Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hjt log file - Anita2


  • Please log in to reply
6 replies to this topic

#1 Anita2

Anita2

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:34 AM

Posted 26 June 2005 - 08:10 PM

I have run adaware and spybot search and destroy but I still have cool web search and about blank on my computer.. Please help. Thanks


Logfile of HijackThis v1.99.1
Scan saved at 8:15:49 PM, on 6/26/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\COMMON FILES\SCM\LEDTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PDO DESKTOP\SMARTSYNC.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\CORKBOARD\CORK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAM FILES\JUNO\BIN\JUNO.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {FAABE7D9-E637-11D9-8BCA-4445A7EA7D38} - C:\WINDOWS\SYSTEM\NNDGKJ.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LEDTRAY] C:\PROGRA~1\COMMON~1\SCM\LEDTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SmartSync] C:\PROGRAM FILES\PDO DESKTOP\SmartSync.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: MyCorkboard.lnk = C:\Program Files\Corkboard\CORK.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra button: PhoenixNet - {340a4740-9b1e-11d4-8bc6-ebc25c466b45} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Filter: text/html - {FAABE7D8-E637-11D9-8BCA-4445C8A6D8A3} - C:\WINDOWS\SYSTEM\NNDGKJ.DLL
O18 - Filter: text/plain - {FAABE7D8-E637-11D9-8BCA-4445C8A6D8A3} - C:\WINDOWS\SYSTEM\NNDGKJ.DLL

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:34 AM

Posted 26 June 2005 - 10:23 PM

Hello Anita2,

Download CWShredder at the link below: (don't run it yet)
http://cwshredder.net/bin/CWShredder.exe

Download 'SpSeHjfix'. >>> http://www.derbilk.de/SpSeHjfix109.zip (don't run it yet)

Clean out temporary and Temporary Internet Files.
Go to Start > Run and type in the box: cleanmgr.
Let it scan your system for files to remove.
Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


Make sure you know how to boot into - SafeMode
http://www.computerhope.com/issues/chsafe.htm#02

Reboot into safe mode.

Disconnect from the Internet and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

Now run the CWShredder - Hit The FIX button!

Reboot and repeat the process above.

Reboot and post a fresh Hijackthis log and the 'SpSeHjfix' log.

Edited by SifuMike, 26 June 2005 - 10:28 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Anita2

Anita2
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:34 AM

Posted 27 June 2005 - 07:11 PM

Thank you so much for your quick reply. I did what you recommended and here is my current hijackthis log and spsehjfix log.

Logfile of HijackThis v1.99.1
Scan saved at 7:11:40 PM, on 6/27/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\SCM\LEDTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PDO DESKTOP\SMARTSYNC.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\CORKBOARD\CORK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491;
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LEDTRAY] C:\PROGRA~1\COMMON~1\SCM\LEDTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SmartSync] C:\PROGRAM FILES\PDO DESKTOP\SmartSync.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: MyCorkboard.lnk = C:\Program Files\Corkboard\CORK.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra button: PhoenixNet - {340a4740-9b1e-11d4-8bc6-ebc25c466b45} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab



(6/27/05 6:56:13 PM) SPSeHjFix started v1.09
(6/27/05 6:56:13 PM) OS: Win98 (4.10.67766222)
(6/27/05 6:56:13 PM) Language: english
(6/27/05 6:56:19 PM) Disinfect started
(6/27/05 6:56:19 PM) Bad-Dll(IEP): se.dll
(6/27/05 6:56:19 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\NNDGKJ.DLL
(6/27/05 6:56:19 PM) Searchassistant Uninstaller - Keys Deleted
(6/27/05 6:56:19 PM) UBF: 6
(6/27/05 6:56:19 PM) UBB: 7
(6/27/05 6:56:19 PM) FilterKey: HKCR\text/html (deleted)
(6/27/05 6:56:19 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(6/27/05 6:56:19 PM) FilterKey: HKCR\CLSID\{FAABE7D8-E637-11D9-8BCA-4445C8A6D8A3} (deleted)
(6/27/05 6:56:19 PM) FilterKey: HKCR\text/plain (deleted)
(6/27/05 6:56:19 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(6/27/05 6:56:19 PM) FilterKey: HKCR\CLSID\{FAABE7D8-E637-11D9-8BCA-4445C8A6D8A3} (error while deleting)
(6/27/05 6:56:19 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FAABE7D9-E637-11D9-8BCA-4445A7EA7D38} (deleted)
(6/27/05 6:56:19 PM) BHO-Key: HKCR\CLSID\{FAABE7D9-E637-11D9-8BCA-4445A7EA7D38} (deleted)
(6/27/05 6:56:19 PM) UBR: 22
(6/27/05 6:56:19 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(6/27/05 6:56:19 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(6/27/05 6:56:19 PM) Stealth-String found: C:\WINDOWS\DISPLCY.TXT
(6/27/05 6:56:19 PM) File added to delete: c:\windows\system\nndgkj.dll
(6/27/05 6:56:19 PM) File added to delete: c:\windows\system\nndgkj.dll
(6/27/05 6:56:19 PM) File added to delete: c:\windows\temp\se.dll
(6/27/05 6:56:19 PM) File added to delete: c:\windows\displcy.txt
(6/27/05 6:56:19 PM) Reboot
(6/27/05 6:57:36 PM) SPSeHjFix 2nd Step
(6/27/05 6:57:37 PM) RunServicesOnce-Key: (edited)
(6/27/05 6:57:51 PM) Cleaned


(6/27/05 7:02:30 PM) SPSeHjFix started v1.09
(6/27/05 7:02:30 PM) OS: Win98 (4.10.67766222)
(6/27/05 7:02:30 PM) Language: english
(6/27/05 7:02:35 PM) Disinfect started
(6/27/05 7:02:35 PM) Bad-Dll(IEP): (not found)
(6/27/05 7:02:35 PM) Bad-Dll(IEP) in BHO: (not found)
(6/27/05 7:02:35 PM) UBF: 4
(6/27/05 7:02:35 PM) UBB: 6
(6/27/05 7:02:35 PM) UBR: 21
(6/27/05 7:02:35 PM) Bad IE-pages:
(6/27/05 7:02:35 PM) Stealth-String not found:
(6/27/05 7:02:35 PM) Not infected->END

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:34 AM

Posted 27 June 2005 - 11:49 PM

Hello Anita2,

Looks like most of the infection is gone. :thumbsup: We just have a few items to cleanup.

*******************************************

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.


Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: PhoenixNet - {340a4740-9b1e-11d4-8bc6-ebc25c466b45} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe


*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold (Do not be concerned if they do not exist)

PowerReg Scheduler V3.exe <==file You will have to search for this file. It may be in C:\windows or C:\WINDOWS\system32\


*******************************************

Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner ,(click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues Tab and the Applications Tab. To prevent accidently running the Issues Tab and Applicatons tabs, clear all check boxes are under them.

*******************************************

Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 27 June 2005 - 11:50 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Anita2

Anita2
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:34 AM

Posted 28 June 2005 - 07:38 PM

Thank you so much for all your help!! Things are definately looking better. I haven't had any pop ups and I finally have my home page back.

There are a few things I'm concerned about. When I ran HiJackThis two of the items you told me to delete were no longer showing. I changed my home page back to msn.com and ran adaware last night and it found 2 critical errors which I prompted it to fix so that could be why. I don't know but here are the two items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

Also I didn't find the file PowerReg Scheduler V3.exe to delete it. I found backup-20050628-184326-580PowerReg Scheduler V3.exe but I didn't delete that. Let me know if I should.

Oh and I didn't have the option to deselect 'hide protected operating system files'. I did have the option to 'show all files' under 'hidden files' and I had that checked.

The last thing is when I reboot it tells me it's opening Juno.com and then it'll say 'opening about:blank' but then it goes back to opening Juno. That makes me wonder if something is still there. Or maybe it's always done that and I just haven't noticed.

But all in all the computer seems to working fine.

Here's my new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:21:13 PM, on 6/28/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\SCM\LEDTRAY.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PDO DESKTOP\SMARTSYNC.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\CORKBOARD\CORK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAM FILES\JUNO\BIN\JUNO.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LEDTRAY] C:\PROGRA~1\COMMON~1\SCM\LEDTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SmartSync] C:\PROGRAM FILES\PDO DESKTOP\SmartSync.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: MyCorkboard.lnk = C:\Program Files\Corkboard\CORK.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:34 AM

Posted 28 June 2005 - 09:32 PM

Hi Anita2,

There are a few things I'm concerned about. When I ran HiJackThis two of the items you told me to delete were no longer showing. I changed my home page back to msn.com and ran adaware last night and it found 2 critical errors which I prompted it to fix so that could be why. I don't know but here are the two items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =


That is OK, as those two items were Internet Explorers starting page and search assistant. We were just deleting them for cleanup. :thumbsup:

Also I didn't find the file PowerReg Scheduler V3.exe to delete it. I found backup-20050628-184326-580PowerReg Scheduler V3.exe but I didn't delete that. Let me know if I should.


Again, that is OK. They are gone and not showing in your log. You do not have to do anything else. :flowers:

Oh and I didn't have the option to deselect 'hide protected operating system files'. I did have the option to 'show all files' under 'hidden files' and I had that checked.


Oops! My mistake! :trumpet: I forgot you are running Windows 98. Those instructions were for Windows XP. You did good.

The last thing is when I reboot it tells me it's opening Juno.com and then it'll say 'opening about:blank' but then it goes back to opening Juno. That makes me wonder if something is still there. Or maybe it's always done that and I just haven't noticed.


No, nothing like about:blank is showing in your log.

When Juno starts it probably opens you IE6 browser at the same time. I bet your IE6 browser has about:blank set as the home page address.

Unless you want about:blank as your default homepage, change it something you like.

To set the IE6 default homepage to something else:

Go to IE6, click the "Tools" menu and select "Internet Options."
On the "Internet Options" multi-tabbed dialog box that follows, make sure the "General" tab is selected.
Under "Home page," and put in the Home page address you want it to default to (for example, http://www.google.com).
If you click the "Use Blank" button, it puts in about:blank as you home page. Press OK to close the dialog box.



But all in all the computer seems to working fine.


The log looks clean! :inlove: Good job on the cleanup! :cool:


Please read and follow Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again

Your IE needs updating. Please go to
Microsoft's windows update site
and do all Critical Updates.


You should have a firewall, as that is your first line of defense against malware. Here are 3 free ones available for personal use. I personally use Sygate firewall.

Sygate Personal Firewall

Kerio Personal Firewall

ZoneAlarm

Edited by SifuMike, 28 June 2005 - 09:43 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Anita2

Anita2
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:34 AM

Posted 28 June 2005 - 09:47 PM

Thank you sooooooo much. I'll be sure and tell my friends about bleepingcomputer.com and I'm sure I'll be back. Take care and again..Thanks!!! :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users