Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log - brenttharp


  • This topic is locked This topic is locked
2 replies to this topic

#1 brenttharp

brenttharp

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:22 PM

Posted 25 August 2005 - 01:38 PM

Hi. I ran all the typical stuff - Spybot, Ad Aware, MS AntiSpyware, and Ewido, but from the HJT log you can see that the about:blank keeps loading in the registry. Since I don't know anything about what to remove safely, I'm posting the log below - please help!!! Thanks.

p.s. A warning came up on the MS AntiSpyware and I clicked Block, but about:blank still got loaded. I even put it as a blocked site and it still gets reconfigured in my Internet Options. In case any of that info helps.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:29:44 AM, on 8/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\PROGRA~1\CA\SHARED~1\CAM\bin\cam.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINNT\system32\stisvc.exe
C:\SxpInst\sxplog32.exe
C:\Program Files\CA\SharedComponents\DTS\bin\tngdoba.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CA\SharedComponents\DTS\bin\tngdta.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Infotriever\Agent\infoclient.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\UMCSTUB.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINNT\System32\rsvp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\MY DOWNLOADS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\221008~1.COM\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\221008~1.COM\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://comfin.na.setpac.ge.com/pac.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8BDB7A9D-D97A-425E-8A9B-D15D62DE2752} - C:\WINNT\system32\epob.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [CA-AMAgent] C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\221008~1.COM\LOCALS~1\Temp\se.dll,DllInstall
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - d:\lotus\org6\organize\bandobjs.dll
O15 - Trusted Zone: http://capitalallocation.cre.comfin.ge.com
O15 - Trusted Zone: http://crepafriis1.crefs.capital.ge.com
O15 - Trusted Zone: http://egrdashboard.crefs.capital.ge.com
O15 - Trusted Zone: http://egrflash.crefs.capital.ge.com
O15 - Trusted Zone: http://horizon.cf.capital.ge.com
O15 - Trusted Zone: intranet.mmf.capital.ge.com
O15 - Trusted Zone: http://mag.crefs.capital.ge.com
O15 - Trusted Zone: http://portfolioreview.crefs.capital.ge.com
O15 - Trusted Zone: http://ppulse.crefs.capital.ge.com
O15 - Trusted Zone: http://siebel.cef.capital.ge.com
O15 - Trusted Zone: http://siebel.vfs.capital.ge.com
O15 - Trusted Zone: http://teprd.crefs.capital.ge.com
O15 - Trusted Zone: http://ventana.cre.comfin.ge.com
O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.com/downloads/ReadFileApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30EMS - http://mmfmeeting01.ge.com/sametime/stmeet...gRoomClient.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://capquickplace03.ge.com/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - http://mmfmeeting01.ge.com/sametime/stmeet...STJNILoader.cab
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.infotriever.com/bin/ifhelper.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/03a4e4d501eba3...ip/RdxIE601.cab
O16 - DPF: {631F0C94-C02F-40AC-A31B-DDC39731FC81} (Siebel Option Pack for IE 7.0.4) - http://horizon.cf.capital.ge.com/sales/141...lOptionPack.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124295214080
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.infuzer.com/IDC/client/player/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = comfin.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = comfin.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = comfin.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O18 - Filter: text/html - {79E7B912-0580-4544-9375-CEE06655B256} - C:\WINNT\system32\epob.dll
O18 - Filter: text/plain - {79E7B912-0580-4544-9375-CEE06655B256} - C:\WINNT\system32\epob.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINNT\UMCSTUB.EXE
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\PROGRA~1\CA\SHARED~1\CAM\bin\cam.exe
O23 - Service: CA-License Client (CA_LIC_CLNT) - Unknown owner - C:\WINNT\Lic98Rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Unknown owner - C:\WINNT\Lic98RmtD.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: DTS Browser (TNG-DOBA) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\DTS\bin\tngdoba.exe
O23 - Service: DTS Metrics Gatherer (TNG-DTMG) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\DTS\bin\tngdtmg.exe
O23 - Service: DTS Agent (TNG-DTS) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\DTS\bin\tngdta.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe

BC AdBot (Login to Remove)

 


#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,733 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:07:22 PM

Posted 27 August 2005 - 08:53 PM

Hello brenttharp and welcome to BleepingComuter.


You have Microsoft Antispyware running. The MSAS real-time protection can interfer with the fixes we are about to do so we need to disable it for the duration of this cleanup.

Open Microsoft AntiSpyware.
  • Click on Tools, Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup.
  • Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection.
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
To re-enable it, you follow the same steps but check Enable Real-time Protection.


Please download CWShredder.exe to your desktop.
- Run CWShedder.exe.
- Click on Check for Update to be sure you have the most current version.
- Close CWShredder, we will use it later.

Download AboutBuster.zip to your desktop.
- Unzip the contents of AboutBuster.zip to it's own folder.
- Navigate to the AboutBuster folder and double-click on AboutBuster.exe.
- Click Update to begin the update process.
- If any updates exist please install them.
- Close AboutBuster by clicking on Exit. AboutBuster will be used later.

Download CleanUp! and install it.
- Don't run it yet.

Download SpSeHjfix112.zip and unzip it to it's own folder.
- We will use it later.

+++++++

Reboot into Safe Mode.


Run AboutBuster:
- Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
- Click Yes to allow it to shutdown explorer.exe.
- It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
- Reboot your computer into safe mode again

Run AboutBuster again following the same instructions as above, this time without the restart at the end. You should still be in safe mode.

Run CWShredder and click on the Fix button.

Run SpSeHjfix and click on Start Disinfection.
- As part of the cleaning process, it will reboot your machine.
- The tool will create a log of the fix which will appear in the folder that SpSeHjfix is located in.

Start CleanUp! and click on the CleanUp! button.
- Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.
- Exit Cleanup


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\221008~1.COM\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\221008~1.COM\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {8BDB7A9D-D97A-425E-8A9B-D15D62DE2752} - C:\WINNT\system32\epob.dll

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\221008~1.COM\LOCALS~1\Temp\se.dll,DllInstall

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/03a4e4d501eba3...ip/RdxIE601.cab

O18 - Filter: text/html - {79E7B912-0580-4544-9375-CEE06655B256} - C:\WINNT\system32\epob.dll
O18 - Filter: text/plain - {79E7B912-0580-4544-9375-CEE06655B256} - C:\WINNT\system32\epob.dll

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


If not already there, reboot into normal mode.

Please do an online virus scan at two or more of the following sites:
Panda ActiveScan <--Scan 'My Computer'.
TrendMicro Housecall <-- Select 'Complete Scan', then check 'My Computer'.
BitDefender On-Line Virus Scan <-- Accept the defaults.
eTrust <-- 'Cure' whatever is found, then delete if unsuccessful.
Symantec Security Check <-- Run the virus scan.


Post a fresh HJT log along with the SpSeHjfix log.
Derfram
~~~~~~

#3 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,733 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:07:22 PM

Posted 12 September 2005 - 09:42 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users