• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
 K3NNY

FENIX about:blank

8 posts in this topic

Ok, this is the situation,

 

:!: Its an about:blank hijacker (search for). But with the addon of REBORNING when I turn off my computer. (If I reset nothing happens). One more thing, it aint a search for PORN, neither HACKz, WAREz or CRACKz. Its just a normal serach for, with normal searches.

 

(all programs are in their lastest version/reference files)

 

CWShredder:

none infected

 

Ad-AWARE 6:

Some "Possible CWS" entries. Not big deal.

 

HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 01:22:12 a.m., on 14/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARCHIVOS DE PROGRAMA\OPERA75\OPERA.EXE
C:\WINDOWS\SLRUNDLL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\ESCRITORIO\DESCARGAS\!  HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Archivos de programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: CAMEDIA Master.lnk = C:\Archivos de programa\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Startup: Inicio de Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA.EXE
O4 - Startup: Búsqueda rápida de Microsoft.lnk = C:\Archivos de programa\Microsoft Office\Office\FINDFAST.EXE
O12 - Plugin for .png: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin5.dll
O13 - WWW Prefix: 
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38145.8939583333

I am so fucking tired of erasing the R0/R1/014 entries. THEY REBORN FROM THEIR ASHES.

 

Startup List:

StartupList report, 14/06/04, 01:28:36 a.m.
StartupList version: 1.52
Started from : C:\WINDOWS\ESCRITORIO\DESCARGAS\!  STARTUP LIST\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARCHIVOS DE PROGRAMA\OPERA75\OPERA.EXE
C:\WINDOWS\SLRUNDLL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\ESCRITORIO\DESCARGAS\!  STARTUP LIST\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Menú Inicio\Programas\Inicio]
CAMEDIA Master.lnk = C:\Archivos de programa\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
Inicio de Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA.EXE
Búsqueda rápida de Microsoft.lnk = C:\Archivos de programa\Microsoft Office\Office\FINDFAST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SM56ACL = sm56hlpr.exe
ccApp = "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\ARCHIV~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
NPROTECT = C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
LoadQM = loadqm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ccEvtMgr = "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe"
NPROTECT = C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
ScriptBlocking = "C:\Archivos de programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe" -reg

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 13/6/2004, 2:38:8)

[rename]
NUL=c:\windows\temp\sp.html
NUL=c:\windows\cookies\pc@bluestreak[2].txt
NUL=c:\windows\cookies\pc@tribalfusion[1].txt
NUL=c:\windows\cookies\pc@fastclick[2].txt
NUL=c:\windows\cookies\pc@atdmt[2].txt
NUL=c:\windows\cookies\pc@doubleclick[1].txt
NUL=c:\windows\cookies\pc@advertising[1].txt
NUL=c:\windows\cookies\pc@servedby.advertising[1].txt
NUL=c:\windows\cookies\pc@cgi-bin[1].txt
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb la,,C:\WINDOWS\COMMAND\keyboard.sys

--------------------------------------------------


Enumerating Browser Helper Objects:

NAV Helper - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Optimización del inicio de aplicaciones.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38145.8939583333

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 5.368 bytes
Report generated in 0,457 seconds

WTF is WebCheck???, I think that here is the problem.

 

Spybot S&D:

I am now searching...

 

:!: So, what do you think?

Share this post


Link to post
Share on other sites

I cleaned the machine with SpyBot S&D but still nothing. Im almost sure that the webcheck.dll has something to do with it. Any sugestions?

Share this post


Link to post
Share on other sites

:alarm: NEWS:

 

I've downloaded Spyware Blaster and installed it. BUT, when i try to run the program a warning message apears.

 

This program has been damaged, possibly by bad sector of the hard drive or a virus. Please reinstall it.

It doesn't matter how many times I reinstall it, it still apears that error message.

Share this post


Link to post
Share on other sites

:alarm:NEWS:

 

Ok, it seams to be gone. It didn't show up since a few days. But I still have some questions.

 

I run HijackThis and this 2 entries appeard.

 

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

 

I "fix" them, but if i rerun the program inmediatelly after THEY ARE THERE AGAIN. So, whats going on with this and the webcheck.dll?????

Share this post


Link to post
Share on other sites

(bump) PLEASE HELP, I can't erase it. I've used AD-AWARE, SpyBot S&D, CWSheddrer and HijackThis (all of them updated) but still nothing, i just cant get rid of it, HELP!!!!!!!!!

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0