I spoke too soon

Well, I thought that my about:blank problem and my pop-up problems were solved but I spoke too soon. This afternoon I got the exact same symptoms except the pop-ups were much worse. So I ran my CWShredder and it deleted one problem and I ran a Hijack log and it shows several 'about:blank' keys in my registry. Here's a log.

Logfile of HijackThis v1.99.1
Scan saved at 5:32:30 PM, on 2/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\HIJACK THIS\ZLSSETUP_55_062_011.EXE
C:\HIJACK THIS\ZLSSETUP_55_062_011.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\PEOPLEPC\DIALER\DIALER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\HIJACK THIS\ZLSSETUP_55_062_011.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.peoplepc.com/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PeoplePC
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Wallet - {F05B7DAE-337E-11D3-83B6-00E0980647AC} - C:\WINDOWS\PEOPLEPC\BIN\PAYMEN~1.DLL
O9 - Extra button: Guide - {A6E07A80-436A-11d3-83B6-00902747E82E} - c:\windows\system\shdocvw.dll
O9 - Extra button: PeoplePC - {A6E07A82-436A-11d3-83B6-00902747E82E} - c:\windows\PeoplePC\hta\peopledialer.hta
O14 - IERESET.INF: START_PAGE_URL=http://home.peoplepc.com/home
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

This is so very frustrating. I had my firewall up but I don't know what all of the address numbers mean on there.
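As an added example (not part of the original post and not HijackThis's own code), this Python sketch parses HijackThis-style lines and pulls out two things to read first in a log like the one above: the R0/R1 browser values set to about:blank that the poster mentions, and O4 autorun entries whose command runs from a temp directory. The temp-directory check is a common triage heuristic assumed here, not a verdict from the thread; the sample lines are excerpted from the log above, and all function names are hypothetical.

```python
import re

# Sample input: a few lines excerpted from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.peoplepc.com/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>.+?) = (?P<data>.*)$")
AUTORUN = re.compile(r"^(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)  # assumption: \TEMP\ or \TMP\


def parse(log):
    """Return (section_code, body) for every 'Xn - ...' line; skip the rest."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def blank_redirects(entries):
    """R0/R1 registry values whose data is exactly about:blank."""
    out = []
    for code, body in entries:
        m = REG_VALUE.match(body) if code in ("R0", "R1") else None
        if m and m["data"].strip().lower() == "about:blank":
            out.append((m["key"], m["name"]))
    return out


def temp_autoruns(entries):
    """O4 Run/RunServices entries whose command line points into a temp dir."""
    out = []
    for code, body in entries:
        m = AUTORUN.match(body) if code == "O4" else None
        if m and TEMP_DIR.search(m["cmd"]):
            out.append((m["key"], m["name"], m["cmd"]))
    return out


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for hit in blank_redirects(parsed) + temp_autoruns(parsed):
        print(hit)
```
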

Comments

  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    • Download DLLCompare.
    • Double-click on DllCompare.exe to run the program.
    • Click "Run Locate.com" and it will scan your system for files.
    • Once the scan has finished click "Compare" to compare your files to valid Windows files.
    • Once it has finished comparing click "Make a Log of what was found".
    • Click "Yes" at the View Log file? prompt to view the log.
    • Copy and paste the entire log into this topic.
    • If you accidentally close out of the log it is also saved as log.txt to where you saved DllCompare.exe.
    • Click "Exit" to exit DLLCompare.
  • edited February 2005
    Here's what was logged:

    * DLLCompare Log version()
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    O^E says: "There were no files found :)"
    ________________________________________________

    681 items found: 681 files, 0 directories.
    Total of file sizes: 116,688,297 bytes 111.28 M

    Any ideas??

    End log
  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    Let's take one more look just to be sure.

    Download the following file:

    http://castlecops.com/zx/Zupe/FindIt9xME.zip


    and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

    Please copy and paste that log here.
  • edited February 2005
    OK, I'm not sure what came up on my screen. One thing looked like a DOS file and another was logged in a notebook file. Here is the notebook file that was saved:

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    System Files in System Directory


    Volume in drive C is HP_PAVILION
    Volume Serial Number is 1B31-110E
    Directory of C:\WINDOWS\SYSTEM

    12,968.27 MB free

    Hidden Files in System Directory


    Volume in drive C is HP_PAVILION
    Volume Serial Number is 1B31-110E
    Directory of C:\WINDOWS\SYSTEM

    VSCONFIG XML 890 02-27-05 1:25p vsconfig.xml
    ZLLICTBL DAT 4,212 02-23-05 6:07p zllictbl.dat
    FOLDER HTT 13,122 02-03-00 12:14p folder.htt
    DESKTOP INI 266 02-03-00 12:14p desktop.ini
    4 file(s) 18,490 bytes
    0 dir(s) 12,968.27 MB free

    User Agent

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "PeoplePC 1.0; HP/IBM"="IEAKPeoplePC"

    Locate.com Results

    Strings.exe Qoologic Results


    Strings.exe Aspack Results


    HKLM Run Key

    Strings.exe Umonitor Results


  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    Still not showing up. Let's check one last place.

    Download StartDreck from this link.
    http://www.niksoft.at/download/startdreck.htm

    1. Once it is downloaded, extract the file into c:\startdreck.

    2. Navigate to c:\startdreck and double-click on Startdreck.exe

    3. When the program opens click on the Config button.

    4. Then click on the unmark all button.

    5. Then put checkmarks in the following checkboxes:

    * Under Registry put a checkmark in the Run Keys checkbox.

    * Under System/Drivers put a check in the Running Process checkbox.

    6. Press the OK button.

    7. Copy the text that appears and post it here.



    Also please post a hijackthis log.
  • edited March 2005
    Hello Sam,

    I wish to thank you very much for your efforts of resolving my problem. It is a bit ridiculous to have to download dozens of programs and spend hours at a terminal to resolve problems that have been created by obvious socio-trash mentalities. I simply do not understand what is to be gained when people damage or obstruct unsuspecting users of an otherwise fascinating medium.

    You are very admirable for helping people with their problems and you are to be commended. I have resolved my problem by simply inserting my recovery disc and reformatting my hard drive.

    Again, I thank you very much for your assistance!!
This discussion has been closed.