about blank home page

vanagon40 Indiana Member
edited May 2004 in Spyware & Virus Removal
I am running windows 98 on a 5 year old machine. I have the about blank problem.

I have tried the fix from computer cops (posted in response to others), but run into the following problems:

"Run CWShredder . . . Then copy the contents of the quote box to Notepad"

I do not get a quote box. I am running CWShredder file version 1.57.


"To uninstall the secret reinstaller do this . . . "

I navigate to HKEY_LOCAL_MACHINE\software\microsoft\windows NT\CurrentVersion but in that folder there is no Windows folder. The only folders in the CurrentVersion folder are "drivers.desc" and "drivers32"

Needless to say, I am unable to follow the instructions and therefore remove this bug.

Thanks for any help.

Comments

  • vanagon40 Indiana Member
    edited May 2004
    I had (or have) the about:blank trojan

    I ran CWShredder and hijack this (removing the "about:blank" stuff), and thought I was clean. But, when I type in an invalid web address in IE, I get rerouted to garbage (usually to http://morgen.cc/index.php?aid=20038)

    CWShredder says I'm clean.

    Here is my most recent hijack this log

    Logfile of HijackThis v1.97.7
    Scan saved at 11:00:07 AM, on 5/6/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\OTHER PROGRAMS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web2.westlaw.com/signon/default.wl
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38093.6087962963
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1907d69a6f1406f90216/netzip/RdxIE601.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_4_0/controls/ybrequest.cab



    Any suggestions?
    (This is not the machine that I had the Sasser Worm, nor is it networked to that computer).
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Try CWShredder, and if that doesn't work, try following the instructions in this thread.
  • vanagon40 Indiana Member
    edited May 2004
    I have run CWShredder and it says I'm clean.

    With regard to the fix posted in the other link, I have no "Windows" folder in the "CurrentVersion" folder. In other words, my path dead ends at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

    In the CurrentVersion folder are two other folders, "drivers.desc" and "Drivers32." There is also a box with the letters "ab" followed by "(default)"

    Other suggestions?
  • Dexter Vancouver, BC Canada
    edited May 2004
    I think by "quote box" they mean the main dialog box of the program. You can highlight text inside the main program box, and copy and paste from there.


    Can you post your Hijack This log for review?

    Also, because you are running Windows 98, the Reg Key will be different, as that fix was for people running XP. I think yours will be under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Windows

    Or something similar. I don't have a Win98 machine available to check that on though. What you could do is search the Registry (Edit -> Find) for the value:

    AppInit_Dlls

    You may get a couple of matches, so check each of them using the technique in the post you have already tried.

    Dexter...
  • vanagon40 Indiana Member
    edited May 2004
    I've still got the about:blank trojan. Anyone have any suggestions?
  • Dexter Vancouver, BC Canada
    edited May 2004
    You have started 2 threads on this same topic. Please stick to one thread for one topic. I have merged the 2 threads into one. See my reply above which has been merged from the other thread. The instructions may not work for you because they were written for Windows XP, not 98, and your Reg keys will be different.

    Dexter...
  • vanagon40 Indiana Member
    edited May 2004
    What you could do is search the Registry (Edit -> Find) for the value:

    AppInit_Dlls

    I did and got no matches.
  • vanagon40 Indiana Member
    edited May 2004
    Here's the deal: the about:blank hijacker reloads itself every day under a new name. This is really long, but I wanted to include all the information I have gathered regarding this hijack. I am running Windows 98.

    I tried to remove the problem yesterday.

    This morning, BOONCAA.dll was put in the C:\WINDOWS\SYSTEM folder as soon as I ran IE.

    I did a registry search for “booncaa” and found it in:

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{940CF161-A335-11D8-962B-0050925528BF}\InProcServer32\\(default)

    The value was “C:\WINDOWS\SYSTEM\BOONCAA.DLL”

    and

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{940CF162-A335-11D8-962B-00506287B6C8}\InProcServer32\\(default)

    The value was “C:\WINDOWS\SYSTEM\BOONCAA.DLL”

    About:blank was the value for:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\HOMEOldSP
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\main\\Start Page
    And
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\main\\HOMEOldSP


    Yesterday, the offender was ghifkoo.dll and I found “C:\WINDOWS\SYSTEM\GHIFKOO.DLL” as the value in:

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{24B78341-A266-11D8-962B-00509A2AFB42}\InProcServer32\\(default)

    Without performing cleaning or other scans, I ran a hijack this scan which produced the following log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:01:36 AM, on 5/11/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\WINWORD.EXE
    C:\OTHER PROGRAMS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {940CF162-A335-11D8-962B-00506287B6C8} - C:\WINDOWS\SYSTEM\BOONCAA.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38093.6087962963
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1907d69a6f1406f90216/netzip/RdxIE601.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    I then rebooted in the Safe Mode and performed the following:

    Ran CWShredder, SCAN only. Got the following results:

    CWShredder v1.57.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfo.com/~merijn/files/hijackthis.zip

    Windows 98 (4.10.1998 )
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system
    AppData folder: C:\WINDOWS\Application Data
    Username:

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    Infected data: res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    Infected data: res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
    Hosts file not present
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (8550 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2214 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT –

    I then ran CWShredder twice more to fix the problems. The last time showed a clean system.

    I then ran Ad-Aware, which produced the following log:

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Tuesday, May 11, 2004 11:15:42 AM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R303 08.05.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    5-11-04 11:15:42 AM - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [kernel32.dll]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4279208763
    Threads : 4
    Priority : High
    FileSize : 460 KB
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    Copyright : Copyright (C) Microsoft Corp. 1991-1998
    CompanyName : Microsoft Corporation
    FileDescription : Win32 Kernel core component
    InternalName : KERNEL32
    OriginalFilename : KERNEL32.DLL
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 1/1/01
    Last accessed : 5/11/04 5:00:00 AM
    Last modified : 5/12/98 12:01:00 AM

    #:2 [msgsrv32.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294959071
    Threads : 1
    Priority : Normal
    FileSize : 11 KB
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    Copyright : Copyright (C) Microsoft Corp. 1992-1998
    CompanyName : Microsoft Corporation
    FileDescription : Windows 32-bit VxD Message Server
    InternalName : MSGSRV32
    OriginalFilename : MSGSRV32.EXE
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 1/1/01
    Last accessed : 5/11/04 5:00:00 AM
    Last modified : 5/12/98 12:01:00 AM

    #:3 [mprexe.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294953039
    Threads : 1
    Priority : Normal
    FileSize : 28 KB
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    Copyright : Copyright (C) Microsoft Corp. 1993-1998
    CompanyName : Microsoft Corporation
    FileDescription : WIN32 Network Interface Service Process
    InternalName : MPREXE
    OriginalFilename : MPREXE.EXE
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 1/1/01
    Last accessed : 5/11/04 5:00:00 AM
    Last modified : 5/12/98 12:01:00 AM

    #:4 [explorer.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 4294862955
    Threads : 5
    Priority : Normal
    FileSize : 176 KB
    FileVersion : 4.72.3110.1
    ProductVersion : 4.72.3110.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1997
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft(R) Windows NT(R) Operating System
    Created on : 5/12/98 12:01:00 AM
    Last accessed : 5/11/04 5:00:00 AM
    Last modified : 5/12/98 12:01:00 AM

    #:5 [spool32.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294714415
    Threads : 3
    Priority : Normal
    FileSize : 44 KB
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    Copyright : Copyright (C) Microsoft Corp. 1994 - 1998
    CompanyName : Microsoft Corporation
    FileDescription : Spooler Sub System Process
    InternalName : spool32
    OriginalFilename : spool32.exe
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 1/1/01
    Last accessed : 5/11/04 5:00:00 AM
    Last modified : 5/12/98 12:01:00 AM

    #:6 [ad-aware.exe]
    FilePath : C:\OTHER PROGRAMS\AD-AWARE 6\
    ProcessID : 4294788563
    Threads : 3
    Priority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 5/7/04 4:05:43 PM
    Last accessed : 5/11/04 5:00:00 AM
    Last modified : 7/13/03 2:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"

    Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_USERS
    Object : .Default\Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 3
    Objects found so far: 4


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 5


    11:17:41 AM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:01:59:250
    Objects scanned :36447
    Objects identified :5
    Objects ignored :0
    New objects :5

    I removed the items and ran Ad-Aware again, finding another item (only partial log displayed):

    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1

    I ran Ad-Aware twice more, finding nothing new.

    I then ran Spybot, result—System Clean.

    Finally, I ran hijack this again, and produced the following log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:43:22 AM, on 5/11/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\OTHER PROGRAMS\HIJACKTHIS.EXE

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38093.6087962963
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1907d69a6f1406f90216/netzip/RdxIE601.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    I made no changes.

    I checked for BOONCAA.dll in the C:\WINDOWS\SYSTEM folder and it was gone. A search of the C drive returned no instances of “BOONCAA”.

    I rebooted normally.

    My home page was reset to the MSN default. BOONCAA was not reloaded to my system folder.

    A registry search found “booncaa” as the value in:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU\\f

    That folder also had the following values for other items:

    a = [empty]
    b = dfsflkjis.dll
    c = comaedas.dll
    d = porn
    e = sex
    f = ncaa
    g = youbet
    h = spy
    i = shopnav
    j = morgen



    I did a complete registry search for “AppInit” and found nothing.

    My browser now works fine except that when I type in an incorrect URL I am redirected to http://th.msie.cc/index.php?aid=20038

    BUT, this problem will reload after 12 to 24 hours. This is my work computer, so it will run the same all day today, but the offending dll will be reloaded tomorrow as soon as I open IE. It will have a new name.

    Obviously, I need to find the hidden reloader and delete it. However, I have no idea where to look or how to find it.

    I apologize for taking up so much space, but wanted to provide sufficient information for someone (anyone) to help. PLEASE. This is driving me insane.

    HELP……
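As an added example (not the thread's own material, nor code from HijackThis) of turning the pattern this post documents into a check: the script below reads HJT log lines in the R0/R1 and O2 formats shown above, flags IE values reset to about:blank or pointed at a res:// DLL, correlates them with any unnamed O2 BHO loading from C:\WINDOWS\SYSTEM, and lists the CLSID\...\InProcServer32 keys to inspect, which is where this post found BOONCAA.DLL registered. The sample lines are copied from the 5/11/04 log above; the regexes assume that log layout.

```python
"""Triage HijackThis (v1.97-era) log lines for the CoolWebSearch about:blank
pattern documented in this thread.  Added example, not part of the thread or
of HijackThis itself.  The line formats assumed are the ones visible in the
posted logs: R0/R1 entries for IE registry values, O2 entries for BHOs."""
import re

# Constructed sample input: lines copied from the 5/11/04 HijackThis log
# posted above, trimmed to the entry types the triage looks at.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BOONCAA.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {940CF162-A335-11D8-962B-00506287B6C8} - C:\WINDOWS\SYSTEM\BOONCAA.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# "R1 - HKCU\...\Main,Search Bar = <data>"
R_ENTRY = re.compile(r"^R[01] - (?P<key>HK\w+\\.+?),(?P<value>[^=]+?) = (?P<data>.*)$")
# "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_ENTRY = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# CWS serves its fake search page out of a local DLL's resource section.
RES_DLL = re.compile(r"^res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
# Win9x keeps system binaries in C:\WINDOWS\SYSTEM (SYSTEM32 on NT-based Windows).
SYSTEM_DIR = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM(32)?\\(?P<file>[^\\]+)$", re.IGNORECASE)


def triage(log_text):
    """Return the hijacked IE values, the DLLs they reference, the BHOs worth
    checking, and the CLSID registry keys that register those BHOs."""
    hijacked, res_dlls, bhos = [], set(), []
    for line in log_text.splitlines():
        m = R_ENTRY.match(line.strip())
        if m:
            data = m.group("data")
            res = RES_DLL.match(data)
            if res:
                # Compare on the basename: the directory is always the same, only
                # the random name changes from day to day (BOONCAA, GHIFKOO, ...).
                res_dlls.add(res.group("dll").rsplit("\\", 1)[-1].upper())
                hijacked.append({"key": m.group("key"), "value": m.group("value"),
                                 "data": data, "reason": "res:// into local DLL"})
            elif data.lower().startswith("about:blank"):
                hijacked.append({"key": m.group("key"), "value": m.group("value"),
                                 "data": data, "reason": "about:blank"})
            continue
        m = O2_ENTRY.match(line.strip())
        if m:
            bhos.append(m.groupdict())

    suspects, keys = [], []
    for bho in bhos:
        sysfile = SYSTEM_DIR.match(bho["path"])
        # A BHO with no registered name whose DLL sits in the system directory
        # is the shape of the hijacker's loader; a vendor BHO under Program
        # Files (Acrobat here) is left alone even though it is also unnamed.
        if bho["name"] != "(no name)" or not sysfile:
            continue
        suspect = dict(bho)
        suspect["matches_res_dll"] = sysfile.group("file").upper() in res_dlls
        suspects.append(suspect)
        # The InProcServer32 (default) value is where the post's author found the
        # DLL path registered; the CLSID comes straight from the O2 line.
        keys.append(r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\%s\InProcServer32"
                    % bho["clsid"])
    return {"hijacked_values": hijacked, "res_dlls": res_dlls,
            "suspect_bhos": suspects, "registry_keys_to_check": keys}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for h in report["hijacked_values"]:
        print("hijacked: %s,%s = %s  [%s]" % (h["key"], h["value"], h["data"], h["reason"]))
    for b in report["suspect_bhos"]:
        flag = "confirmed by res:// reference" if b["matches_res_dll"] else "unconfirmed"
        print("suspect BHO %s -> %s (%s)" % (b["clsid"], b["path"], flag))
    for k in report["registry_keys_to_check"]:
        print("inspect:", k)
```

Because the check keys on location and correlation rather than on the DLL name, it still fires after the daily rename this post describes.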
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    This sounds like the dreaded CWS blank trojan that's mutating faster than people can find solutions for removing it. Try this thread over at Spywareinfo. It seems to offer the best hope for removing this beast.
  • vanagon40 Indiana Member
    edited May 2004
    Thanks for the suggestion Mr. Kwitko, but as noted in the final post in that thread:
    None of the steps posted here is applicable to winME or 98!
    ***Only 2K/XP!!!***

    I'm running 98.

    I have searched and searched for a solution to a Windows 98 problem, but still having no success.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    <s>Look on page 3 of that thread, 3rd post down. The method should work the same regardless of OS.</s>

    I found the Win9x solution:
    A few facts before we "break the Champagne" here:
    Win95/98 and ME don't use the AppInit_Dlls value,
    nor do they have this key!
    1.)
    For these operating systems, all you have to do is
    start in safe mode.
    Run HijackThis then, or open your:
    HKLM\.......Runservicesonce key, and it should
    point to the offending Dll.
    It can be conveniently deleted.

    5th page, last post.
  • Dexter Vancouver, BC Canada
    edited May 2004
    Good find Mr. Kwitko!

    Dexter...
  • vanagon40 Indiana Member
    edited May 2004
    Yeah, I'd seen that too.

    I cannot see anything in the hijack log that looks like the offending dll, nor could I find anything in the

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce folder, or for that matter the Run, RunOnce, RunOnceEx, or RunServices folders.

    The only thing in the RunServicesOnce folder was an "ab" {default} box with the value being blank.

    Am I overlooking something?
  • Dexter Vancouver, BC Canada
    edited May 2004
    Ok... you say this is a work computer. Does anyone else use it besides you? When you go home at night does someone come in and use it in the evening?

    Let's clean a couple of unnecessary items from your list:

    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

    Also, you can disable this one:

    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

    *IF* you are not using the computer to debug MS Visual Studio program scripts. See the following link:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;321410



    One more thing I would like to see is your StartUp list from HJT. Run HJT, and click on CONFIG, then MISC TOOLS. Turn on the checkboxes "List also minor sections" and "List empty sections", then click Generate StartupList Log. Copy and paste the resulting file here. Something in your startup routine has to be generating this, so let's look at the whole list. It will be long, but don't worry about it. If it is too long to post the text due to the board's character limit, then attach the text file instead.

    Dexter...
  • vanagon40 Indiana Member
    edited May 2004
    Here is my start-up log from HJT. More details about the bug are in my next post.

    StartupList report, 5/12/04, 11:05:15 AM
    StartupList version: 1.52
    Started from : C:\OTHER PROGRAMS\HIJACKTHIS.EXE
    Detected: Windows 98 Gold (Win9x 4.10.1998)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\OTHER PROGRAMS\HIJACKTHIS.EXE


    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    TCASUTIEXE = TCAUDIAG.EXE -off
    TIPS = C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    EnsoniqMixer = starter.exe
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    Multi-function Keyboard = GWHotKey.exe


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    McAfeeVirusScanService = C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*


    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*


    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*


    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*


    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*


    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S


    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*


    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [SetupcPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

    [AppletsPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

    [FontsPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

    [{5A8D6EE0-3E18-11D0-821E-444553540000}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

    [PerUser_ICW_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

    [{89820200-ECBD-11cf-8B85-00AA005B4395}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

    [{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
    StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

    [PerUser_Msinfo] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

    [PerUser_Msinfo2] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

    [MotownMmsysPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

    [MotownAvivideoPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

    [PerUser_Base] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

    [ShellPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

    [Shell2PerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

    [PerUser_winbase_Links] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

    [PerUser_winapps_Links] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

    [PerUser_LinkBar_URLs] *
    StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

    [TapiPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

    [PerUserOldLinks] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

    [MmoptRegisterPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

    [OlsPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

    [PerUser_Paint_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

    [PerUser_Calc_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

    [PerUser_MSBackup_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 C:\WINDOWS\INF\applets1.inf

    [PerUser_CVT_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

    [PerUser_Enable_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 C:\WINDOWS\INF\enable.inf

    [MotownRecPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

    [PerUser_Vol] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

    [MotownMPlayPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf

    [PerUser_MSWordPad_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

    [PerUser_RNA_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

    [PerUser_Wingames_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

    [PerUser_Onlinelnks_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 C:\WINDOWS\INF\appletpp.inf

    [PerUser_Dialer_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{E4066320-E4AE-11CF-B1B0-00AA00BBAD66}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fpxprs16.inf,PerUserStub

    [MmoptMusicaPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 C:\WINDOWS\INF\mmopt.inf

    [MmoptJunglePerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 C:\WINDOWS\INF\mmopt.inf

    [MmoptRobotzPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 C:\WINDOWS\INF\mmopt.inf

    [MmoptUtopiaPerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 C:\WINDOWS\INF\mmopt.inf

    [PerUser_CDPlayer_Inis] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

    [Shell3PerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf

    [Theme_Windows_PerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 C:\WINDOWS\INF\themes.inf

    [Theme_MoreWindows_PerUser] *
    StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf

    [{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserStub

    [Chl99] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chl99.inf,InstallUser

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub


    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*


    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=


    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLOW~1.SCR
    drivers=mmsystem.dll power.drv


    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present


    C:\WINDOWS\WININIT.INI listing:
    (Created 12/5/2004, 10:50:54)

    [Rename]
    NUL=c:\windows\cookies\jimf@qksrv[1].txt
    NUL=c:\windows\cookies\jimf@as-us.falkag[1].txt
    NUL=c:\windows\cookies\jimf@centrport[1].txt
    NUL=c:\windows\cookies\jimf@atdmt[2].txt
    NUL=c:\windows\cookies\jimf@tribalfusion[1].txt


    C:\WINDOWS\WININIT.BAK listing:
    (Created 10/5/2004, 12:56:56)

    [Rename]
    NUL=C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\SET2374.TMP
    NUL=C:\WINDOWS\SYSTEM\SHLWAPI.DLL
    C:\WINDOWS\SYSTEM\SHLWAPI.DLL=C:\WINDOWS\SYSTEM\SET2383.TMP
    NUL=C:\WINDOWS\SYSTEM\BROWSEUI.DLL
    C:\WINDOWS\SYSTEM\BROWSEUI.DLL=C:\WINDOWS\SYSTEM\SET2390.TMP
    NUL=C:\WINDOWS\SYSTEM\URLMON.DLL
    C:\WINDOWS\SYSTEM\URLMON.DLL=C:\WINDOWS\SYSTEM\SET2394.TMP
    NUL=C:\WINDOWS\SYSTEM\MSHTML.DLL
    C:\WINDOWS\SYSTEM\MSHTML.DLL=C:\WINDOWS\SYSTEM\SET23A5.TMP
    NUL=C:\WINDOWS\SYSTEM\WININET.DLL
    C:\WINDOWS\SYSTEM\WININET.DLL=C:\WINDOWS\SYSTEM\SET8386.TMP


    C:\AUTOEXEC.BAT listing:

    ECHO OFF
    SET BLASTER=A220 I7 D1 T2
    SET SNDSCAPE=C:\WINDOWS
    PROMPT $P$G
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\;C:\CDROM;C:\BRCD\BIN;C:\BRCD\COMMAND
    C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\scan.exe C:\
    IF ERRORLEVEL 1 PAUSE


    C:\CONFIG.SYS listing:

    DEVICE=C:\WINDOWS\HIMEM.SYS
    DEVICE=C:\WINDOWS\EMM386.EXE
    ; SBPCI mod: DEVICE=C:\WINDOWS\EMM386.EXE NOEMS
    DOS=HIGH,UMB


    C:\WINDOWS\WINSTART.BAT listing:

    *File not found*


    C:\WINDOWS\DOSSTART.BAT listing:

    REM DOS MOUSE DRIVER ADDED BY MICROSOFT INTELLIPOINT MOUSE SETUP
    LH C:\PROGRA~1\MICROS~1\MOUSE\mouse.exe
    C:\SBPCI\APINIT


    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden


    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed


    Enumerating Browser Helper Objects:

    *No BHO's found*


    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job


    Enumerating Download Program Files:

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
    OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Internet Explorer Classes for Java]
    CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38093.6087962963

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
    CODEBASE = http://software-dl.real.com/1907d69a6f1406f90216/netzip/RdxIE601.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

    [Java Plug-in 1.4.2_04]
    InProcServer32 = C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

    [Java Plug-in 1.4.2_04]
    InProcServer32 = C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
    Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
    Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
    Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
    Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll
    Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
    Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll


    Enumerating Win9x VxD services:

    VNETSUP: vnetsup.vxd
    NDIS: ndis.vxd,ndis2sup.vxd
    JAVASUP: JAVASUP.VXD
    CONFIGMG: *CONFIGMG
    NTKern: *NTKERN
    VWIN32: *VWIN32
    VFBACKUP: *VFBACKUP
    VCOMM: *VCOMM
    COMBUFF: *COMBUFF
    IFSMGR: *IFSMGR
    IOS: *IOS
    MTRR: *mtrr
    SPOOLER: *SPOOLER
    UDF: *UDF
    VFAT: *VFAT
    VCACHE: *VCACHE
    VCOND: *VCOND
    VCDFSD: *VCDFSD
    VXDLDR: *VXDLDR
    VDEF: *VDEF
    VPICD: *VPICD
    VTD: *VTD
    REBOOT: *REBOOT
    VDMAD: *VDMAD
    VSD: *VSD
    V86MMGR: *V86MMGR
    PAGESWAP: *PAGESWAP
    DOSMGR: *DOSMGR
    VMPOLL: *VMPOLL
    SHELL: *SHELL
    PARITY: *PARITY
    BIOSXLAT: *BIOSXLAT
    VMCPD: *VMCPD
    VTDAPI: *VTDAPI
    PERF: *PERF
    VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
    VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
    VNETBIOS: vnetbios.vxd
    VREDIR: vredir.vxd
    DFS: dfs.vxd
    NDISWAN: ndiswan.vxd


    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    End of report, 22,373 bytes
    Report generated in 0.250 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
  • vanagon40 Indiana Member
    edited May 2004
    Here is my HJT log after making the changes suggested by Dexter and cleaning my computer this morning:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:04:55 AM, on 5/12/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\OTHER PROGRAMS\HIJACKTHIS.EXE

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38093.6087962963
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1907d69a6f1406f90216/netzip/RdxIE601.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • vanagon40 Indiana Member
    edited May 2004
    It seems the reinstaller has a clock and operates only once a day (or after more than 8 to 10 hours). The reinstaller is triggered not by rebooting, but by launching IE.

    In response to Dexter’s question, no one else uses this computer, and it is not used after I leave the office.

    Here is what I did this morning:

    “Woke” the computer (It is not turned off overnight, but the monitor and hard disc turn off after time)

    Checked C:\Windows\System found no “bug”

    Checked registry and found no apparent changes

    Reboot—Normal

    Checked C:\Windows\System found no “bug”

    Checked registry and found no apparent changes

    Reboot—Safe

    Checked C:\Windows\System found no “bug”

    Checked registry and found no apparent changes

    Ran CWShredder—Clean

    Ran HJT—Saved log

    Ran HJT—Removed items suggested by Dexter

    Ran HJT—Saved a StartUp log

    Checked C:\Windows\System found no “bug”

    Reboot—Normal

    Checked C:\Windows\System found no “bug”

    Ran CWShredder—Clean

    Launch IE—Home page http://www.msn.com/ (Normal)

    Immediately exit IE

    Checked C:\Windows\System Today’s “bug” = cmmc.dll

    Checked registry and found “C:\Windows\System\cmmc.dll” as the value in:

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{52A40AE1-A3FF-11D8-962B-005042B139EF}\InProcServer32\\(default)

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{52A40AE2-A3FF-11D8-962B-0050B263A798}\InProcServer32\\(default)

    “About:blank” was in four registries

    Launched IE—Home page = about:blank

    Reboot—Safe

    Ran CWShredder—Removed CWS.Searchx and restored 6 IE registry values

    Ran Ad-Aware 3 times—found some stuff (last time clean)

    Ran Spybot—Clean

    Ran HJT—Saved log (see previous post)

    Ran HJT—Saved StartUp log (see previous post)

    Reboot—Normal

    Everything normal (i.e. home page = msn)

    Checked C:\Windows\System found no “bug”

    Checked registry and found no apparent changes from yesterday

    Only noticeable problem is that when I type an invalid URL in IE, I am redirected to http://th.msie.cc/index.php?aid=20038, plus I get a pop-up telling me there is spyware on my computer (DUH—whoever is redirecting me to the pop-up put it there)

    I have no doubt that about:blank is gone for today, but will be here to greet me first thing tomorrow morning. AAAAAARRRRRRGH!!!!!!!
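The post above describes a manual check that works: compare today's registry against yesterday's and look for CLSIDs whose InProcServer32 points at a DLL that was not there before. The script below is an added example for this thread (not part of HijackThis, CWShredder or any tool posted in it) that automates that comparison. It parses two REGEDIT4 exports, the format Windows 9x regedit writes with `regedit /e clsid.reg HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID`, and reports new, changed and removed servers. Both exports embedded in it are constructed: BASELINE holds two entries that appear in the logs above, and TODAY adds the two CLSIDs the post reports pointing at C:\WINDOWS\SYSTEM\cmmc.dll.

```python
r"""Snapshot-diff InProcServer32 servers under HKLM\Software\CLASSES\CLSID.

Added example for this thread, not code from HijackThis, CWShredder or any
other tool posted in it. BASELINE and TODAY are constructed REGEDIT4 exports:
BASELINE mirrors two entries from the logs above, TODAY adds the two CLSIDs
the post reports for cmmc.dll.
"""
import re

# Only key headers of the form ...\CLSID\{guid}\InProcServer32 are of interest.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\CLASSES\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32\]$",
    re.I)
# The (Default) value of the key, written by regedit as @="..."
DEFAULT_RE = re.compile(r'^@="(.*)"$')

BASELINE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\MACROMED\\FLASH\\FLASH.OCX"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\IUCTL.DLL"
"ThreadingModel"="Apartment"
"""

# Constructed "next day" export: the baseline plus the two CLSIDs from the post.
TODAY = BASELINE + r"""
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{52A40AE1-A3FF-11D8-962B-005042B139EF}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\cmmc.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{52A40AE2-A3FF-11D8-962B-0050B263A798}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\cmmc.dll"
"""


def parse_inproc_servers(reg_text):
    """Map CLSID -> server path from a REGEDIT4 export (backslashes unescaped)."""
    servers = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        if line.startswith("["):      # some other key: stop collecting
            current = None
            continue
        if current:
            m = DEFAULT_RE.match(line)
            if m:
                servers[current] = m.group(1).replace("\\\\", "\\")
    return servers


def diff_servers(baseline_text, today_text):
    """Return (clsid, path, reason) for every server that is new, changed or gone."""
    before = parse_inproc_servers(baseline_text)
    after = parse_inproc_servers(today_text)
    findings = []
    for clsid, path in after.items():
        if clsid not in before:
            findings.append((clsid, path, "new CLSID"))
        elif before[clsid].lower() != path.lower():
            findings.append((clsid, path, "server path changed from " + before[clsid]))
    for clsid, path in before.items():
        if clsid not in after:
            findings.append((clsid, path, "CLSID removed"))
    return findings


def shared_new_servers(findings):
    """DLLs registered under two or more new CLSIDs at once (the pattern in the post)."""
    by_path = {}
    for clsid, path, reason in findings:
        if reason == "new CLSID":
            by_path.setdefault(path.lower(), []).append(clsid)
    return {path: clsids for path, clsids in by_path.items() if len(clsids) >= 2}


if __name__ == "__main__":
    found = diff_servers(BASELINE, TODAY)
    for clsid, path, reason in found:
        print(f"{reason:<12} {clsid} -> {path}")
    for path, clsids in shared_new_servers(found).items():
        print(f"shared by {len(clsids)} new CLSIDs: {path}")
```

A real run would export the key on two consecutive days (before and after launching IE, given the timing the post describes) and feed both files to `diff_servers`; a single DLL appearing under several fresh CLSIDs is the case worth chasing first.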
  • Dexter Vancouver, BC Canada
    edited May 2004
    This will take a while to thoroughly hunt through, but one thing that makes me suspicious is this:


    C:\WINDOWS\WININIT.INI listing:
    (Created 12/5/2004, 10:50:54)

    [Rename]
    NUL=c:\windows\cookies\jimf@qksrv[1].txt
    NUL=c:\windows\cookies\jimf@as-us.falkag[1].txt
    NUL=c:\windows\cookies\jimf@centrport[1].txt
    NUL=c:\windows\cookies\jimf@atdmt[2].txt
    NUL=c:\windows\cookies\jimf@tribalfusion[1].txt


    I don't know why cookies would be sitting in a WININIT.INI file. Personally, I would hunt for those cookies and delete them.

    One more thing...can you check your Control Panel -> Scheduled Tasks for any scheduled tasks on your computer. I don't see any listed on the startup log, but let's manually check the task scheduler to be safe.

    Dexter...
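The WININIT.INI listing quoted above is a boot-time rename queue: wininit.exe processes the [Rename] section once at the next start, where a line of the form `NUL=path` deletes `path` and a line of the form `dst=src` moves `src` over `dst`. That second form is how a file that is in use, such as a loaded system DLL, gets replaced; the WININIT.BAK in the StartupList shows the IE update doing exactly that with SETxxxx.TMP files, and it is equally available to anything that wants to swap a system DLL on reboot. The parser below is an added example for this thread, not code from any tool posted in it. It reads a [Rename] section and triages each entry. The embedded sample is constructed: its first five lines mirror the listings above, and the last line is a hypothetical entry added only to show what a replacement of a system DLL from outside the installer pattern looks like. The verdict rules (which directories count as system directories, and treating a same-directory SETxxxx.TMP source as installer-like) are this example's own heuristics.

```python
r"""Parse a Windows 9x WININIT.INI [Rename] section and triage its entries.

Added example for this thread, not code from any tool posted in it.
SAMPLE_WININIT is constructed: five lines mirror the listings posted above,
the last line is a hypothetical entry for illustration. The verdict rules
are this example's own heuristics.
"""
import ntpath
import re

# Directories where a replaced executable deserves a closer look (assumption).
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system", "c:\\windows\\system32"}
EXEC_EXT = {".dll", ".exe", ".ocx", ".vxd", ".sys", ".drv", ".scr"}
# Windows Setup stages replacement files as SETxxxx.TMP next to the target;
# treating that as "installer-like" is a heuristic, not proof of legitimacy.
SETUP_TMP = re.compile(r"^SET[0-9A-F]{4}\.TMP$", re.I)

SAMPLE_WININIT = r"""[Rename]
NUL=c:\windows\cookies\jimf@qksrv[1].txt
NUL=c:\windows\cookies\jimf@atdmt[2].txt
NUL=C:\WINDOWS\SYSTEM\SHDOCVW.DLL
C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\SET2374.TMP
C:\WINDOWS\SYSTEM\WININET.DLL=C:\WINDOWS\SYSTEM\SET8386.TMP
C:\WINDOWS\SYSTEM\example.dll=C:\WINDOWS\TEMP\~df1234.tmp
"""


def parse_rename_section(text):
    """Return (action, target, source) tuples; action is 'delete' or 'replace'."""
    entries = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dst, src = (part.strip() for part in line.split("=", 1))
        if dst.upper() == "NUL":
            entries.append(("delete", src, None))     # NUL=path deletes path
        else:
            entries.append(("replace", dst, src))     # dst=src moves src over dst
    return entries


def _is_system_binary(path):
    ext = ntpath.splitext(path)[1].lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return ext in EXEC_EXT and directory in SYSTEM_DIRS


def classify(entries):
    """Attach a verdict to each entry: low, info, review or suspicious."""
    findings = []
    for action, target, source in entries:
        system_binary = _is_system_binary(target)
        if action == "delete":
            # Deleting the old copy right before replacing the same file is
            # normal; deleting a cookie or temp file is noise.
            verdict = "info" if system_binary else "low"
        elif not system_binary:
            verdict = "low"
        else:
            same_dir = ntpath.dirname(source).lower() == ntpath.dirname(target).lower()
            if same_dir and SETUP_TMP.match(ntpath.basename(source)):
                verdict = "review"      # installer-style staging; confirm an update ran
            else:
                verdict = "suspicious"  # system binary replaced from somewhere else
        findings.append({"action": action, "target": target,
                         "source": source, "verdict": verdict})
    return findings


def suspicious_targets(text):
    """Paths of system binaries that a [Rename] section replaces from outside."""
    return [f["target"] for f in classify(parse_rename_section(text))
            if f["verdict"] == "suspicious"]


if __name__ == "__main__":
    for f in classify(parse_rename_section(SAMPLE_WININIT)):
        tail = f"  <-  {f['source']}" if f["source"] else ""
        print(f"{f['verdict']:<10} {f['action']:<7} {f['target']}{tail}")
```

Run against the real C:\WINDOWS\WININIT.INI before rebooting (the file is renamed to WININIT.BAK once processed), so anything queued to overwrite a system DLL is seen before it happens.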
  • vanagon40 Indiana Member
    edited May 2004
    I think I found the little bastard.

    Using PrcView, I found a resbb.dll

    I did a search on my drive and a registry search, and neither could locate it (except in the registry as MRU search entry).

    Sounds like a "hidden" reloader to me.

    I did a google search for it and returned no results.

    I'm going to wipe it out and cross my fingers.

    Will post tomorrow with results.

    Jim
  • vanagon40 Indiana Member
    edited May 2004
    It is GONE. Thank you Dexter and Mr. Kwitko for your help. I will post my solution in a new thread.
  • edited May 2004
    I figured I would drop a short note, as none of the above-referenced suggestions would help me this go around. Between Norton Antivirus & Firewall, CWShredder, Spybot Search & Destroy, and HijackThis (all good programs) I could not fix this problem this time. My homepage would still revert back to the about:blank search page no matter what I did! After fooling around with my computer for nearly 4 hours, I finally fixed it by logging in as the administrator under safe mode and running the CWShredder, man that program is awesome (thanks Merijn)! Normally, my anti-virus would pick up everything under safe mode, or CWShredder would normally pick up everything in regular Windows operation, but not this time, my home page would still revert back to the about:blank. So I guess the virus coming in would affect even at the administrator level.

    Anyway, hope that helps someone. I swear these viruses are getting more and more nasty! They seem to start spoofing or blocking themselves from being detected by my anti-virus and even start controlling it, like keeping my LiveUpdate from working and stopping it from detecting viruses as well! It's getting harder and harder to stop the attacks! Thinking about getting a Mac instead!! LOL. Either that or stay away from the porn sites!!!