Hijack This and About:Blank


9 replies to this topic

#1 Glammy

  • Members
  • 5 posts

Posted 14 February 2005 - 02:28 PM

Hi All,

I'm hoping that somebody will be able to help me out with stopping my PC reverting to the about:blank homepage.

Even though I have removed the about:blank sections in HijackThis, I'm obviously missing the source of it!

Any help will be much appreciated.
Logfile of HijackThis v1.99.0
Scan saved at 7:23:55 PM, on 2/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\BEN\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1EE485A5-7B85-11D9-B492-000FB7F6D9CB} - C:\WINDOWS\SYSTEM\GGLFC.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\Run: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O18 - Filter: text/html - {EE327860-7EAC-11D9-B492-000F92197131} - C:\WINDOWS\SYSTEM\GGLFC.DLL
O18 - Filter: text/plain - {EE327860-7EAC-11D9-B492-000F92197131} - C:\WINDOWS\SYSTEM\GGLFC.DLL




Thanks


#2 SirJon

    Malware Prevention

  • Malware Response Team
  • 230 posts

Posted 14 February 2005 - 10:27 PM

Hello Glammy and Welcome! :thumbsup:
Sorry you're having malware trouble.

Download: "StartDreck", from here

Unzip it to its own folder, name the folder StartDreck and double-click on StartDreck.exe to start the program.

Press Config
Press Unmark All

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running Processes
Press Ok

Press Save and select the location to save the log file
(default is the same folder as the application)

Post the log in this thread for review.

#3 Glammy

  • Topic Starter
  • Members
  • 5 posts

Posted 15 February 2005 - 12:16 PM

Hi SirJon,

Thanks for your reply.

As requested here is the Startdreck log;



StartDreck (build 2.1.7 public stable) - 2005-02-15 @ 17:18:34 (GMT +00:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 5.00.2614.3500
Logged in as Mason at Q5J4K0

»Registry
 »Run Keys
  »Current User
   »Run
    *SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
    *Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
   »RunOnce
  »Default User
   »Run
    *SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
    *Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
   »RunOnce
  »Local Machine
   »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SoundMan=SOUNDMAN.EXE
    *LoadQM=loadqm.exe
    *Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
    *sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    +OptionalComponents
     +IMAIL
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
   »RunOnce
   »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=C:\WINDOWS\SYSTEM\mstask.exe
    *Machine Debug Manager=C:\WINDOWS\SYSTEM\MDM.EXE
   »RunServicesOnce
    **cokq=rundll32 C:\WINDOWS\WINRFP.EXE,DllGetClassObject
   »RunOnceEx
   »RunServicesOnceEx
»Files
»System/Drivers
 »Running Processes
  +FFEF9AF5=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  +FFFFEE11=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  +FFFFD981=C:\WINDOWS\SYSTEM\MPREXE.EXE
  +FFFE3BF1=C:\WINDOWS\SYSTEM\mmtask.tsk
  +FFFE6D2D=C:\WINDOWS\SYSTEM\MSTASK.EXE
  +FFFEB84D=C:\WINDOWS\RUNDLL32.EXE
  +FFFEA9B1=C:\WINDOWS\SYSTEM\MDM.EXE
  +FFFE9229=C:\WINDOWS\EXPLORER.EXE
  +FFE12C35=C:\WINDOWS\TASKMON.EXE
  +FFE11E8D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  +FFE13609=C:\WINDOWS\SOUNDMAN.EXE
  +FFE14CD9=C:\WINDOWS\LOADQM.EXE
  +FFE1B4C1=C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
  +FFE1A2D1=C:\WINDOWS\RUNDLL32.EXE
  +FFE19229=C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
  +FFE1C841=C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
  +FFE3AA61=C:\WINDOWS\SYSTEM\WMIEXE.EXE
  +FFE200D1=C:\PROGRAM FILES\BLUEYONDER IST\BIN\MPBTN.EXE
  +FFE06925=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
  +FFE42409=C:\WINDOWS\SYSTEM\DDHELP.EXE
  +FFE5FE25=C:\MY DOCUMENTS\BEN\STARTDRECK\STARTDRECK.EXE
»Application specific

#4 SirJon

    Malware Prevention

  • Malware Response Team
  • 230 posts

Posted 15 February 2005 - 02:51 PM

Good Job! Thank you for posting the StartDreck log. :thumbsup:

You mentioned:
"Even though I have removed the about:blank sections in hijack this I'm obviously missing the source of it!"
Please don't delete any further entries in HJT unless instructed by a HJT Team member here.

First, let's try to remove as much as we can with a few malware utilities.

Step 1:
Please go to Start, Settings, Control Panel, Add/Remove Programs, and uninstall any unknown or suspicious looking programs and/or toolbars.

Step 2:
Download and install the latest update for your SpySweeper program.
Open the program, click on Options, then Update Definitions, then close.

Please do not run a scan with SpySweeper yet.

Step 3:
Download and install CCleaner here.

Please do not run the CCleaner utility yet.

Step 4:
Download the eScan Antivirus Toolkit here. Save it to the desktop. Before running the program, we need to update the signature files first.

Step 5:
Updating the eScan Antivirus Toolkit with the latest files:
1.) Double-click on the mwav.exe file saved to the desktop; it will extract the program files to a new folder called Kaspersky at the root of the C:\ drive, C:\Kaspersky.
2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\ drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file.
3.) Double-clicking on the kavupd.exe file opens the command prompt (DOS screen) and updates the program with all the latest signature files. By default, the update process creates a folder on the root of the C:\ drive called Downloads. This is where the updated files are placed.
4.) After the update is complete, copy and paste these new updated signature files (from the C:\Downloads folder) to the C:\Kaspersky folder where eScan originally extracted the antivirus program files.

Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Step 6:
Please enable all hidden files and folders in Windows. For instructions click here

Step 7:
Please reboot into Safe Mode. For instructions click here

Step 8:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.
2.) Double-click on the mwavscan.com file; this will open the eScan program.
3.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are checked.
4.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well, and a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
6.) Click the Scan Clean (or Scan) button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed.

Step 9:
From Safe Mode, open SpySweeper. On the LH side, click on Sweep Now, on the RH side click Sweep Options, under What to Sweep:, click Sweep Memory, Sweep Registry, Sweep Cookies, Sweep all User Accounts. Under Where to Sweep, click Sweep All Folders on Selected Drives. Now, back on the LH side click Sweep Now again and click Start.

Step 10:
From Safe Mode, open CCleaner, click on Options, Settings, uncheck the box "Only delete files in Windows Temp folders older than 48 hours", click OK. Using the default settings, click Run Cleaner and let it scan for all files and folders. (You'll see the results in the large Progress window.) Click Exit and reboot the PC. Now all the temp files and folders are clean, even your index.dat files are gone.

Step 11:
Now reboot back into Normal Mode (Windows) and open HijackThis, click on "Do a system scan and save a logfile", copy and paste the entire contents of the logfile here for review.

Edited by SirJon, 15 February 2005 - 02:55 PM.


#5 Glammy

  • Topic Starter
  • Members
  • 5 posts

Posted 19 February 2005 - 07:38 AM

Hi SirJon

Sorry about the delay in posting back.

Unfortunately everything didn't go as planned. When I tried to run mwavscan.com in Safe Mode nothing happened. Double-clicked on the file but it didn't start.

I ran the CCleaner and Spy Sweeper as requested.


Here's the latest HijackThis log.




Logfile of HijackThis v1.99.0
Scan saved at 12:37:36 PM, on 2/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BLUEYONDER IST\BIN\MPBTN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\BEN\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {BC696D26-7F74-11D9-B492-000F5911515F} - C:\WINDOWS\SYSTEM\PJLF.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O18 - Filter: text/html - {E0BE70C0-8272-11D9-B492-000F514AF677} - C:\WINDOWS\SYSTEM\PJLF.DLL
O18 - Filter: text/plain - {E0BE70C0-8272-11D9-B492-000F514AF677} - C:\WINDOWS\SYSTEM\PJLF.DLL



Thanks

#6 SirJon

    Malware Prevention

  • Malware Response Team
  • 230 posts

Posted 19 February 2005 - 12:46 PM

Sorry you're having trouble. :thumbsup:

Right-click on the mwav.exe file, click on Properties and check the size of the file; the complete file should be 9.55 MB. If it is anything less, please try downloading and running the eScan utility again from Safe Mode, carefully following the instructions posted earlier.

Please reboot into Safe Mode. For instructions click here

From Safe Mode, please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {BC696D26-7F74-11D9-B492-000F5911515F} - C:\WINDOWS\SYSTEM\PJLF.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Filter: text/html - {E0BE70C0-8272-11D9-B492-000F514AF677} - C:\WINDOWS\SYSTEM\PJLF.DLL
O18 - Filter: text/plain - {E0BE70C0-8272-11D9-B492-000F514AF677} - C:\WINDOWS\SYSTEM\PJLF.DLL


This is not malware, but an unneeded resource hog; it is safe to delete.
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

From Safe Mode, please delete the following files and/or folders:
Go to Start, Search, For Files or Folders, and type in each file or folder name.

C:\WINDOWS\TEMP\SE.DLL <----Delete this file (If found)
C:\WINDOWS\SYSTEM\PJLF.DLL <----Delete this file

From Safe Mode, copy the contents of the Quote Box to Notepad. Name the file O18fix.reg. Change the Save as Type to All Files, and save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain]


Then double-click on the O18fix.reg file, and when it prompts to merge say Yes. This will clear registry entries left behind by the malware infections.

Now reboot the PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.
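The entries SirJon picks out above (IE search values pointing at about: pages or at a res:// page inside a DLL, a Run key that loads a DLL out of TEMP through rundll32, a nameless BHO, and text/html and text/plain MIME filters pointing at the same DLL as the BHO) form a recognisable pattern. The script below is an added example, not part of the original thread and not HijackThis's own code: it reads a HijackThis 1.99 log in the text form posted in this thread and flags that pattern. The rules, the HIGH/MEDIUM labels and the function names are my own choices, and the sample lines are copied from the 19 February log plus two entries that are normal on this machine, so it runs offline.

```python
"""Flag the about:blank / se.dll hijacker pattern in a HijackThis 1.99 log.

Added example for this thread (not HJT's own code). It only parses the text
form of the log as posted; the rules below are an assumption based on what
the helper in the thread treated as hijacker components.
"""
import re

# Constructed sample: the hijacked entries from the thread's 19 Feb log plus
# two entries that are normal on this Windows 98 box, so there is something
# for the rules to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {BC696D26-7F74-11D9-B492-000F5911515F} - C:\WINDOWS\SYSTEM\PJLF.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O18 - Filter: text/html - {E0BE70C0-8272-11D9-B492-000F514AF677} - C:\WINDOWS\SYSTEM\PJLF.DLL
O18 - Filter: text/plain - {E0BE70C0-8272-11D9-B492-000F514AF677} - C:\WINDOWS\SYSTEM\PJLF.DLL
"""

# One regex per HJT section type used here: R0/R1, O2, O4 (registry Run keys), O18.
R_RE = re.compile(r"^(R[01]) - (HK\w+\\.+?),([^=]+?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[^}]+\} - (.*)$")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
O18_RE = re.compile(r"^O18 - Filter: (\S+) - \{[^}]+\} - (.*)$")
# A Windows DLL path embedded anywhere in a line (also inside a res:// URL).
DLL_RE = re.compile(r'[A-Za-z]:\\[^\s,"/]+?\.dll', re.I)

# IE values the thread's logs show being rewritten by the hijacker (assumption:
# a normal install points these at a search URL, not an about: page).
IE_HIJACK_VALUES = {"Search Bar", "Search Page", "SearchAssistant", "HomeOldSP"}


def analyse(log_text):
    """Return a list of (severity, log_line, reason) for suspicious entries."""
    findings = []
    bho_dlls, filter_dlls = {}, {}   # DLL path (upper-cased) -> log line
    for line in log_text.splitlines():
        line = line.strip()
        if (m := R_RE.match(line)):
            _, _, value, data = m.groups()
            d = data.lower()
            if d.startswith("res://") and ".dll" in d:
                findings.append(("HIGH", line,
                                 "IE search page is served from a resource inside a local DLL"))
            elif d.startswith("about:") and value in IE_HIJACK_VALUES:
                findings.append(("MEDIUM", line,
                                 "IE search value points at an about: page instead of a search URL"))
        elif (m := O2_RE.match(line)):
            name, dll = m.groups()
            bho_dlls[dll.upper()] = line
            if name == "(no name)":
                findings.append(("MEDIUM", line, "Browser Helper Object with no name"))
        elif (m := O4_RE.match(line)):
            _, _, cmd = m.groups()
            c = cmd.lower()
            if "rundll32" in c and "\\temp\\" in c:
                findings.append(("HIGH", line,
                                 "Run key loads a DLL from a TEMP directory via rundll32"))
        elif (m := O18_RE.match(line)):
            mime, dll = m.groups()
            filter_dlls[dll.upper()] = line
            if mime in ("text/html", "text/plain"):
                findings.append(("HIGH", line,
                                 f"MIME filter on {mime}: the DLL sees every page IE renders"))
    # The tell in this thread: the BHO and the MIME filters are the same DLL,
    # whatever random name it carries this boot (GGLFC.DLL, then PJLF.DLL).
    for dll in bho_dlls.keys() & filter_dlls.keys():
        findings.append(("HIGH", bho_dlls[dll],
                         f"same DLL ({dll}) registered as both BHO and MIME filter"))
    return findings


def dll_paths(findings):
    """DLL paths named in the findings: the files to delete after fixing the entries."""
    paths = set()
    for _, line, _ in findings:
        for p in DLL_RE.findall(line):
            paths.add(p.upper())
    return paths


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for sev, line, why in found:
        print(f"[{sev}] {why}\n    {line}")
    print("files to remove after fixing the entries:", sorted(dll_paths(found)))
```

Run it as-is to see the sample log triaged; to use it on a real log, replace SAMPLE_LOG with the file's contents. On the sample it flags nine entries and names exactly the two files SirJon asked to have deleted (SE.DLL in TEMP and PJLF.DLL in SYSTEM), while leaving ScanRegistry and SpySweeper alone. The DLL-name correlation is what survives the renaming between the two posted logs, which is why it is rated HIGH on its own.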

#7 Glammy

  • Topic Starter
  • Members
  • 5 posts

Posted 23 February 2005 - 04:14 PM

Hi,

The Kaspersky program still would not run even though it is the file size stated.

I have fixed the items you suggested and then tried to delete the se.dll and pjlf.dll files. The se.dll file was deleted but the pjlf would not delete as the system said it was in use by windows.

I also tried to copy the quote box as you requested but could not connect to the internet whilst in Safe Mode. If still required I could save it and then copy it in Safe Mode on rebooting.

I then rebooted my pc and was greeted with the following error message.

RUNDLL (name of the message error box)
Error loading c:windows\\temp\se.dll
The system could not find the relevant file



Here's the latest log



Logfile of HijackThis v1.99.0
Scan saved at 9:08:15 PM, on 2/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\BLUEYONDER IST\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\BEN\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmesse...pdownloader.cab

#8 SirJon

    Malware Prevention

  • Malware Response Team
  • 230 posts

Posted 23 February 2005 - 04:47 PM

"I also tried to copy the quote box as you requested but could not connect to the internet whilst in safe mode. If still required i could save it and then copy it in save mode on rebooting."
When creating the O18fix.reg file, there is no need to be in Safe Mode or on the Internet. Try it again by following the instructions carefully.

"Error loading c:windows\\temp\se.dll"
This is due to the O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall entry still existing in the registry.

Please disable SpySweeper in Windows before using HJT. Right-click on the GOLD icon located in the lower RH taskbar, click Close then click ShutDown.

Now close ALL open windows AND browsers and open HijackThis, click on Do a system scan only and put checks next to all the following, then click "Fix Checked"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

"The se.dll file was deleted but the pjlf would not delete as the system said it was in use by windows."
Usually this works in Safe Mode; however, to delete the PJLF.DLL file let's try this:

1.) Please download Pocket Killbox here.
2.) Save it in a permanent folder named KillBox on the root of your C:\drive. Double-click on My Computer; double-click on your hard drive, (usually the C:\drive) right-click on a blank area, choose New, choose Folder, name the folder KillBox. Now, unzip KillBox.exe into this folder.
3.) Double-click on KillBox.exe.
4.) In the Killbox program, select the 'Delete on Reboot' option.
5.) In the field labeled 'Full Path of File to Delete' enter the following file to delete:
(copy the line below and paste it into the box):

C:\WINDOWS\SYSTEM\PJLF.DLL

6.) Press the button that looks like a RED circle with a WHITE X in it. When it asks if you would like to Reboot now, press the YES button. When Killbox asks for another confirmation, press 'YES' again.

Now after the reboot, open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.

Edited by SirJon, 23 February 2005 - 04:50 PM.


#9 Glammy

  • Topic Starter
  • Members
  • 5 posts

Posted 23 February 2005 - 05:05 PM

Hi SirJon,

Latest log as requested. I also checked to see if I could find the PJLF file and it seems to have gone.

Logfile of HijackThis v1.99.0
Scan saved at 10:07:08 PM, on 2/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\BLUEYONDER IST\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\BEN\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackandambers.co.uk/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmesse...pdownloader.cab

#10 SirJon

    Malware Prevention

  • Malware Response Team
  • 230 posts

Posted 23 February 2005 - 06:46 PM

You do nice work! :flowers:
Your log is clean!

A few friendly :thumbsup: tips to tighten security:

1.) Install AVG Antivirus Free Edition here
Keep your AVG Antivirus and all your spyware utilities up to date daily and run a hard drive scan with them once a week.

2.) STOP using Internet Explorer. Malware has gotten smarter these days and has the ability to change your IE security settings behind your back. Download and install Mozilla Firefox here. Firefox weathers the storm of spyware better than IE because it is not integrated into Windows and does not use Active X controls or Browser Helper Objects (BHOs). (These are known targets of malware writers) If you’ve got a few dollars to spare, purchase Opera, you won’t be sorry.

3.) Download and install the free ZoneAlarm firewall here. For proper configuration click here. This program acts as a security gate and can help prevent the penetration of malware onto your system and prevent malware already present on your system from phoning home.

4.) Always make sure you have the latest Windows critical updates installed on your PC. Go to the Start menu, and click on 'Windows Update', it will take you to the Microsoft Windows Update site. If there are new critical updates to install, download them immediately. Once the installation process has completed, reboot your computer.

5.) Are you wondering how you got infected in the first place? For information click here.

Glad I could help you Glammy, Good Luck. :trumpet:



