
help!


1 reply to this topic

#1 nmdamgud

nmdamgud

  • Members
  • 357 posts
  • OFFLINE
  • Location:santa fe, new mexico

Posted 20 March 2005 - 01:49 AM

hiya, kids. below is the hjt for a good friend...it's off his computer. i will have him register an account asap...but he's not available to do so right now. i've just installed adaware and spybot s&d and run scans on both, 84 items on one; 189 on the other! guess there's just a leeeeetle problem here! anyway, here's his hjt log. i'm going to check this from my house/puter and print the instructions. it'll be almost a week before i can get back over here again to do the homework you assign!

as ALWAYS, guys...ty SOOO much!


Logfile of HijackThis v1.99.1
Scan saved at 11:42:58 PM, on 3/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\America Online 8.0a\aol.exe
C:\Program Files\America Online 8.0a\waol.exe
C:\Program Files\America Online 8.0a\aolwbspd.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMUpdateMgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Toney\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Toney\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {89795B59-8CD2-4B00-8F8D-2592C77A63A2} - C:\WINDOWS\System32\bbao.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [zqmjedx] c:\windows\system32\zqmjedx.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Toney\LOCALS~1\Temp\se.dll,DllInstall
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.4.31/ca...a-ob-assets.cab
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} - http://www.movie-browser.com/tl7000.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EF6E3B5-6C9D-4F6D-83D3-3248DF6AF831}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EF6E3B5-6C9D-4F6D-83D3-3248DF6AF831}: NameServer = 205.188.146.145
O18 - Filter: text/html - {EF411530-1B99-4913-B6BF-531892A325B8} - C:\WINDOWS\System32\bbao.dll
O18 - Filter: text/plain - {EF411530-1B99-4913-B6BF-531892A325B8} - C:\WINDOWS\System32\bbao.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Edited by nmdamgud, 20 March 2005 - 02:31 AM.




#2 Efwis

Efwis

    The Spyware Killing Dragon


  • Members
  • 59 posts
  • OFFLINE
  • Location:Iowa, USA

Posted 20 March 2005 - 08:29 PM

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingcomputer.com/forums/ind...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean up the leftovers

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Toney\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Toney\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {89795B59-8CD2-4B00-8F8D-2592C77A63A2} - C:\WINDOWS\System32\bbao.dll
O4 - HKLM\..\Run: [zqmjedx] c:\windows\system32\zqmjedx.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Toney\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {EF411530-1B99-4913-B6BF-531892A325B8} - C:\WINDOWS\System32\bbao.dll
O18 - Filter: text/plain - {EF411530-1B99-4913-B6BF-531892A325B8} - C:\WINDOWS\System32\bbao.dll


Then delete the following files (if they exist):

C:\DOCUME~1\Toney\LOCALS~1\Temp <--do not delete the folder itself just all info in it.
C:\WINDOWS\cerbmod.dll
C:\WINDOWS\System32\bbao.dll
c:\windows\system32\zqmjedx.exe
C:\sp <--maybe in program files or common files if not a separate directory

Reboot into normal mode (simply restart your computer as you normally would), and run the following free, online virus scans:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/co...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.
if you like what I have done please consider making a donation to help fight spyware
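Added example, not part of this thread and not code from HijackThis: a small Python script that applies the traits shared by the entries Efwis marked for fixing (IE search/start pages reset to about:blank or loaded from a DLL resource in Temp, an unnamed BHO under \WINDOWS, a Run key invoking rundll32 on that Temp DLL, and O18 MIME filters on text/html and text/plain) to HijackThis log lines. The sample input is seven lines copied from the log posted above; the trait rules are my own heuristics and are assumptions, not anything HijackThis itself reports.

```python
import re

# Constructed sample: seven lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Toney\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {89795B59-8CD2-4B00-8F8D-2592C77A63A2} - C:\WINDOWS\System32\bbao.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Toney\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {EF411530-1B99-4913-B6BF-531892A325B8} - C:\WINDOWS\System32\bbao.dll
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O18, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")

def parse_entry(line):
    """Split one log line into (kind, body); return None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None

def reasons_for(kind, body):
    """Heuristic (assumed) traits that make an entry look like this about:blank / se.dll hijacker."""
    reasons = []
    low = body.lower()
    if kind in ("R0", "R1"):
        if low.endswith("= about:blank"):
            reasons.append("IE search/start page reset to about:blank")
        if "res://" in low and "\\temp\\" in low:
            reasons.append("IE page served from a DLL resource in the Temp folder")
    if kind == "O2" and low.startswith("bho: (no name)") and "\\windows\\" in low:
        reasons.append("unnamed BHO loaded from the Windows directory")
    if kind == "O4" and "rundll32" in low and "\\temp\\" in low:
        reasons.append("Run key starts a DLL from Temp via rundll32")
    if kind == "O18" and re.match(r"filter: text/(html|plain)", low):
        reasons.append("MIME filter on text/html or text/plain can rewrite every page IE renders")
    return reasons

def scan_log(text):
    """Return [(kind, body, reasons)] for every entry matching at least one trait."""
    found = []
    for kind, body in filter(None, map(parse_entry, text.splitlines())):
        reasons = reasons_for(kind, body)
        if reasons:
            found.append((kind, body, reasons))
    return found

if __name__ == "__main__":
    for kind, body, reasons in scan_log(SAMPLE_LOG):
        print(f"{kind}: {body}\n    -> {'; '.join(reasons)}")
```

Legitimate entries such as the Adobe BHO and the Symantec vptray Run key pass through unflagged, which is the point: the rules key on where a component lives and what it hooks, not on its name.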



