about:blank, browser hijacker, SmitFraud C


3 replies to this topic

#1 vaan

vaan

  • Members
  • 10 posts

Posted 07 July 2005 - 03:42 PM

I am furious beyond words right now; I'd love to throw this piece of trash into the ocean after unscrewing the part of the computer holding the motherboard and hard drive and such and slip a few lit M80s in there...

I had typed up an extremely long post of everything I've done to get rid of these problems and how they always come back every time I turn it on, etc... there's no way in **** I'm spending that many hours writing again so I'll just hit a few points.

I have/had Trojan-Spy.HTML.Smitfraud.c, Search.EXE, CoolWebSearch, tracking cookies, Alexa, PSGuard, intel32, and other malware... though I know exactly from what file I got everything: a movie-trailer-that-turned-out-NOT-to-be-a-movie-trailer which was downloaded into a temporary folder so RealPlayer could view it.

I've already followed the tutorials to the letter on how to get rid of SmitFraud C and se.dll / about:blank, yet they remain; I've used HijackThis, CWShredder, Ad-Aware SE, the Panda scanner, TrendMicro HouseCall, FxGaobot, Autoruns, RegSeeker, Netstat in MSDOS, Windows Registry (deleting keys and values and replacing others), Startdreck, Win98Fix, and so much else...

I always Fix what I need to in Autoruns and HijackThis yet they come right back when I reboot the PC.

I have the logs for the Panda scan, Ad-Aware SE, and HijackThis, yet there are some files it refuses to allow me to delete, and I know they are in charge, like se.dll.

I'm not going to repeat (again) exactly which files I've deleted (from Autoruns, HijackThis, Config for Startup, etc.), just the logs from HijackThis and Ad-Aware SE (which SCANS fine but refuses to delete/quarantine anything after I scan my PC).

From HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 4:21:04 PM, on 7/7/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\INTROREG\PIPELINE\REMIND32.EXE
C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D540DD92-EEF0-11D9-9D63-003062302E75} - C:\WINDOWS\SYSTEM\BMKN.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - Startup: Reminder-cpq40301.lnk = C:\Program Files\Introreg\PIPELINE\REMIND32.EXE
O4 - Startup: K6CPU.EXE
O4 - Startup: MINIFERT.PIF = C:\CPQS\TOOLS\MINIFERT.EXE
O4 - Startup: Qrunq.pif = C:\CPQS\TOOLS\QRUNQ.EXE
O4 - Startup: BackWeb.lnk = C:\CPQS\BackWeb\Program\backweb.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Filter: text/html - {D540DD91-EEF0-11D9-9D63-003092E2B002} - C:\WINDOWS\SYSTEM\BMKN.DLL
O18 - Filter: text/plain - {D540DD91-EEF0-11D9-9D63-003092E2B002} - C:\WINDOWS\SYSTEM\BMKN.DLL

From Ad-Aware:

ArchiveData(auto-quarantine- 2005-07-07 15-56-48.bckp)
Referencefile : SE1R53 07.07.2005
======================================================

COOLWEBSEARCH

obj[0]=Process : C:\WINDOWS\TEMP\SE.DLL
obj[2]=RegValue : .DEFAULT\software\microsoft\internet explorer\main "HOMEOldSP"
obj[3]=RegValue : software\microsoft\internet explorer\main "HOMEOldSP"
obj[15]=Regkey : protocols\filter\text/html
obj[16]=Regkey : protocols\filter\text/plain
obj[17]=Regkey : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall
obj[18]=RegValue : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall "UninstallString"
obj[19]=RegValue : protocols\filter\text/html "CLSID"
obj[20]=RegValue : protocols\filter\text/plain "CLSID"
obj[21]=RegValue : software\microsoft\internet explorer\main "Enable Browser Extensions"
obj[22]=RegValue : software\microsoft\internet explorer\main "Use Custom Search URL"
obj[23]=RegValue : software\microsoft\internet explorer\main "Toolbars_Placement"
obj[24]=RegValue : software\microsoft\internet explorer\new windows "PopupMgr"
obj[25]=RegValue : software\classes\protocols\filter\text/html "CLSID"
obj[26]=RegValue : software\microsoft\internet explorer\main "Use Search Asst"
obj[27]=RegData : software\microsoft\internet explorer\main "Use Search Asst"
obj[28]=RegData : software\microsoft\internet explorer\main "Start Page"
obj[29]=RegData : software\microsoft\internet explorer\search "SearchAssistant"
obj[30]=RegData : software\microsoft\internet explorer\main "Use Search Asst"
obj[31]=RegData : software\microsoft\internet explorer\main "Start Page"
obj[32]=File : C:\windows\TEMP\se.dll
obj[33]=File : C:\WINDOWS\wplog.txt

ALEXA

obj[1]=RegValue : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"

DIALER

obj[4]=RegValue : .DEFAULT\software\microsoft\windows\currentversion\run ""
obj[5]=RegValue : software\microsoft\windows\currentversion\run ""

POSSIBLE BROWSER HIJACK ATTEMPT

obj[6]=RegValue : software\microsoft\windows\currentversion\run "sp"

TRACKING COOKIE

obj[7]=IECache Entry : Cookie:matt dinse@apmebf.com/
obj[8]=IECache Entry : Cookie:matt dinse@mediaplex.com/
obj[9]=IECache Entry : Cookie:matt dinse@qksrv.net/
obj[10]=IECache Entry : Cookie:matt dinse@linksynergy.com/
obj[11]=IECache Entry : c:\WINDOWS\Cookies\matt dinse@mediaplex[1].txt
obj[12]=IECache Entry : c:\WINDOWS\Cookies\matt dinse@apmebf[2].txt
obj[13]=IECache Entry : c:\WINDOWS\Cookies\matt dinse@qksrv[2].txt
obj[14]=IECache Entry : c:\WINDOWS\Cookies\matt dinse@linksynergy[1].txt

--------

From Panda scan, showing the files which are infected that my computer REFUSES to let me delete:

Adware:Adware/SearchExe No disinfected ** C:\WINDOWS\SYSTEM\BMKN.DLL

Adware:Adware/SearchExe No disinfected ** C:\WINDOWS\TEMP\SE.DLL

Spyware:Spyware/ISTbar No disinfected ** Windows Registry

Adware:Adware/SearchExe No disinfected ** C:\windows\TEMP\se.dll

Adware:Adware/Startpage.GX No disinfected ** Windows Registry

Adware:Adware/SearchExe No disinfected ** C:\WINDOWS\SYSTEM\bmkn.dll

Adware:Adware/SearchExe No disinfected ** C:\WINDOWS\temp\se.dll

-----

The DLLs I can't delete since they're "in use", even in safe mode. And I can't find those particular Registry values/keys.


So, what to do?
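The indicators in the logs above (a search page served by res:// from a DLL in TEMP, an unnamed BHO, a Run key loading SE.DLL through rundll32, and text/html and text/plain MIME filters) can be checked mechanically. The following Python script is an added example, not code from this thread or from HijackThis; it parses constructed HijackThis-style lines modelled on the log and flags those patterns.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the HijackThis v1.99.1 lines quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D540DD92-EEF0-11D9-9D63-003062302E75} - C:\WINDOWS\SYSTEM\BMKN.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {D540DD91-EEF0-11D9-9D63-003092E2B002} - C:\WINDOWS\SYSTEM\BMKN.DLL
"""

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)   # a DLL living under a temp folder
LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")    # "R1 - ..." / "O4 - ..." records


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, reason) when a HijackThis line matches a hijack indicator, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if value.lower().startswith("res://") and TEMP_DIR.search(value):
            return sec, "search/start URL served from a DLL in a temp directory"
        if value.lower() == "about:blank" and "Search" in key:
            return sec, "search setting forced to about:blank"
    elif sec == "O2" and body.startswith("BHO: (no name)"):
        return sec, "unnamed Browser Helper Object"
    elif sec == "O4" and "rundll32" in body.lower() and TEMP_DIR.search(body):
        return sec, "Run key loads a DLL from a temp directory via rundll32"
    elif sec == "O18" and re.match(r"Filter: text/(html|plain)", body):
        return sec, "MIME filter hooked for text/html or text/plain"
    return None


def flag_hijacks(log: str) -> List[Tuple[str, str, str]]:
    """Run classify() over every line; returns (section, reason, line) for each hit."""
    hits = []
    for line in log.splitlines():
        res = classify(line)
        if res:
            hits.append((res[0], res[1], line.strip()))
    return hits


if __name__ == "__main__":
    for sec, reason, line in flag_hijacks(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Entries that survive a "Fix" and reappear after a reboot, as described above, are the ones to correlate against the O4 Run key and O18 filter lines, since those are what reload the DLL at startup.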

#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 09 July 2005 - 10:15 AM

If you still need help, could you post a fresh log please?

#3 vaan

vaan
  • Topic Starter

  • Members
  • 10 posts

Posted 10 July 2005 - 09:31 AM

I just did a log a few seconds ago and everything was still 'screwed up' even though I had 'fixed' it several times:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:27 AM, on 7/10/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTROREG\PIPELINE\REMIND32.EXE
C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D540DE12-EEF0-11D9-9D63-003083390B8C} - C:\WINDOWS\SYSTEM\BMKN.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - Startup: Reminder-cpq40301.lnk = C:\Program Files\Introreg\PIPELINE\REMIND32.EXE
O4 - Startup: K6CPU.EXE
O4 - Startup: MINIFERT.PIF = C:\CPQS\TOOLS\MINIFERT.EXE
O4 - Startup: Qrunq.pif = C:\CPQS\TOOLS\QRUNQ.EXE
O4 - Startup: BackWeb.lnk = C:\CPQS\BackWeb\Program\backweb.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Filter: text/html - {D540DE11-EEF0-11D9-9D63-003073EB95FB} - C:\WINDOWS\SYSTEM\BMKN.DLL
O18 - Filter: text/plain - {D540DE11-EEF0-11D9-9D63-003073EB95FB} - C:\WINDOWS\SYSTEM\BMKN.DLL

I have also noticed that if I do Ctrl Alt Del, I see anywhere from 1 to 30 iexplore's running in the background with no browser up; I think that is also related.

#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 10 July 2005 - 09:48 AM

=== Step 1 ===
Download: "StartDreck", from here:
http://www.niksoft.at/download/startdreck.htm

Unzip to its own folder and start the program.

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers -> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application).

Post the log in your next response.



