
HJT-austinshadow


1 reply to this topic

#1 austinshadow

austinshadow

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:32 PM

Posted 13 March 2005 - 04:28 PM

Hello everyone. My work computer has somehow contracted the about:blank malware and it is killing my computer (and driving me crazy). This computer is running Windows 98. Not only is the browser hijacked, but it won't let me run or download certain software to get rid of it, and it misdirects my Google links, saying the program has performed an illegal operation, and boots me offline. It has also added an extra 20 or so running processes that are eating up the RAM on my computer, which makes it almost impossible to run any programs because it says the system is dangerously low on resources when I try.
I have followed all of the advice on this site to the letter so far: running Spybot S&D first, then Ad-Aware SE, and last night I even went to the link and followed the process for removing the about:blank malware given on your site by downloading StartDreck and CWShredder. Well, my computer didn't have any of the files mentioned in the StartDreck report, and CWShredder told me my computer was completely clean of the CoolWebSearch malware... and as soon as I tried to log back online - WHAM! - about:blank was staring at me, laughing in my face for my efforts. :thumbsup: Pretty please help me if you can.

Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:01:05 PM, on 3/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\EXPLORER.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GOBACK\GBTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bqpvf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bqpvf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bqpvf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bqpvf.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bqpvf.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {0FF84796-D55D-0207-988D-69D68D1D0117} - C:\WINDOWS\NETUL.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] c:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [GBPoll] c:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\RunServices: [D3LC32.EXE] C:\WINDOWS\D3LC32.EXE
O4 - HKLM\..\RunServices: [JAVAPG.EXE] C:\WINDOWS\JAVAPG.EXE
O4 - HKLM\..\RunServices: [NETIF32.EXE] C:\WINDOWS\NETIF32.EXE
O4 - HKLM\..\RunServices: [SYSAG32.EXE] C:\WINDOWS\SYSTEM\SYSAG32.EXE
O4 - HKLM\..\RunServices: [APIEI.EXE] C:\WINDOWS\SYSTEM\APIEI.EXE
O4 - HKLM\..\RunServices: [APIZG.EXE] C:\WINDOWS\APIZG.EXE
O4 - HKLM\..\RunServices: [ISSVC] "c:\Program Files\Norton Personal Firewall\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [JAVAKD.EXE] C:\WINDOWS\SYSTEM\JAVAKD.EXE
O4 - HKLM\..\RunServices: [IPIH.EXE] C:\WINDOWS\IPIH.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [MFCMM32.EXE] C:\WINDOWS\MFCMM32.EXE
O4 - HKLM\..\RunServices: [ADDBZ32.EXE] C:\WINDOWS\ADDBZ32.EXE
O4 - HKLM\..\RunServices: [IELG32.EXE] C:\WINDOWS\SYSTEM\IELG32.EXE
O4 - HKLM\..\RunServices: [APIYL32.EXE] C:\WINDOWS\SYSTEM\APIYL32.EXE
O4 - HKLM\..\RunServices: [APILC.EXE] C:\WINDOWS\SYSTEM\APILC.EXE
O4 - HKLM\..\RunServices: [IESD32.EXE] C:\WINDOWS\IESD32.EXE
O4 - HKLM\..\RunServices: [WINJH32.EXE] C:\WINDOWS\WINJH32.EXE
O4 - HKLM\..\RunServices: [ATLQE.EXE] C:\WINDOWS\ATLQE.EXE
O4 - HKCU\..\Run: [Norton SystemWorks] "c:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\RunServices: [Norton SystemWorks] "c:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

*crossing my fingers*
THANKS
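As an added illustration of how a log like the one above can be triaged mechanically (example code written for this page, not from the poster or from BleepingComputer), the Python script below parses HijackThis R/O2/O4 lines and flags the patterns that stand out in this log: IE search settings redirected to a res:// URL inside a DLL, a missing URLSearchHook, and BHO or RunServices entries that point at a bare, short-named executable sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM. The "short name directly in the Windows directory" rule and the directory list are heuristics assumed for this example, not HijackThis's own classification; the sample log is a constructed subset of the entries posted above.

```python
import re

# Constructed sample: ten lines in HijackThis v1.99 format, modelled on the
# entry types in the log above (a subset, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bqpvf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {0FF84796-D55D-0207-988D-69D68D1D0117} - C:\WINDOWS\NETUL.DLL
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [D3LC32.EXE] C:\WINDOWS\D3LC32.EXE
O4 - HKLM\..\RunServices: [JAVAPG.EXE] C:\WINDOWS\JAVAPG.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
"""

# One HJT entry: a type code (R0, R1, R3, O2, O4, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# O4 body: hive, run key, [entry name], command line.
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Heuristic (assumed for this example, not an HJT rule): short alphanumeric
# stem, optional "32" suffix, .exe or .dll extension.
BARE_NAME_RE = re.compile(r"^[a-z0-9]{3,8}(32)?\.(exe|dll)$")
# Directories where a vendor-less dropped file lands; vendors use subfolders.
WIN_DIRS = ("c:\\windows\\", "c:\\windows\\system\\")


def parse_hjt(text):
    """Return a list of (type, body) tuples for every HJT entry line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def first_token(cmd):
    """Extract the executable path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def split_path(path):
    """Return (parent dir with trailing backslash, basename), both lower-cased."""
    head, _, base = path.lower().rpartition("\\")
    return head + "\\", base


def triage(entries):
    """Flag entries matching the hijack patterns visible in the log above.

    Returns a list of (type, reason, body). The rules are heuristics written
    for this example; they are not HijackThis's own classification."""
    findings = []
    for etype, body in entries:
        if etype.startswith("R") and "res://" in body.lower():
            # IE search/start page redirected into a resource inside a local DLL.
            findings.append((etype, "IE setting points into a local DLL resource", body))
        elif etype == "R3" and "missing" in body.lower():
            findings.append((etype, "default URLSearchHook has been removed", body))
        elif etype == "O2":
            parent, base = split_path(body.rsplit(" - ", 1)[-1])
            if parent in WIN_DIRS and BARE_NAME_RE.match(base):
                findings.append((etype, "BHO loaded from a bare DLL in the Windows directory", body))
        elif etype == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # Startup-folder entries and other O4 shapes are skipped here
            parent, base = split_path(first_token(m.group("cmd")))
            if m.group("name").lower() == base and parent in WIN_DIRS and BARE_NAME_RE.match(base):
                findings.append((etype, "run entry named after a bare exe in the Windows directory", body))
    return findings


if __name__ == "__main__":
    for etype, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{etype}: {reason}\n    {body}")
```

Run against the sample, the script flags the res:// search-bar entry, the missing URLSearchHook, the NETUL.DLL BHO and the two RunServices entries named after their own executable, while leaving the Norton, mstask and KB891711 lines alone because they either live under a vendor folder or carry a descriptive entry name. Replace SAMPLE_LOG with a pasted log to apply the same rules to a full listing.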

#2 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  • Gender:Male
  • Location:Liverpool
  • Local time:12:32 AM

Posted 16 March 2005 - 07:04 AM

Hi AustinShadow and welcome to Bleeping. :thumbsup:

You have quite a bit of malware on your machine here. First of all I'd like to say that the entries in the StartDreck log are random, which is why you didn't find the about:blank reloader by comparing to other StartDreck logs on the forum. I'll need to see a new StartDreck log in your next reply please. In the meantime, we need to clear up some of the other stuff lurking around in there. Start by updating your Norton virus definitions and then follow the instructions below.

TDS Anti-Trojan
1. Download and install the trial version of TDS-3 Anti-Trojan from here. Don't start the program yet. Update the trojan database by right clicking the link below and selecting 'save as' and save it to the directory where you installed TDS-3, overwriting the previous radius.td3.

http://www.diamondcs.com.au/tds/radius.td3


2. Reboot in safe mode (tap F8 repeatedly on bootup) and launch TDS-3. In the top bar of the TDS window click System Testing > Full System Scan.

3. Detections will appear in the lower pane of the TDS window. When the scan has eventually finished, right click the lower pane and select 'save as txt' to save the 'scandump.txt'. Leaving the program open, copy and paste the contents of scandump.txt into your next reply.

4. After posting the scanlog, right click the lower TDS pane again and select 'delete' to remove everything labelled 'positive identification'.

5. Reboot the machine in Safe Mode again and run a full system scan with your anti-virus program. Copy & paste a summary of its findings in your next reply if it detects anything.

6. Reboot in normal mode and post the TDS log, Norton 'summary', StartDreck log and a fresh HijackThis log for inspection. We'll then see to the about:blank infection.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)



