CSW about:blank



#1 SwirlGirl (Member)

Posted 19 May 2004 - 12:43 PM

I was asked to start a new thread here. This is my new HijackThis log after running Ad-Aware and a reboot:

Logfile of HijackThis v1.97.7
Scan saved at 10:33:25 AM, on 05/19/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CBM.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8122.4887152778
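An added example, not code from this thread or from any of the tools named in it: a small Python check that parses HijackThis R1/O4 lines and flags the about:blank hijacker indicators discussed here (an IE page setting served from a local DLL through res://, a setting forced to about:blank, and an autostart entry that loads a DLL through rundll32). The sample log is constructed: its R1 lines and two O4 lines mirror the log above, and the final rundll32 entry is made up, using the DLL name WDMEEA.DLL that is mentioned later in the thread.

```python
import re

# Constructed sample in HijackThis v1.97 log format. The R1 lines and the first
# two O4 lines mirror the first log in this thread; the last O4 line is made up
# for the example (WDMEEA.DLL is the file name mentioned later in the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CBM.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Hook] rundll32.exe C:\WINDOWS\SYSTEM\WDMEEA.DLL
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RES_DLL_RE = re.compile(r"res://\S*\.dll", re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll)", re.IGNORECASE)


def parse_entries(log_text):
    """Split HJT lines into (kind, key or name, value or command, raw line)."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, the process list and blanks are skipped
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":  # "HKLM\..\Run: [Name] command"
            o4 = O4_RE.search(body)
            key, value = (o4.group("name"), o4.group("cmd")) if o4 else (body, "")
        else:  # R0/R1: "registry key,value name = data"
            key, _, value = body.partition(" = ")
        entries.append((kind, key, value, line.strip()))
    return entries


def suspicious_entries(log_text):
    """Return (raw line, reason) for entries that match the hijacker indicators."""
    flagged = []
    for kind, key, value, raw in parse_entries(log_text):
        reason = None
        if kind.startswith("R"):
            if RES_DLL_RE.search(value):
                reason = "IE page setting served from a local DLL resource"
            elif value.strip().lower() == "about:blank":
                reason = "IE page setting forced to about:blank (%s)" % key.rsplit(",", 1)[-1]
        elif kind == "O4":
            m = RUNDLL_RE.search(value)
            if m:
                reason = "autostart loads a DLL via rundll32: " + m.group("dll")
        if reason:
            flagged.append((raw, reason))
    return flagged
```

Flagged entries are indicators to review against the rest of the log, not a verdict; a legitimate HomeOldSP of about:blank is possible, which is why the thread pairs the R1 lines with a check of the system folder.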

#2 Daemon (Security Expert, Emeritus)

Posted 19 May 2004 - 04:31 PM

Try this.

Click here to download win9xfind.exe. Click unzip and it will install to C:\win9xfind. Open that folder and run the win9xfind.bat in there and it should identify a .dll file in the C:\windows\system directory.

If so, boot into DOS, find that file and delete it. Reboot (you may get an error message like Rundll Error loading c:\windows\system\*****.dll the system cannot find the file specified - if so click OK and reboot again). Let me know what you found and deleted. Rescan with HJT and post a new log so any remnants can be removed.

#3 freeatlast (Retired Staff)

Posted 19 May 2004 - 04:43 PM

wtf? :blink:
1.) This is my Xfind package there, though not applicable to 9X at all!
2.) Whoever packaged it should know that these parameters won't work:
2>&1
And the "string" is N/A (outdated)

Revised:
GoTo:
Start>run>Type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If so, highlight it, use Edit > Copy and post it here.

Next,
Download: "StartDreck", unzip!
*Don't be f00led by the site's 'unique' interface!!!
http://members.black.../startdreck.htm

DoubleClick: 'StartDreck.exe'
Hit: -config
hit: -Unmark all
Check these boxes only:
Registry->run keys
System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!

#4 SwirlGirl (Member)

Posted 19 May 2004 - 04:57 PM

Daemon, thank you for the help! I followed your instructions but only got this in a DOS window:

XFIND Ver. 2.3 © 1990..2001, Horst Schaeffer
Reports all files where given string was found

Syntax: XFIND "string" [path] [file ...] [options]

String: in quote marks and/or decimal ASCII values
linked with plus sign, i.e. "string"+9+"more"
Path: to start search, default current dir
File: file name(s), wildcards allowed, default: *.*
Options:
/C case sensitive search (case ignored by default)
/S include subdirectories
/R report files without given path
/L report LFN's (full path, unless /R)
/".." prefix for output lines

Please advise?
-Chandra

#5 freeatlast (Retired Staff)

Posted 19 May 2004 - 04:59 PM

The instructions above were wrong and not applicable to Win9x!
Please review my previous post and steps!

#6 SwirlGirl (Member)

Posted 19 May 2004 - 05:10 PM

Revised:
GoTo:
Start>run>Type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

I'm not able to expand System Hooks... nothing there.

???


Here's my StartDreck Log anyway:

StartDreck (build 2.1.5 public BETA) - 2004-05-19 @ 15:13:29
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
*Yahoo! Pager=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
»RunOnce
»Default User
»Run
*Yahoo! Pager=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
»RunOnce
»Local Machine
»Run
*WinPatrol="C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
*MMTray=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
*EnsoniqMixer=starter.exe
*Zone Labs Client=C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
*PestPatrol Control Center=C:\PROGRA~1\PESTPA~1\PPControl.exe
*PPMemCheck=C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
*CookiePatrol=C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
*TrueVector=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FFEF7F65=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFE08809=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFE0BF99=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFE0D16D=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
*FFE0D661=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFE1FECD=C:\WINDOWS\EXPLORER.EXE
*FFE29EC9=C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
*FFE2AD61=C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
*FFE2D799=C:\WINDOWS\STARTER.EXE
*FFE2C861=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
*FFE20E85=C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
*FFE238E5=C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
*FFE22595=C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
*FFE3A695=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
*FFE3DA11=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
*FFE3CF99=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
*FFE58835=C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
*FFE34F19=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFE50525=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
*FFE56EF5=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
*FFE707F1=C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
*FFE891E9=C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
*FFE8D3C1=C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
*FFE86091=C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
*FFE81F89=C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
*FFEA11ED=C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
*FFEBB625=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFEBE425=C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
*FFE96161=C:\WINDOWS\SYSTEM\WINOA386.MOD
*FFE60BCD=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
*FFEF4859=C:\PROGRAM FILES\MICROSOFT WORKS\MSWORKS.EXE
*FFEE5E9D=C:\WINDOWS\MSAGENT\AGENTSVR.EXE
*F4512971=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE
*FFEA3705=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
»Application specific


Thank you,
Chandra

#7 freeatlast (Retired Staff)

Posted 19 May 2004 - 05:21 PM

If there is nothing listed in System hooks, And also according to
your current log, you don't have the same 'about blank' problem.

In any case, I suggest you download this fix:
-Download: "Win98Fix.zip", Unzip!
From:
http://www10.brinkst...last/pvtool.htm
-DoubleClick on: 'RunFix.reg' file, hit 'yes'
on the prompt!
-Restart computer!

After restart DoubleClick on the included
"who.bat", file
"Badfile.txt" should be created. Open and post it (unless empty)!

If so, restart your computer in Safe Mode, find and delete:
CBM.DLL from System folder.
Run CWShredder again.

To fix all other problems:
http://www.lavasoftu...ftware/adaware/
Download, install, run, update before the scan, select 'customise'
options, select your drive, scan and fix all found problems.

Post another log when done!

#8 SwirlGirl (Member)

Posted 19 May 2004 - 07:30 PM

Alas, I'm back. The badfile was empty. I rebooted in safe mode but couldn't find CBM.DLL anywhere. CWShredder found nothing and my PC froze in the middle of the Ad-Aware scan and then did the same twice again after reboots in safe mode. I ended up running the scan in normal mode and it also found nothing! :blink:
Something tells me that I'm not in the clear yet. What do you think? HijackThis log?

-Chandra

Edited by SwirlGirl, 19 May 2004 - 07:31 PM.


#9 freeatlast (Retired Staff)

Posted 19 May 2004 - 08:51 PM

Yup, post fresh hijackthis log!
I think you have a bad BHO, that's all.

#10 freeatlast (Retired Staff)

Posted 19 May 2004 - 10:35 PM

I just spotted your post here:

http://www.spywarein...st=0

That's your bad file, identical to my sample's properties!
Looks like it was not installed properly.

Go to the same page you downloaded my fix
from and submit it there by
clicking on the files for submissions!
It will open your email client; navigate to the file and
add it as an attachment! Thanks ;)

When done, go ahead and delete that file!

#11 SwirlGirl (Member)

Posted 19 May 2004 - 10:39 PM

Glad to see you're still here! Here's a fresh one, am I all clear?

Logfile of HijackThis v1.97.7
Scan saved at 8:38:32 PM, on 05/19/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8122.4887152778

I'll be checking in, thank you so much for your help! -Chandra

#12 freeatlast (Retired Staff)

Posted 19 May 2004 - 11:54 PM

Looks ok now! :)
Were you able to get rid of the 'WDMEEA.DLL' file?

#13 SwirlGirl (Member)

Posted 20 May 2004 - 12:15 AM

It seems so. It doesn't show up when I do a Find Files or Folders from the Start menu. But I don't know at what point I removed these files (if I have), so I'm a bit paranoid that they're just lurking until I log on to my bank accounts. :unsure: I'll keep running the scans for a few more days just to be sure.
Thank you so much for your help,
-Chandra
;)



