FENIX about:blank


#1  K3NNY

Posted 14 June 2004 - 12:34 AM

Ok, this is the situation,

:!: It's an about:blank hijacker (search-for). But with the add-on of REBORNING when I turn off my computer. (If I reset, nothing happens.) One more thing, it ain't a search-for for PORN, nor HACKz, WAREz or CRACKz. It's just a normal search-for, with normal searches.

(all programs are in their latest version/reference files)

CWShredder:
none infected

Ad-AWARE 6:
Some "Possible CWS" entries. Not big deal.

HijackThis:
Logfile of HijackThis v1.97.7
Scan saved at 01:22:12 a.m., on 14/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARCHIVOS DE PROGRAMA\OPERA75\OPERA.EXE
C:\WINDOWS\SLRUNDLL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\ESCRITORIO\DESCARGAS\!  HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Archivos de programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: CAMEDIA Master.lnk = C:\Archivos de programa\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Startup: Inicio de Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA.EXE
O4 - Startup: Búsqueda rápida de Microsoft.lnk = C:\Archivos de programa\Microsoft Office\Office\FINDFAST.EXE
O12 - Plugin for .png: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin5.dll
O13 - WWW Prefix: 
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38145.8939583333
I am so fucking tired of erasing the R0/R1/O14 entries. THEY ARE REBORN FROM THEIR ASHES.

Startup List:
StartupList report, 14/06/04, 01:28:36 a.m.
StartupList version: 1.52
Started from : C:\WINDOWS\ESCRITORIO\DESCARGAS\!  STARTUP LIST\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARCHIVOS DE PROGRAMA\OPERA75\OPERA.EXE
C:\WINDOWS\SLRUNDLL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\ESCRITORIO\DESCARGAS\!  STARTUP LIST\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Menú Inicio\Programas\Inicio]
CAMEDIA Master.lnk = C:\Archivos de programa\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
Inicio de Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA.EXE
Búsqueda rápida de Microsoft.lnk = C:\Archivos de programa\Microsoft Office\Office\FINDFAST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SM56ACL = sm56hlpr.exe
ccApp = "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\ARCHIV~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
NPROTECT = C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
LoadQM = loadqm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ccEvtMgr = "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe"
NPROTECT = C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
ScriptBlocking = "C:\Archivos de programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe" -reg

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 13/6/2004, 2:38:8)

[rename]
NUL=c:\windows\temp\sp.html
NUL=c:\windows\cookies\pc@bluestreak[2].txt
NUL=c:\windows\cookies\pc@tribalfusion[1].txt
NUL=c:\windows\cookies\pc@fastclick[2].txt
NUL=c:\windows\cookies\pc@atdmt[2].txt
NUL=c:\windows\cookies\pc@doubleclick[1].txt
NUL=c:\windows\cookies\pc@advertising[1].txt
NUL=c:\windows\cookies\pc@servedby.advertising[1].txt
NUL=c:\windows\cookies\pc@cgi-bin[1].txt
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb la,,C:\WINDOWS\COMMAND\keyboard.sys

--------------------------------------------------


Enumerating Browser Helper Objects:

NAV Helper - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Optimización del inicio de aplicaciones.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38145.8939583333

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 5.368 bytes
Report generated in 0,457 seconds
WTF is WebCheck??? I think the problem is here.

Spybot S&D:
I am now searching...

:!: So, what do you think?
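As an added defender's example (not code from the poster, HijackThis or StartupList), a small Python scanner over HijackThis-style lines that flags the three patterns visible in the log above: R0/R1 hooks pointing at a file:// URL, a Start Page forced to about:blank, and O14 IERESET.INF defaults left blank. The sample lines are constructed from the post's log, with one clean http:// line as a control.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the R0/R1/O14 lines in the log above; the
# http:// and O4 lines are clean controls that must not be flagged.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = file://C:\\WINDOWS\\TEMP\\sp.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.example.com/
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=http://www.example.com/
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
"""

# R0/R1 lines look like:  R1 - <hive\key>,<value name> = <data>
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")
# O14 lines look like:    O14 - IERESET.INF: <NAME>=<data>
O14_LINE = re.compile(r"^O14 - IERESET\.INF: (\w+)=(.*)$")


def classify_line(line: str) -> Optional[str]:
    """Return a reason if the line matches a known hijack pattern, else None."""
    m = R_LINE.match(line)
    if m:
        section, _key, name, data = m.groups()
        data_l = data.strip().lower()
        if data_l.startswith("file://"):
            # A search/start hook should never be a local HTML file.
            return f"{section} {name}: hook points at a local file ({data.strip()})"
        if data_l == "about:blank" and name.strip().lower() == "start page":
            return f"{section} {name}: start page forced to about:blank (suspicious next to file:// hooks)"
        return None
    m = O14_LINE.match(line)
    if m:
        name, data = m.groups()
        if data.strip() == "":
            # Blank reset defaults mean IE's "Reset Web Settings" cannot restore them.
            return f"O14 {name}: IERESET.INF default is blank"
    return None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Scan a whole HijackThis log and return (line, reason) pairs for flagged lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.rstrip()
        reason = classify_line(line)
        if reason:
            findings.append((line, reason))
    return findings
```

Run `scan_log(open("hijackthis.log").read())` on a real log to list only the R0/R1/O14 lines worth a second look; benign O2/O4 entries such as NAV Helper are left alone.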

#2  K3NNY

Posted 14 June 2004 - 02:48 AM

I cleaned the machine with SpyBot S&D but still nothing. I'm almost sure that the webcheck.dll has something to do with it. Any suggestions?

#3  K3NNY

Posted 14 June 2004 - 02:46 PM

:alarm: NEWS:

I've downloaded Spyware Blaster and installed it. BUT, when I try to run the program a warning message appears.

This program has been damaged, possibly by bad sector of the hard drive or a virus. Please reinstall it.

It doesn't matter how many times I reinstall it, that error message still appears.

#4  K3NNY

Posted 14 June 2004 - 08:23 PM

:alarm: NEWS:

Ok, it seems to be gone. It hasn't shown up for a few days. But I still have some questions.

I ran HijackThis and these 2 entries appeared.

O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=

I "fix" them, but if I rerun the program immediately after, THEY ARE THERE AGAIN. So, what's going on with this and the webcheck.dll?????

#5  K3NNY

Posted 16 June 2004 - 12:08 AM

:alarm: NEWS (bad news)

It's still there. Where the F*** does it hide?

PLEASE, I BEG YOU, HEEELLPPP

#6  K3NNY

Posted 17 June 2004 - 06:56 PM

(bump) PLEASE HELP, I can't erase it. I've used AD-AWARE, SpyBot S&D, CWShredder and HijackThis (all of them updated) but still nothing, I just can't get rid of it, HELP!!!!!!!!!

#7  K3NNY

Posted 18 June 2004 - 02:08 AM

Buuuuuumping in the rain :whistle:

#8  K3NNY

Posted 18 June 2004 - 08:01 PM

BUMP & ROLL (please, help)
