
hjt-mwillis


This topic is locked
7 replies to this topic

#1 mwillis

  • Members
  • 4 posts

Posted 13 August 2004 - 02:25 PM

I am running Windows 98.
Browser is being hijacked to "about:blank".
Spy Sweeper keeps prompting me to restore my home page.
I deleted two lines, but they reappear each time I run HJT.



Logfile of HijackThis v1.98.2
Scan saved at 2:50:48 PM, on 6/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\RB.EXE
C:\WINDOWS\START MENU\PROGRAMS\PEST PATROL\PPMEMCHECK.EXE
C:\WINDOWS\START MENU\PROGRAMS\PEST PATROL\PPCONTROL.EXE
C:\WINDOWS\START MENU\PROGRAMS\PEST PATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\INETCNTRL\INETCNTRL.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\CASIO\PC CONNECT FOR CASSIOPEIA\PCLSTART.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {915F98AD-CE2F-43E1-B679-2E361342CBDF} - C:\WINDOWS\SYSTEM\NFN.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [RamBooster2] C:\WINDOWS\SYSTEM\rb.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\WINDOWS\STARTM~1\PROGRAMS\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\WINDOWS\STARTM~1\PROGRAMS\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\WINDOWS\STARTM~1\PROGRAMS\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\SYSTEM\InetCntrl\InetCntrl.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PC Connect for CASSIOPEIA starter.lnk = C:\Program Files\CASIO\PC Connect for CASSIOPEIA\PCLSTART.exe
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/tr...uginstaller.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://radmin.tradebank.com/systemInfo/ScriptX/smsx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05c62104467f6e...tzip/RdxIE2.cab
O18 - Filter: text/html - {02946C25-46F4-4BAE-82AD-7DD20523951E} - C:\WINDOWS\SYSTEM\NFN.DLL
O18 - Filter: text/plain - {02946C25-46F4-4BAE-82AD-7DD20523951E} - C:\WINDOWS\SYSTEM\NFN.DLL
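A small triage script, added here as an illustration (it is not part of the thread and not HijackThis code), that parses entry lines in the format of the log above and flags the patterns a helper looks for in it: a search page pointing at a file under TEMP, an unnamed BHO loaded from the system directory, MIME filters, the broken LSP chain, and a DLL referenced by more than one entry type. The sample lines are copied from the log above; the heuristics are my own assumptions, not HijackThis rules.

```python
import re

# Sample entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {915F98AD-CE2F-43E1-B679-2E361342CBDF} - C:\WINDOWS\SYSTEM\NFN.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O18 - Filter: text/html - {02946C25-46F4-4BAE-82AD-7DD20523951E} - C:\WINDOWS\SYSTEM\NFN.DLL
O18 - Filter: text/plain - {02946C25-46F4-4BAE-82AD-7DD20523951E} - C:\WINDOWS\SYSTEM\NFN.DLL
"""

# "R1 - ..." / "O18 - ..." : entry kind, then the entry body.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# A drive-letter path ending in .dll (non-greedy so the first .dll wins).
DLL_RE = re.compile(r"[a-z]:\\.*?\.dll", re.I)

def parse_hjt(text):
    """Return a list of (kind, body) tuples for every HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def triage(text):
    """Return (kind, reason, body) for entries worth a second look (heuristics are assumptions)."""
    findings = []
    for kind, body in parse_hjt(text):
        low = body.lower()
        if kind == "R1" and "file://" in low and "\\temp\\" in low:
            findings.append((kind, "search/start page points at a file in TEMP", body))
        elif kind == "O2" and "(no name)" in low and "\\windows\\system\\" in low:
            findings.append((kind, "unnamed BHO loaded from the system directory", body))
        elif kind == "O18" and low.startswith("filter:"):
            # A MIME filter DLL sees (and can rewrite) every document of that type.
            mime = re.match(r"Filter: (\S+)", body).group(1)
            findings.append((kind, "MIME filter installed for " + mime, body))
        elif kind == "O10":
            findings.append((kind, "Winsock LSP chain is broken", body))
    return findings

def dll_cross_refs(text):
    """Map each DLL path (lower-cased) to the set of entry kinds that load it, keeping only DLLs used by more than one kind."""
    refs = {}
    for kind, body in parse_hjt(text):
        m = DLL_RE.search(body)
        if m:
            refs.setdefault(m.group(0).lower(), set()).add(kind)
    return {path: kinds for path, kinds in refs.items() if len(kinds) > 1}

if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}: {body}")
    print(dll_cross_refs(SAMPLE_LOG))
```

On the sample above the cross-reference check singles out NFN.DLL, which is loaded both as a BHO and as the text/html and text/plain filter.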


#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,716 posts
  • Gender:Male
  • Location:USA

Posted 13 August 2004 - 04:19 PM

Please follow these steps:

Step 1:

1. Click on Start, then Run and type msinfo32 and press the OK button.
2. Expand the Software Environment section.
3. Expand the System Hooks Section.
4. Look for the entry, which may be listed as:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If you find that file, highlight it with your mouse and click on edit then copy to copy the filename.

Then post that filename with the information in the next step in a reply to this post.

5. Continue to Step 2.

Step 2:

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the unmark all button.

6. Then put checkmarks in the following checkboxes:

Under Registry put a checkmark in the Run Keys checkbox.

Under System/Drivers put a check in the Running Processes checkbox.

7. Press the OK button.

8. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

9. Post a copy of the log as a reply to this post.

#3 mwillis

  • Topic Starter
  • Members
  • 4 posts

Posted 14 August 2004 - 09:32 AM

Thanks. These are the only 2 items listed under System Hooks.


Hook type: CBT
Hooked by: Qdcspi.dll
Application: CSINJECT.EXE
Dll path: C:\WINDOWS\SYSTEM\Qdcspi.dll
Application path: C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE

Hook type: Mouse
Hooked by: Xahook.dll
Application: PSFREE.EXE
Dll path: C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\Xahook.dll
Application path: C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

#4 Grinler

    Lawrence Abrams

  • Admin
  • 43,716 posts
  • Gender:Male
  • Location:USA

Posted 14 August 2004 - 10:11 AM

What about the log from StartDreck?

#5 mwillis

  • Topic Starter
  • Members
  • 4 posts

Posted 14 August 2004 - 12:38 PM

Thanks for your patience.
Here is the log.




StartDreck (build 2.1.7 public stable) - 2004-06-22 @ 13:28:41 (GMT -04:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as PCS Customer at PCS CUSTOMER

»Registry
»Run Keys
»Current User
»Run
*PopUpStopperFreeEdition="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
»RunOnce
»Default User
»Run
*PopUpStopperFreeEdition="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
*QD FastAndSafe=
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
*RamBooster2=C:\WINDOWS\SYSTEM\rb.exe
*PPMemCheck=C:\WINDOWS\STARTM~1\PROGRAMS\PESTPA~1\PPMemCheck.exe
*PestPatrol Control Center=C:\WINDOWS\STARTM~1\PROGRAMS\PESTPA~1\PPControl.exe
*CookiePatrol=C:\WINDOWS\STARTM~1\PROGRAMS\PESTPA~1\CookiePatrol.exe
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Machine Debug Manager=C:\WINDOWS\SYSTEM\MDM.EXE
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*CSINJECT.EXE=C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
*SymTray - Norton SystemWorks=C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
*Nisum=C:\Program Files\Norton Internet Security\NISUM.EXE
*ccPxySvc=C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFCF9781=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFE6319=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE54A9=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEE125=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFEEA0D=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEB969=C:\WINDOWS\SYSTEM\MDM.EXE
+FFFEAA71=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
+FFFD4C55=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
+FFFEE2A1=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
+FFFEC175=C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
+FFFDF1AD=C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
+FFFDA88D=C:\WINDOWS\EXPLORER.EXE
+FFFB5CFD=C:\WINDOWS\TASKMON.EXE
+FFFB449D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFB08C9=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
+FFFB8E29=C:\WINDOWS\SYSTEM\RB.EXE
+FFFB0225=C:\WINDOWS\START MENU\PROGRAMS\PEST PATROL\PPMEMCHECK.EXE
+FFFA45D9=C:\WINDOWS\START MENU\PROGRAMS\PEST PATROL\PPCONTROL.EXE
+FFFA2449=C:\WINDOWS\START MENU\PROGRAMS\PEST PATROL\COOKIEPATROL.EXE
+FFFAFBCD=C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
+FFFAE285=C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
+FFF99579=C:\PROGRAM FILES\CASIO\PC CONNECT FOR CASSIOPEIA\PCLSTART.EXE
+FFF80105=C:\PROGRAM FILES\SYSTEM & INTERNET WASHER\CSERASER.EXE
+FFFBB071=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF57869=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF438ED=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF7E80D=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
+FFF15929=C:\WINDOWS\TEMP\STARTDRECK.EXE
»Application specific

#6 mwillis

  • Topic Starter
  • Members
  • 4 posts

Posted 15 August 2004 - 01:37 PM

I was just checking to see if anybody had any suggestions about the log I attached.
This is a business computer and I would like to have it fixed soon if someone could help. Is there somewhere I could send a donation? I do not expect to get your help for free. Thanks

#7 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 15 August 2004 - 01:59 PM

Grinler is away for the day, so I will get you finished up. :D

I need to see a fresh HJT log though please. :D

#8 Grinler

    Lawrence Abrams

  • Admin
  • 43,716 posts
  • Gender:Male
  • Location:USA

Posted 15 August 2004 - 05:06 PM

Back :thumbsup: Thanks groovicus for taking over while I was away :flowers:

Mwillis can you please just do the following:

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from:

CWShredder Download Site #1

or

CWShredder Download Site #2

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds a new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

A tutorial that goes over this process step by step can be found here:

CWShredder - How to remove CoolWebSearch with CWShredder


Also for information on how to support bleepingcomputer via donations or otherwise you can see this link:

http://www.bleepingcomputer.com/supportus.php



