I just don't get it

KilJaedenKilJaeden USA
edited July 2004 in Spyware & Virus Removal
Everytime I think I get rid of this crap it just comes back. It is that about:blank crap again. I no longer find any coolweb stuff anymore. It is really getting on my nearves. I removed all instances that I could find from the registry. I deleted the dll in the system32 folder and some files in the temp folders. WERE IS IT COMING FROM! System resotre is off too. BLAST!

Comments

  • KilJaedenKilJaeden USA
    edited July 2004
    Does anyone know of all the ways it can come back? I am completely stumped. Whenever it comes back on my brother's laptop, the internet goes down. It seems like it comes back on my computer everyday.
  • TBonZTBonZ Ottawa, ON Icrontian
    edited July 2004
    How about posting a hijackthis log, your brothers too. Something must have been overlooked.
  • KilJaedenKilJaeden USA
    edited July 2004
    I know that one of the R1s can be deleted.
    Logfile of HijackThis v1.97.7
    Scan saved at 5:50:13 PM, on 7/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pittsburghpenguins.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pittsburghpenguins.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7bea8f78-98b7-4de4-87a2-f72e5d72a5c8} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/172a57c7a5756cd3cc00/netzip/RdxIE601.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37898.9919212963
    O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
  • TBonZTBonZ Ottawa, ON Icrontian
    edited July 2004
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O2 - BHO: (no name) - {7bea8f78-98b7-4de4-87a2-f72e5d72a5c8} - (no file)


    Not sure about those, make sure they're backed up before you get rid of them. Everything else looks legit however I would still get rid of a lot of them personally.

    Along with spybot, have you also ran adaware?

    How about regcleaner? Attack this beotch from all sides. http://www.worldstart.com/weekly-download/archives/reg-cleaner4.3.htm
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    About : blank trojan reloads from an appinit DLL registry entry. Whenever you launch an application, the hidden reloader DLL is called up, and reinfects your computer.

    I think HJT 1.98 will show appinit dll entries. Try updating HJT and post a new log.
  • KilJaedenKilJaeden USA
    edited July 2004
    I had a feeling my HJT was out of date. Were can I get an updated copy. I am going to try the regcleaner now. I will let you know of any improvements.
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    From our downloads section, of course!
  • KilJaedenKilJaeden USA
    edited July 2004
    I didn't find much of anything with the registry cleaner.

    If you were wondering what Hot Sync is, it is how I syncronise my palm pilot with the virtual one on my computer

    Here is the new log:
    Hijack This Log wrote:
    Logfile of HijackThis v1.98.0
    Scan saved at 9:40:46 PM, on 7/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pittsburghpenguins.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pittsburghpenguins.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7bea8f78-98b7-4de4-87a2-f72e5d72a5c8} - (no file)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {3FA60DC0-65C1-4398-9908-E7FE17DA3C1E} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/172a57c7a5756cd3cc00/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
  • KilJaedenKilJaeden USA
    edited July 2004
    Would it matter if I am running WinXP pro, instead of home?
  • KilJaedenKilJaeden USA
    edited July 2004
    It Came Back Again!
  • KilJaedenKilJaeden USA
    edited July 2004
    and again!
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited July 2004
    What kind of websites are you visiting? Any pr0n/p2p type places, or anything that you can think would cause the problem?
  • KilJaedenKilJaeden USA
    edited July 2004
    Not anymore, it has been a month since I have gone to a pron site. Which was when this all started, but not since.
  • Straight_ManStraight_Man Geeky, in my own way Naples, FL Icrontian
    edited July 2004
    Basicly, a random-named or replacement .dll or .exe got missed. Try going here:

    http://www.commandondemand.com/ and run the Command On Demand online scanner. These folks are actually integrating good BOT and TROJAN defs into thier AV online scanner. Provide the info requested, you will get an email with the online scanner specific URL. Go to that place, then scan. By defs, it can tell you more of teh trojans than any US AV mfr, and can also by Heuristics tell you if some things are acting strangely. The defs there can ID many bots also, especially those of type SpyBot.

    It is sponsored by Authenium's Command Software division. Command AV is ICSA, and EICAR, and Virus Bulletin approved. It is one of the best in the world. Period. Kaspersly Lab's AV and F-Prot AV are close to it in quality. Symantec's consumer AV is not detecting Trojans real well, and is detecting spybot droppers so poorly I no longer recommend it.
  • KilJaedenKilJaeden USA
    edited July 2004
    This is odd, it keeps on closing itself.
  • LeonardoLeonardo Wake up and smell the glaciers Eagle River, Alaska Icrontian
    edited July 2004
    In Spybot, are you use the immunize option?
  • KilJaedenKilJaeden USA
    edited July 2004
    yes I am
  • KilJaedenKilJaeden USA
    edited July 2004
    Guess What Happened Again!
  • KilJaedenKilJaeden USA
    edited July 2004
    Would a repair install help?
  • NomadNomad A Small Piece of Hell Icrontian
    edited July 2004
    Did you try a real virus scan yet?
  • madmatmadmat
    edited July 2004
    If I might make a suggestion, I've had similar problems with customers computers being eaten up like that and after I'd get rid of the problem upon reboot it would be back.
    I found the cure was to boot into safe mode (hit F5 upon boot up before the XP boot screen shows) disable System Restore on any hard drive then run your removal software.
    After that reboot into normal mode and re-enable System Restore and you should be good to go.
    Some of that scumware goes into System Restore and when it sees it's been removed under normal running will slip itself back into the folders it was in.
    The programs for killing the scumware can't get into the System Restore files while it's enabled so you keep having it magically re-appear.
    This is also helpful for trojans and certain worms as well.
    I hope this helps.
  • KilJaedenKilJaeden USA
    edited July 2004
    I will give that a try when it comes back tomarrow. I will let you know if it works.
  • KilJaedenKilJaeden USA
    edited July 2004
    I think I did that before. We will see if it comes back.

    I have run Norton before, but my definitions are 3 months old and my license expired.

    Worse comes to worse, I will format.
  • madmatmadmat
    edited July 2004
    Don't just run norton, run adaware and spybot s&d as well...give it the full magilla.
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    Use AVG AntiVirus free edition from www.grisoft.com. I use it at home, it works great and it's totally free.
  • KilJaedenKilJaeden USA
    edited July 2004
    As soon as I installed it, I think she found it! The problem is, is that I can not find the file. Nor will it allow me to delete it.

    I guess I will try it again in safe mode.

    EDIT:// odd, I still can't seem to find the dll. The virus scanner keeps picking it up every minute or so, but I just can't find it. Does anyone have any ideas?
  • KilJaedenKilJaeden USA
    edited July 2004
    THE BITCH IS DEAD!!!

    Thanks prime. That program did the trick. That thing just didn't want to be deleted.
Sign In or Register to comment.