about:blank


This topic is locked
14 replies to this topic

#1 kfoleyblue (Full Member, 5 posts)
Posted 11 June 2004 - 04:39 PM

I have run Spybot with updated files and it comes up clean. I run Adaware and it finds the CoolWebSearch and I choose to fix. As soon as I open Internet Explorer, about:blank pulls up as my home page again. I close out of IE and run Adaware again and the same items come up again. I clean them, and the loop just keeps going.

I ran HijackThis and here's my log file below. Could someone please help me?

Logfile of HijackThis v1.97.7
Scan saved at 5:16:07 PM, on 6/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE
C:\PROGRAM FILES\TECHSMITH\SNAGIT 6\SNAGIT32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NNFKFAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NNFKFAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NNFKFAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NNFKFAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NNFKFAA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NNFKFAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {C284D923-BBC4-11D8-81A1-000486C12F81} - C:\WINDOWS\SYSTEM\NNFKFAA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: UPDATE (2).pif = G:\UPDATE\TESTUPDA.BAT
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Startup: SnagIt 6.lnk = C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8149.4693055556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://81.211.105.37...m::/on-line.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = paetec.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.1.2.149

#2 wilb (New Member, 1 post)
Posted 11 June 2004 - 05:27 PM

Hi, sorry I can't offer a fix as such, I'm struggling myself, but I just noticed your problem seems to be the same as mine and we're both using Win98SE; your HijackThis log looks very similar too. If I get any good links to help I'll post them here for you, and if you could do the same I'd be grateful.
My post title is about:blank
Subheading is reinfection

Cheers, William

#3 kfoleyblue (Full Member, 5 posts)
Posted 14 June 2004 - 04:40 PM

Thanks William,

If I get a fix I'll update your post!

#4 MTC (Full Member, 7 posts)
Posted 14 June 2004 - 05:28 PM

Please do post, folks. Having the same problem here, trying to rid a 98SE machine of this problem myself. Tried just about everything.

DC

#5 mephitical (Full Member, 15 posts)
Posted 14 June 2004 - 05:37 PM

Waiting for help myself on a Windows 98SE. I'll let you all know if I get a fix on my post.

#6 Bugbatter (Trusted Advisor, 939 posts)
Posted 14 June 2004 - 08:36 PM

Hi, Guys,
Sorry this took so long.

Kfoleyblue, first of all, please move HJT to its own permanent folder for when we need it later. Otherwise, with it on your desktop, the backups that it saves will be scattered all over the desktop.

Let's see if we can get rid of the file that is reinfecting you first. Then we will remove the other nasty stuff.
Download "StartDreck" from here: Here

Unzip to its own folder and start the program.

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running Processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Post the log in this thread.
(If I do not get back to you right away, it is only because of our difference in time zones.)
Microsoft MVP - Consumer Security

#7 kfoleyblue (Full Member, 5 posts)
Posted 16 June 2004 - 01:26 PM

Ok, I moved HJT to its own folder.
Here's the log from StartDreck below.

Thanks!

StartDreck (build 2.1.5 public BETA) - 2004-06-16 @ 14:23:06
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
 »Run Keys
  »Current User
   »Run
   »RunOnce
  »Default User
   »Run
   »RunOnce
  »Local Machine
   »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    *nwiz=nwiz.exe /install
    *Client Access Service="C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
    *Client Access Taskbar="C:\Program Files\IBM\Client Access\cwbuitsk.exe"
    *Client Access API Daemon="C:\Program Files\IBM\Client Access\cwbappcd.exe"
    *Client Access Help Update="C:\Program Files\IBM\Client Access\cwbinhlp.exe"
    *Client Access Check Version="C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    *mdac_runonce=C:\WINDOWS\SYSTEM\runonce.exe
    *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
    *TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    *vptray=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
   »RunOnce
   »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *Client Access Start Incoming RC=###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
    *Client Access Network Drive=C:\Program Files\IBM\Client Access\cwbbs.exe
    *Client Access Network Print=C:\Program Files\IBM\Client Access\cwbnpred.exe
    *rtvscn95=C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    *defwatch=C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
   »RunServicesOnce
    **wdvb=rundll32 C:\WINDOWS\SYSTEM\HLPOACJ.DLL,StreamingDeviceSetup
   »RunOnceEx
   »RunServicesOnceEx
»Files
»System/Drivers
 »Running Processes
  *FF0F94A3=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  *FFFFC33F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  *FFFFD58F=C:\WINDOWS\SYSTEM\MPREXE.EXE
  *FFFEC45B=C:\WINDOWS\SYSTEM\MSTASK.EXE
  *FFFEB00F=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
  *FFFEC8C7=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
  *FFFD01DB=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
  *FFFDABBF=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
  *FFFDE53B=C:\WINDOWS\SYSTEM\mmtask.tsk
  *FFFDDCBF=C:\WINDOWS\RUNDLL32.EXE
  *FFFB10A3=C:\WINDOWS\EXPLORER.EXE
  *FFFBCEAB=C:\WINDOWS\TASKMON.EXE
  *FFFA258B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  *FFFA566B=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
  *FFF94DA3=C:\WINDOWS\SYSTEM\STIMON.EXE
  *FFFAB0A3=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
  *FFF9C30B=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
  *FFF92F0B=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
  *FFF813AB=C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE
  *FFFAF39F=C:\PROGRAM FILES\TECHSMITH\SNAGIT 6\SNAGIT32.EXE
  *FFF80B97=C:\WINDOWS\SYSTEM\DDHELP.EXE
  *FFFAFB0B=C:\WINDOWS\SYSTEM\SPOOL32.EXE
  *FFF95AA3=C:\WINDOWS\SYSTEM\WMIEXE.EXE
  *FFF8F323=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
  *FFF63F0F=C:\STARTDRECK\STARTDRECK.EXE
»Application specific

#8 Bugbatter (Trusted Advisor, 939 posts)
Posted 16 June 2004 - 04:41 PM

Make sure your Windows is configured to show all files.
http://www.xtra.co.n...1916458,00.html

Do a search for this file: C:\WINDOWS\SYSTEM\HLPOACJ.DLL

If you can find it, delete HLPOACJ.DLL. If you cannot find it, please do this:

Download: "Win98Fix.zip" from here:
<http://www10.brinkst...ast/pvtool.htm>

Unzip to its own folder.

Open Folder and double click on RunFix.reg file.
Hit 'Yes' to merge it into your registry.
Restart your computer.

The bad file should now be visible so you can delete it.
Browse to HLPOACJ.DLL
Right click select 'Properties' and remove any 'Read only' protection.
Right click again and select 'Delete'.

(If you cannot find the file, run the 'Who.bat' file in the folder.
The file will be found and listed.)

Reboot.

In order to take care of the Trojan problem and the CWS hijacker, you will need to do this:

1. Scan with Trendmicro's free online scan, Housecall HERE
Let it remove whatever it finds.
2. Reboot and scan with Adaware which had an update yesterday, so please make sure the update is installed.
3. Scan with Spybot (Updated today).
4. Scan with CWShredder.
For how to download CWShredder to remove CoolWebSearch, please follow the instructions HERE

Make sure you close all programs and windows before running CWShredder and be sure to click on the "Fix" button.

5. Lastly, please run a scan with HJT and post a fresh log so we can see if any remnants still need to be removed.

Thanks, and good luck.
Microsoft MVP - Consumer Security

#9 kfoleyblue (Full Member, 5 posts)
Posted 16 June 2004 - 05:29 PM

I did all the steps you outlined and here's my HijackThis log below:

Logfile of HijackThis v1.97.7
Scan saved at 6:27:21 PM, on 6/16/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE
C:\PROGRAM FILES\TECHSMITH\SNAGIT 6\SNAGIT32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: UPDATE (2).pif = G:\UPDATE\TESTUPDA.BAT
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Startup: SnagIt 6.lnk = C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8149.4693055556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://81.211.105.37...m::/on-line.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = paetec.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.1.2.149

Let me know how it looks,
Thanks!

#10 MTC (Full Member, 7 posts)
Posted 16 June 2004 - 07:10 PM

Howdy. My problem is that new .dlls keep showing up and I cannot rename or delete them since they are "in use by Windows". Seen a thread on W2000 and this problem. There is a hidden file that keeps recreating them. Somehow I need to find that file and my problems will be over with.

DC

#11 MTC (Full Member, 7 posts)
Posted 16 June 2004 - 07:20 PM

http://www.akadia.co...lank_virus.html

Just an FYI...

DC

#12 Bugbatter (Trusted Advisor, 939 posts)
Posted 16 June 2004 - 07:26 PM

Kfoleyblue,
Wow! It is looking much better.

These two concern me:
I could not find any info on this. Do you have any idea what it might be?
O4 - Startup: UPDATE (2).pif = G:\UPDATE\TESTUPDA.BAT

This one, according to my research, is an installer for a Trojan that is downloaded from a webpage.
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://81.211.105.37...m::/on-line.exe
Please boot into Safe Mode, run HJT and check to fix the following:
O4 - Startup: UPDATE (2).pif = G:\UPDATE\TESTUPDA.BAT (IF you do not know what this is.)
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://81.211.105.37...m::/on-line.exe
Optional to check:
RealPlayer and SnagIt do not really need to be running at Startup. These use resources and they can always be opened when needed, rather than at Startup. It is your choice whether or not you want to check these.
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: SnagIt 6.lnk = C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe

If you decide to fix these two items, while still in Safe Mode, open the Task Manager (Ctrl+Alt+Del) and close them if they are running in memory.
Reboot.

Please delete your temporary files by deleting all files and folders that are in those folders (Do not delete the temp folder itself.) -- for example:
C:\WINDOWS\Temp\
C:\Temp\

Also delete the Temporary Internet Files, being sure to also select "Delete All Offline Content".
Please post a fresh HJT log, and let me know how the computer is running now.
MTC: We need to see your HJT log and your StartDreck log. Please post your own topic on Page One of the forum. Thanks.
Microsoft MVP - Consumer Security
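Added example, not code posted by anyone in this thread: a small Python triage for HijackThis 1.97 log lines that applies the checks Bugbatter makes by hand above (R0/R1 values redirected to an obfuscated res:// page, the unnamed O2 BHO that serves that page, and the O16 entry chaining ms-its:/mhtml: to fetch an .exe) and links the hijack DLL to its BHO so the reinfection source stands out. The sample lines are constructed in the shape of the logs posted here; the section tags and the "(obfuscated)" marker are HijackThis's own output format.

```python
import re

# Constructed sample, not the full log: lines copied in the shape of the
# HijackThis 1.97 entries posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NNFKFAA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NNFKFAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {C284D923-BBC4-11D8-81A1-000486C12F81} - C:\WINDOWS\SYSTEM\NNFKFAA.DLL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://81.211.105.37...m::/on-line.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.1.2.149
"""

# Every HJT entry line starts with its section tag (R0, R1, O2, O4, O16, ...).
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# A res:// URL names the DLL whose resource section holds the fake search page.
RES_DLL_RE = re.compile(r"res://(?P<dll>[^/]+\.dll)", re.IGNORECASE)
# ITS/MHTML protocol chaining inside a DPF entry, as in the O16 line above.
ITS_RE = re.compile(r"\b(ms-its|mhtml):", re.IGNORECASE)


def parse_entries(text):
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def basename(path):
    """Upper-cased file name of a Windows path, for case-insensitive matching."""
    return path.strip().rsplit("\\", 1)[-1].upper()


def triage(text):
    """Flag entries the way the thread does and tie the R-hijack DLL to its O2 BHO."""
    entries = parse_entries(text)
    findings = []          # (section, reason, original body)
    hijack_dlls = set()

    # Pass 1: IE search/start-page values redirected into an obfuscated res:// page.
    for sec, body in entries:
        if sec in ("R0", "R1") and "res://" in body.lower() and "(obfuscated)" in body:
            m = RES_DLL_RE.search(body)
            if m:
                hijack_dlls.add(basename(m.group("dll")))
            findings.append((sec, "IE setting redirected to obfuscated res:// page", body))

    # Pass 2: the unnamed BHO that reloads the hijack, and the O16 installer entry.
    for sec, body in entries:
        if sec == "O2" and "(no name)" in body:
            dll = body.rsplit(" - ", 1)[-1]
            if basename(dll) in hijack_dlls:
                findings.append((sec, "unnamed BHO is the same DLL serving the res:// page", body))
            elif "\\WINDOWS\\SYSTEM\\" in dll.upper():
                findings.append((sec, "unnamed BHO in the system folder; verify publisher", body))
        elif sec == "O16" and ITS_RE.search(body):
            findings.append((sec, "DPF chains ms-its:/mhtml: to fetch an .exe (Trojan installer)", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {body}")
```

The Adobe BHO is left unflagged on purpose: an unnamed O2 entry is only suspicious when it lives in the system folder or is the DLL the R entries already point at.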

#13 kfoleyblue (Full Member, 5 posts)
Posted 17 June 2004 - 11:45 AM

Bugbatter,

O4 - Startup: UPDATE (2).pif = G:\UPDATE\TESTUPDA.BAT
This entry is actually a script we run at startup to update the corporate address book for email (no email server here, POP3 accounts instead). :)

I didn't remove this, but I did remove the c:\foo.mht entry in HijackThis and left the others alone.

I also deleted from c:\temp and c:\win\temp and emptied the Recycle Bin. Also deleted Temporary Internet Files with offline files checked.

My latest log file from HijackThis is below.

What are the chances of this thing coming back?

Logfile of HijackThis v1.97.7
Scan saved at 12:44:23 PM, on 6/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE
C:\PROGRAM FILES\TECHSMITH\SNAGIT 6\SNAGIT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: UPDATE (2).pif = G:\UPDATE\TESTUPDA.BAT
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Startup: SnagIt 6.lnk = C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8149.4693055556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = paetec.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.1.2.149

#14 Bugbatter (Trusted Advisor, 939 posts)
Posted 17 June 2004 - 03:22 PM

Nice job! It's looking clean!
Apparently, there was a patch issued to prevent that webpage Trojan from installing, so in order to prevent future infection, here are some simple steps you can take:
1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: <http://v4.windowsupd...en/default.asp>

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to 'Prompt', and "Initialize and script ActiveX controls not marked as safe" to 'Disable'.

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacools...areblaster.html
b. IE/Spyad: http://www.staff.uiu...es/resource.htm
c. Periodically check for updates.

4. Install Spyware Detection and Removal Programs.
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft....ftware/adaware/
b. SpyBot S&D: http://security.koll...n&page=download

Check for updates in Adaware frequently as they sometimes can update daily.
I would check for updates in SpyBot once a week or so.
I scan with each at least weekly.

5. Keep your antivirus software and firewall software up to date.
Note: Zone Alarm Firewall (Zone Labs) http://www.zonelabs....ontent/home.jsp is free.
Microsoft MVP - Consumer Security

#15 dave38 (Emeritus, 8,508 posts)
Posted 03 August 2004 - 02:21 PM

Glad we could help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.