PELMICED.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\Marimba\DESKTO~1\lib\jre\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\jmpisa\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\jmpisa\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\jmpisa\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\jmpisa\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\jmpisa\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\jmpisa\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {894C8C8B-A73F-4449-8E4F-44DDFFD72075} - C:\WINNT\System32\nlnph.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [UserMIF1.44] c:\logon\UserMIF.bat
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Epson Printer Status Agent2.lnk = C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP Standard\Office10\OSA.EXE
O4 - Global Startup: pwreset.lnk = C:\Program Files\Avaya\DEFINITY IP Service Provider\pwreset.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: http://auohscgit01.oracle.com
O15 - Trusted Zone: http://auohscgit06.oracle.com
O15 - Trusted Zone: http://auohscgit08.oracle.com
O15 - Trusted Zone: http://apps-cigna.or...outsourcing.com
O15 - Trusted Zone: http://appsdev-cigna...outsourcing.com
O15 - Trusted Zone: http://appsstage-cig...outsourcing.com
O15 - Trusted Zone: http://appstest-cign...outsourcing.com
O15 - Trusted Zone: http://*.smartforce.com
O15 - Trusted Zone: http://*.wdcapp014
O15 - Trusted Zone: http://*.wdcapp016
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} (Microsoft FlexGrid Control, version 6.0) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\msflxgrd.cab
O16 - DPF: {6313ACD5-705C-11D3-8ACA-004F4E002623} (EuroSup.EuroNation) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\EuroSup.cab
O16 - DPF: {6D852581-7F1A-11D2-9CAB-006008319186} (VanColorPickProj.VanColorPick) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VanColorPick.CAB
O16 - DPF: {99AC51A7-BEFF-11D1-B5B1-00A024CD30C6} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VANFIND.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8149.7482175926
O16 - DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} (vanStageTask.van_stage_task_ctl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\vanStageTask.CAB
O16 - DPF: {ADCBFFBC-DB3F-11D2-AADF-006008936C61} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} (vanChevron.van_chevron_ctl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VANCHEVRON.cab
O16 - DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} (VanPallet.VanPalletCtrl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VanPallet.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\SSCALA32.cab
O16 - DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} (VanLiteralDLL.VanLiteral) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VanLiteralDLL.CAB
O16 - DPF: {F39FD815-E9C3-11D1-9C83-006008319186} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\MXCOOK\LOCALS~1\Temp\VanTree.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cigna.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cigna.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cigna.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.cigna.com

#6 OSC (SWI Junkie, Retired Staff, 397 posts)

Posted 13 June 2004 - 09:53 PM

Hi piman,

Create a folder on your desktop called PV. Then download this zip.
http://tools.zerosrealm.com/pv.zip

Please unzip it to that PV folder on your desktop. It will not work if you run it from inside the zip.

After unzipped open the pv folder, make sure you have an Internet Explorer window open or minimized and double click on the runme.bat file.

A dos window will open. Please select option 2 for Internet Explorer dll's by typing 2 and then pressing enter.

Notepad will open with a log in it. Please copy and paste the log into this post.

Next, go here and download this self extracting file:
http://tools.zerosrealm.com/dllfix.exe

Save it to your desktop, double click dllfix.exe and follow the prompts.

Go to the newly created dllfix folder on your desktop and double click start.bat and choose option #1. This will scan your computer for the 'bad' file. Notepad will open with a report in it. Copy the contents of the report back into this thread, along with the pv log AND an updated hijackthis log.

#7 piman (Full Member, 10 posts)

Posted 29 June 2004 - 05:06 AM

Hi OSC,
Sorry it's taken so long to respond, I've been traveling but I'm back now. I ran through the steps you outlined, but the dllfix.exe at http://tools.zerosrealm.com/dllfix.exe was removed because it was a little "buggy". The site directed me to http://tools.zerosre...AboutBuster.zip. I downloaded and ran About:Buster. It scanned a bunch of files and set my home page to Google, but when I opened my browser I was redirected to about:blank. I don't think I removed all the files as the site directed me to. The instructions from the site follow. I will also repost my log file in the next frame.
Thanks in advance
Piman
PS: I used the non-manual method.
P

The DLLFix used to fix the new strand of about:blank made by CoolWebSearch has been pulled down by the creator Shadowwar. He claims that there are too many bugs for it to remain public so he has taken the fix down though he assures us that he will be making a new, more stable version soon. For those of you who still are infected with the new variant of about:blank (the one that hijacks your internet explorer browser to something similar to res://ewfom.dll#2342) a tool has been developed to remove this pest. This only applies to those running Win XP/Win2k.
The Fix for the NEW UPDATED variant:

Please note: This fix applies to those who have browsers hijacked to res://ewfom.dll#2342 and NOTHING else. Please only follow as advised by a qualified expert. Do not attempt to do it yourself.

1) Download the tool About:Buster created by Rubber Ducky. (Download here)
2) Run HijackThis and determine what the hijacker dll is (Eg/ res://ewfom.dll)
3) Run About:Buster and hit Start. Where it asks you to enter the name of the hijacker dll, input the one found in HijackThis (Eg/ res://ewfom.dll).
4) It should say "Accepted" and it will begin to clean other necessary parts.
5) After running the tool re-open HijackThis and fix any of the BHOs/O4s that are related to this problem (GET EXPERT ADVICE!)
6) Then hit "Alt Ctrl Del", end any processes that were determined to be part of the CWS problem, and go and manually delete them. (GET EXPERT ADVICE!). Hopefully you will now be done.

Manual Removal:

1) Open My Computer and choose "Tools" in the menu option, then choose "Folder Options".
2) Click the "View" tab and under Advanced Settings set it to show "Hidden files and folders"
3) Next press "Alt Ctrl Del" and choose the "Processes tab" to bring up a list of running processes.
4) Click the "Image Name" button to get the processes in alphabetical order. Scroll through the list of processes and end task on any processes that you are unaware of or do not have anything on google (get an expert to help)
5) Next, go to Start --> Run and type "Services.msc" (without quotes) then hit OK.
6) Scroll down in the right pane of the screen and find the service called "Network Security Service". Double click it.
7) In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
8) Run HijackThis.exe again, do a scan, place a check in the following boxes and click on "Fix Checked":
- R1 entries
- BHO entries
- O4 entries with random exes.
You may want an expert to assist you there.
9) Reboot into safe mode. Once in Safe Mode, delete the following files:
- R1 entries
- BHO entries
- O4 entries with random exes.
You may want an expert to assist you there.
10) Go to Start, --> Run and type in "regedit" (without quotes) and press "Enter".
11) In the registry, navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ In the left pane if you see something called "__NS_Service_3" right click on it and choose delete.
12) Next navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\ In the left pane if you see something called "LEGACY___NS_Service_3" right click on it and choose delete.
13) Exit regedit and reboot in Normal Mode.
14) Re-post a HijackThis log in the forum where you are being helped; if it's clean, you're good to go.

Please note: The fixes above only apply to those who are being hijacked to webpages such as res://ewfom.dll#2342 and nothing else.

#8 piman (Full Member, 10 posts)

Posted 29 June 2004 - 05:08 AM

Logfile of HijackThis v1.97.7
Scan saved at 6:07:53 AM, on 06/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\QosServM.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsgSys.EXE
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PELMICED.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Palm\HOTSYNC.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\javaw.exe
C:\Program Files\KeyText\KeyText.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CIGNA-Link
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 172.18.46.16 wdc17130 #SecurID
O1 - Hosts: 172.18.44.16 wdc16b30 #SecurID
O2 - BHO: (no name) - {F8A9969D-FEA1-4342-B09E-F9C4DB9C5011} - C:\WINNT\System32\oodoln.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [UserMIF1.44] c:\logon\UserMIF.bat
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [navcfg] c:\winnt\temp\navcfg.exe /s
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP Standard\Office10\OSA.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: pwreset.lnk = C:\Program Files\Avaya\DEFINITY IP Service Provider\pwreset.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://home.cigna.com
O15 - Trusted Zone: http://auohscgit01.oracle.com
O15 - Trusted Zone: http://auohscgit06.oracle.com
O15 - Trusted Zone: http://auohscgit08.oracle.com
O15 - Trusted Zone: http://apps-cigna.or...outsourcing.com
O15 - Trusted Zone: http://appsdev-cigna...outsourcing.com
O15 - Trusted Zone: http://appsstage-cig...outsourcing.com
O15 - Trusted Zone: http://appstest-cign...outsourcing.com
O15 - Trusted Zone: http://*.smartforce.com
O15 - Trusted Zone: http://*.wdcapp014
O15 - Trusted Zone: http://*.wdcapp016
O15 - Trusted Zone: http://*.wdcapp16
O16 - DPF: inspect - http://efs.sys.cigna.com/inspect.CAB
O16 - DPF: pkictls2 - http://efs.sys.cigna.com/pkictls2.CAB
O16 - DPF: Sametime Meeting Room Client ST30SP1 - http://nthtst26.cign...gRoomClient.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} (Microsoft FlexGrid Control, version 6.0) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\msflxgrd.cab
O16 - DPF: {6313ACD5-705C-11D3-8ACA-004F4E002623} (EuroSup.EuroNation) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\EuroSup.cab
O16 - DPF: {6D852581-7F1A-11D2-9CAB-006008319186} (VanColorPickProj.VanColorPick) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VanColorPick.CAB
O16 - DPF: {99AC51A7-BEFF-11D1-B5B1-00A024CD30C6} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VANFIND.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7908.4811689815
O16 - DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} (vanStageTask.van_stage_task_ctl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\vanStageTask.CAB
O16 - DPF: {ADCBFFBC-DB3F-11D2-AADF-006008936C61} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} (FarPoint DateTime Control) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\EDT32X20.cab
O16 - DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} (vanChevron.van_chevron_ctl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VANCHEVRON.cab
O16 - DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} (VanPallet.VanPalletCtrl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VanPallet.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\SSCALA32.cab
O16 - DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} (VanLiteralDLL.VanLiteral) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VanLiteralDLL.CAB
O16 - DPF: {F39FD815-E9C3-11D1-9C83-006008319186} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VanTree.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cigna.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cigna.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35919AC1-7D3E-47E1-901A-640B0661F86B}: NameServer = 10.104.2.49,10.33.86.95
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cigna.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{35919AC1-7D3E-47E1-901A-640B0661F86B}: NameServer = 10.104.2.49,10.33.86.95

#9 OSC (SWI Junkie, Retired Staff, 397 posts)

Posted 29 June 2004 - 08:05 PM

Hi piman,

That dllfix was pulled shortly after I posted it to you, so that's why it didn't work. There's a new fix for this type of infection.

Download and install APM from: http://www.diamondcs...ex.php?page=apm

Now click Start > All Programs > APM > Advanced Process Manipulator. In the upper window select explorer.exe. In the lower window find and right click oodoln.dll. Select Unload DLL and click OK on the prompts that follow.

Run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {F8A9969D-FEA1-4342-B09E-F9C4DB9C5011} - C:\WINNT\System32\oodoln.dll


Reboot your computer and post a fresh hijackthis log.
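The entries OSC lists here (search settings pointing at sp.html in a Temp folder, HomeOldSP set to about:blank, and an unnamed BHO loading a DLL with a random name from System32) are the same three patterns the quoted site instructions in post #7 describe as "R1 entries, BHO entries, O4 entries with random exes". The following is an added example, not HijackThis, About:Buster, dllfix or any other tool named in this thread: a small Python triage script that parses the entry lines of a HijackThis log, flags those patterns, and diffs two logs so a helper can see what appeared between reposts, which the repeated reinfections in this thread make useful. The "random-looking name" heuristic, the `hijack`/`review` severity labels and the Temp-folder check on O4 Run entries are this example's own assumptions; the two sample log excerpts are trimmed from the logs posted above (posts #1 and #5).

```python
"""Triage and diff helper for HijackThis logs.

Added example for this thread; it is not HijackThis, About:Buster, dllfix or
any other tool named above. It parses the entry lines of a log, flags the
patterns the thread treats as the CoolWebSearch about:blank hijack, and diffs
two logs so a helper can see what changed between reposts.
"""
import re

# One HijackThis entry: section code, " - ", body (e.g. "R1 - HKCU\...")
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Search/home settings pointing at a file:// URL under a Temp folder (sp.html)
TEMP_FILE_RE = re.compile(r"file://.*\\temp\\", re.IGNORECASE)
# "BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(HK(?:LM|CU))\\\.\.\\Run: \[(.*?)\] (.*)$")


def parse_log(text):
    """Return (section, body) for every entry line; process lists etc. are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def looks_random(filename):
    """Crude stand-in for 'random exe/dll name' (this example's assumption):
    lowercase letters only, 3 to 8 chars, no digits. Legitimate files also
    match, so it is only applied together with the other BHO conditions."""
    stem = filename.rsplit(".", 1)[0]
    return stem.isalpha() and stem.islower() and 3 <= len(stem) <= 8


def triage(text):
    """Return (severity, section, message) findings for one log."""
    findings = []
    for section, body in parse_log(text):
        if section in ("R0", "R1"):
            if TEMP_FILE_RE.search(body):
                findings.append(("hijack", section,
                                 "search setting points at a file in a Temp folder: " + body))
            elif body.endswith("HomeOldSP = about:blank"):
                findings.append(("hijack", section, "stored home page is about:blank: " + body))
        elif section == "O2":
            m = BHO_RE.match(body)
            if m and m.group(1) == "(no name)":
                path = m.group(3)
                base = path.rsplit("\\", 1)[-1]
                if "\\system32\\" in path.lower() and looks_random(base):
                    findings.append(("hijack", section,
                                     "unnamed BHO loading random-looking DLL from System32: " + base))
        elif section == "O4":
            m = RUN_RE.match(body)
            # Programs auto-started from a Temp folder are worth a second look, not proof of anything
            if m and re.search(r"\\temp\\", m.group(3), re.IGNORECASE):
                findings.append(("review", section,
                                 "Run entry [%s] starts a program from a Temp folder: %s"
                                 % (m.group(2), m.group(3))))
    return findings


def diff_logs(old_text, new_text):
    """Entries added and removed between two logs, each list sorted."""
    old, new = set(parse_log(old_text)), set(parse_log(new_text))
    return sorted(new - old), sorted(old - new)


# Constructed excerpts of the logs posted above (posts #1 and #5), trimmed to a few lines.
LOG_MAY = r"""
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NavNT\vptray.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.cigna.com
"""
LOG_JUNE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\jmpisa\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\jmpisa\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {894C8C8B-A73F-4449-8E4F-44DDFFD72075} - C:\WINNT\System32\nlnph.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

if __name__ == "__main__":
    for sev, sec, msg in triage(LOG_JUNE):
        print(f"[{sev}] {sec}: {msg}")
    added, removed = diff_logs(LOG_MAY, LOG_JUNE)
    print("new since May:", *(s + " - " + b for s, b in added), sep="\n  ")
    print("gone since May:", *(s + " - " + b for s, b in removed), sep="\n  ")
```

Run against the June excerpt it reports four `hijack` findings (the two sp.html search entries, the about:blank HomeOldSP value and the nlnph.dll BHO) and the diff shows exactly those entries plus the AIM Run key as new since May. The DLL-name heuristic deliberately stays crude: on its own it would match plenty of legitimate files, so the script only trusts it for a BHO that has no name and lives in System32, which is the combination every log in this thread shows.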

#10 piman (Full Member, 10 posts)

Posted 17 July 2004 - 09:38 AM

Hi OSC,
I ran the APM as directed but could not locate the DLL in explorer.exe. I opened iexplorer.exe and found it. I ran an updated CWS, Spy and HJT, and unloaded the DLL. That cleaned it up for a few days, but then I got it again on www.alltheweb.com when a search stalled. I think I was going to eBay or Consumer Reports, the query hung and about:blank popped up. I ran the cleans again and found another DLL, named differently but still starting with an "O" and also listed on the BHO line of HJT. I cleaned that and all was fine, and then it popped up again, same DLL, same name. I cleaned again and pressed on. Today, I was going to http://www.shoprehoboth.com/ and got about:blank again, this time as a BHO DLL named << blbog >> or something like that (sorry, I forgot to note it). I also get the first six lines in HJT pointing to sp.html. I have cleaned that DLL and have been OK since then.

The problem is that this thing keeps coming back whenever it wants. I run an updated version of NAV with current definitions and am behind a router on my home network. It seems like there's a file on my PC that calls out to the about:blank source and announces I'm online, clean, and ready to be reinfected. Can this be? Can there be a reporting bot on my PC?

Are there any developments in the about:blank saga? Has this hijack become more prevalent on the web? Are there any new tools I can use to clean and prevent this?

PS, next time I get the about:blank hijack, and I probably will, I'll post a new log.

Any input is appreciated.

Thanks in advance
Piman

#11 piman (Full Member, 10 posts)

Posted 18 July 2004 - 11:33 AM

Got it again. Looks like it's creating itself. This time the BHO dll was mjkk.dll. CWS caught it, but it still looks like it's re-creating itself on my PC.

Just a question here... Has anyone put the law on these jerks that are bugging our PCs? I mean, these PCs are our personal property that they're modifying without our permission. Is their identity even known? Can we catch them and make them clean toilets in a prison or something? Just curious. I figured you folks are more in touch with what's going on, legally, with this stuff, more than anyone else. Just vetching, that's all. Thanks. Jim

#12 OSC (SWI Junkie, Retired Staff, 397 posts)

Posted 19 July 2004 - 06:55 PM

Hi piman,

Please post an updated log. I'll be watching here tonight for it. As for who they are, yes, we know who they are and there's not a lot anyone can do since what they are doing is technically not breaking any laws (if you can believe that). :huh:

#13 piman (Full Member, 10 posts)

Posted 19 July 2004 - 09:40 PM

Hey OSC, I didn't even go anywhere this time and I got it. I just rebooted and it came back. There's got to be a generating dll on my PC. This time the dll's name that HJT found was oal.dll.

Logfile of HijackThis v1.98.0
Scan saved at 10:36:46 PM, on 07/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\QosServM.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PELMICED.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\javaw.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\KillAd\killad.exe
C:\Program Files\Quick View Plus\Program\qvp32.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis\HijackThis.exe
C:\WINNT\System32\HPBPRO.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 172.18.46.16 wdc17130 #SecurID
O1 - Hosts: 172.18.44.16 wdc16b30 #SecurID
O2 - BHO: (no name) - {9C672B2F-D9A2-4BA9-98A5-7D76A0243D85} - C:\WINNT\System32\oal.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [UserMIF1.44] c:\logon\UserMIF.bat
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [navcfg] c:\winnt\temp\navcfg.exe /s
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP Standard\Office10\OSA.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: pwreset.lnk = C:\Program Files\Avaya\DEFINITY IP Service Provider\pwreset.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://home.cigna.com
O15 - Trusted Zone: http://auohscgit01.oracle.com
O15 - Trusted Zone: http://auohscgit06.oracle.com
O15 - Trusted Zone: http://auohscgit08.oracle.com
O15 - Trusted Zone: http://apps-cigna.or...outsourcing.com
O15 - Trusted Zone: http://appsdev-cigna...outsourcing.com
O15 - Trusted Zone: http://appsstage-cig...outsourcing.com
O15 - Trusted Zone: http://appstest-cign...outsourcing.com
O15 - Trusted Zone: http://*.smartforce.com
O15 - Trusted Zone: http://*.wdcapp014
O15 - Trusted Zone: http://*.wdcapp016
O15 - Trusted Zone: http://*.wdcapp16
O16 - DPF: inspect - http://efs.sys.cigna.com/inspect.CAB
O16 - DPF: pkictls2 - http://efs.sys.cigna.com/pkictls2.CAB
O16 - DPF: Sametime Meeting Room Client ST30SP1 - http://nthtst26.cign...gRoomClient.cab
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} (Microsoft FlexGrid Control, version 6.0) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\msflxgrd.cab
O16 - DPF: {6313ACD5-705C-11D3-8ACA-004F4E002623} (EuroSup.EuroNation) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\EuroSup.cab
O16 - DPF: {6D852581-7F1A-11D2-9CAB-006008319186} (VanColorPickProj.VanColorPick) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VanColorPick.CAB
O16 - DPF: {99AC51A7-BEFF-11D1-B5B1-00A024CD30C6} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VANFIND.cab
O16 - DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} (vanStageTask.van_stage_task_ctl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\vanStageTask.CAB
O16 - DPF: {ADCBFFBC-DB3F-11D2-AADF-006008936C61} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} (FarPoint DateTime Control) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\EDT32X20.cab
O16 - DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} (vanChevron.van_chevron_ctl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VANCHEVRON.cab
O16 - DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} (VanPallet.VanPalletCtrl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VanPallet.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\SSCALA32.cab
O16 - DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} (VanLiteralDLL.VanLiteral) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VanLiteralDLL.CAB
O16 - DPF: {F39FD815-E9C3-11D1-9C83-006008319186} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\VanTree.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cigna.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cigna.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cigna.com
O18 - Filter: text/html - {C5C39DC7-12FC-4209-937E-428D92BD0EBC} - C:\WINNT\System32\oal.dll
O18 - Filter: text/plain - {C5C39DC7-12FC-4209-937E-428D92BD0EBC} - C:\WINNT\System32\oal.dll
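The log above ties the same module, C:\WINNT\System32\oal.dll, to two places: the unnamed BHO (O2) and the O18 MIME filters for text/html and text/plain. A pluggable MIME filter sits in Internet Explorer's content pipeline, so whoever controls it can rewrite every page IE renders, which is why the about:blank page keeps coming back no matter what the start page is set to. The following triage script is an added example for this thread, not code from HijackThis or from the poster; it runs a few defender-side checks over a constructed sample of log lines modelled on post #13 (the rule names and the `triage_line`/`triage_log` helpers are this example's own) and reports any DLL referenced from more than one section.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not code from HijackThis or from the poster.
It encodes the defender's reading of the log above: an IE search page that is a
file:// URL under a Temp folder, an unnamed BHO, an autorun entry living in a
Temp folder, and an O18 MIME filter for text/html or text/plain are each worth
a second look, and one DLL that shows up in several of those slots at once is
the strongest signal.
"""
import re
from collections import defaultdict

# Constructed sample: lines modelled on the log in post #13 plus two benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JMPISA\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9C672B2F-D9A2-4BA9-98A5-7D76A0243D85} - C:\WINNT\System32\oal.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [navcfg] c:\winnt\temp\navcfg.exe /s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O18 - Filter: text/html - {C5C39DC7-12FC-4209-937E-428D92BD0EBC} - C:\WINNT\System32\oal.dll
O18 - Filter: text/plain - {C5C39DC7-12FC-4209-937E-428D92BD0EBC} - C:\WINNT\System32\oal.dll
"""

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)          # ...\Temp\... anywhere in a path
DLL_PATH = re.compile(r"[A-Za-z]:\\\S+?\.dll\b", re.IGNORECASE)   # first drive-rooted *.dll on a line


def triage_line(line):
    """Return a list of (rule, detail) findings for a single HJT log line."""
    findings = []
    section = line.split(" - ", 1)[0]          # "R1", "O2", "O18", ...
    if section in ("R0", "R1"):
        value = line.rsplit(" = ", 1)[-1]
        if value.lower().startswith("file://") and TEMP_DIR.search(value):
            # IE start/search page redirected to a local HTML file in a Temp folder
            findings.append(("search-page-hijack", value))
        elif value.lower() == "about:blank":
            findings.append(("about-blank-page", value))
    elif section == "O2" and "(no name)" in line:
        # A BHO with no registered name is still loaded into every IE process
        findings.append(("unnamed-bho", line.split(" - ")[-1]))
    elif section == "O4" and TEMP_DIR.search(line):
        # Legitimate autorun entries rarely live in a Temp folder
        findings.append(("autorun-from-temp", line.split("] ", 1)[-1]))
    elif section == "O18" and line.startswith("O18 - Filter:"):
        # A pluggable MIME filter sits in IE's content pipeline and can rewrite
        # every text/html or text/plain response before the user sees it.
        parts = line.split(" - ")
        mime = parts[1].split(":", 1)[1].strip()
        findings.append(("mime-filter", f"{mime} -> {parts[-1]}"))
    return findings


def triage_log(text):
    """Triage a whole log; also report DLLs referenced from more than one section."""
    findings = []
    modules = defaultdict(set)                 # normalised dll path -> {sections referencing it}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        for rule, detail in triage_line(line):
            findings.append((section, rule, detail))
        m = DLL_PATH.search(line)
        if m:
            modules[m.group(0).lower()].add(section)
    shared = {path: sorted(secs) for path, secs in modules.items() if len(secs) > 1}
    return {"findings": findings, "shared_modules": shared}


if __name__ == "__main__":
    report = triage_log(SAMPLE_LOG)
    for section, rule, detail in report["findings"]:
        print(f"[{section}] {rule}: {detail}")
    for path, secs in report["shared_modules"].items():
        print(f"{path} is referenced from sections {', '.join(secs)}")
```

Run against the sample it flags six lines and reports oal.dll as shared between O2 and O18; the vptray and Excel entries pass untouched. The cross-section check matters more than any single rule: a randomly named DLL changes from one reboot to the next, but the pattern of one module registered as both a BHO and a MIME filter stays the same, so that is the thing to look for in the next log rather than the file name.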

#14 piman

piman

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 23 July 2004 - 11:20 PM

Hey OSC,
I didn't even go anywhere this time and I got it. I just rebooted and it came back. There's got to be a file generating a randomly named dll on my pc. This time the dll's name that hjt found was LECPBT.dll.
Thanks
Piman