Malware Removal
Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs.

#1
About:Blank is not a blank start-up page... some generic search engine

I have installed the latest version of Spybot... CWShredder... SpywareBlaster... and I have used Hijackthis.exe to try to remove some of the lines below that start with R1 - HKCU, but every time I reopen Internet Explorer those show up again after I have removed them. Also, when I run Spybot it shows nothing wrong. When I run CWShredder it only fixes 6 websites?? but not after I delete the above mentioned lines. It will only state those fixes after I open Explorer again. Can someone give me some insight as to where to go from here. I have looked through the source code of the page and the only real reference to a webpage is

res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%64%63%6e%6f%2e%64%6c%6c/ and http://searchx.cc/search.php

Also, if I run a search I get a reference at the bottom of the search page of this - CopyLeft © 1998 AdultArtel, Inc. All Rights Not Reserved

Logfile of HijackThis v1.97.7
Scan saved at 8:51:57 PM, on 4/7/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\Altiris\CARBON~1\shellker.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Command Software\Command AntiVirus\dvpinit.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BHOCop\BHOCop.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\sdewey\My Documents\shredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 199.231.129.165 www.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 reports.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 fclaw.com # Necessary to access FTP site since AD Domain is fclaw.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\DOCUME~1\sdewey\LOCALS~1\Temp\WorkShare Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {198A20AD-D7C2-48BD-B9CE-A591B7A48EB0} - C:\WINNT\System32\dcno.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\sdewey\MYDOCU~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74B01CB0-432A-46B7-8F1A-282582BF4C9A} - C:\WINNT\System32\dcno.dll
O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
O2 - BHO: Unknown - {E5170DFA-0D1A-41A1-BCB0-68C410CE595E} - C:\WINNT\System32\dcno.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [cuagentExe] C:\PROGRA~1\COMMAN~1\COMMAN~1\cuagent.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [DesktopAuthority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - Startup: BHO Cop.lnk = C:\Program Files\BHOCop\BHOCop.exe
O4 - Startup: Calculator.lnk = C:\WINNT\system32\calc.exe
O4 - Startup: Procomm Plus.lnk = C:\Program Files\Procomm Plus\programs\PW4.EXE
O4 - Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O4 - Global Startup: MCategory.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...040.5323842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D6A6A09C-C43C-4BCC-90B0-349B71239328} (AXfco Control) - http://workflow.fclaw.com/AXfco.cab
O16 - DPF: {D6FB2DA3-A767-4D27-9926-B5F0528B0A08} (UAttach Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {DA018E54-7561-4AB5-A893-A3388C0F511C} (UltSignature Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {E09150AF-9388-450B-8098-0B4F6BBE1419} (Ultimus) - http://workflow.fclaw.com/UltAxClientMin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fclaw.com
#2
Welcome to CTH JustMe602. Before we start work on your log, can you confirm that fclaw.com is either your ISP or your local network. Also, what can you tell me about the below startup?

O4 - Global Startup: MCategory.exe

If you don't know what it is, can you please make sure that you can view hidden files and folders and run a search for MCategory.exe. When you find it, right-click on it and post the Properties back in this thread.
#3
Okay, fclaw.com is indeed my ISP. Also, MCategory.exe is a program that we use for saving documents and categorizing them in our system. Hope that information helps.
#4
Yes it does, thanks JustMe602. Could you please make sure that you can view hidden files and folders and run a search for dcno.dll. When you find it, copy it to a new folder, zip it up (this is important) and email it to me. My address is annmarie@cybertechhelp.com. I will post back when I have identified this parasite.

Close IE and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\dcno.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {198A20AD-D7C2-48BD-B9CE-A591B7A48EB0} - C:\WINNT\System32\dcno.dll
O2 - BHO: (no name) - {74B01CB0-432A-46B7-8F1A-282582BF4C9A} - C:\WINNT\System32\dcno.dll
O2 - BHO: Unknown - {E5170DFA-0D1A-41A1-BCB0-68C410CE595E} - C:\WINNT\System32\dcno.dll

Reboot and post back a new log.
#5
Second log after removing....

Logfile of HijackThis v1.97.7
Scan saved at 6:44:44 PM, on 4/8/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\Altiris\CARBON~1\shellker.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Command Software\Command AntiVirus\dvpinit.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Documents and Settings\sdewey\My Documents\shredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 199.231.129.165 www.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 reports.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 fclaw.com # Necessary to access FTP site since AD Domain is fclaw.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\DOCUME~1\sdewey\LOCALS~1\Temp\WorkShare Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {24D7FA4D-D47B-431B-9EE9-61EF7DA077DE} - C:\WINNT\System32\mjkpa.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\sdewey\MYDOCU~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [cuagentExe] C:\PROGRA~1\COMMAN~1\COMMAN~1\cuagent.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [DesktopAuthority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - Startup: BHO Cop.lnk = C:\Program Files\BHOCop\BHOCop.exe
O4 - Startup: Calculator.lnk = C:\WINNT\system32\calc.exe
O4 - Startup: Procomm Plus.lnk = C:\Program Files\Procomm Plus\programs\PW4.EXE
O4 - Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O4 - Global Startup: MCategory.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...040.5323842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D6A6A09C-C43C-4BCC-90B0-349B71239328} (AXfco Control) - http://workflow.fclaw.com/AXfco.cab
O16 - DPF: {D6FB2DA3-A767-4D27-9926-B5F0528B0A08} (UAttach Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {DA018E54-7561-4AB5-A893-A3388C0F511C} (UltSignature Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {E09150AF-9388-450B-8098-0B4F6BBE1419} (Ultimus) - http://workflow.fclaw.com/UltAxClientMin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fclaw.com
#6
Thank you JustMe602. I received the file you sent me. This is definitely a CoolWebSearch hijack and I understood that the latest version of CWShredder removed it. We will try again with Hijack This though. I see that there is a BHO running this time so we might have better luck.

Close IE and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mjkpa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {24D7FA4D-D47B-431B-9EE9-61EF7DA077DE} - C:\WINNT\System32\mjkpa.dll

Reboot and post back a new log.
#7
Well, I erased as you asked; however, it worked the first time I opened IE but the second time I opened it up the page came back. I ran the scan again and have posted the log again. They just will not stay away.

Thanks for the help on this matter.

Logfile of HijackThis v1.97.7
Scan saved at 8:07:52 AM, on 4/9/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\Altiris\CARBON~1\shellker.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Command Software\Command AntiVirus\dvpinit.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Documents and Settings\sdewey\My Documents\shredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 199.231.129.165 www.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 reports.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 fclaw.com # Necessary to access FTP site since AD Domain is fclaw.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\DOCUME~1\sdewey\LOCALS~1\Temp\WorkShare Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\sdewey\MYDOCU~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
O2 - BHO: (no name) - {B7144429-2D18-4A6C-9C41-F53D39D6692C} - C:\WINNT\System32\fpg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [cuagentExe] C:\PROGRA~1\COMMAN~1\COMMAN~1\cuagent.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [DesktopAuthority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - Startup: BHO Cop.lnk = C:\Program Files\BHOCop\BHOCop.exe
O4 - Startup: Calculator.lnk = C:\WINNT\system32\calc.exe
O4 - Startup: Procomm Plus.lnk = C:\Program Files\Procomm Plus\programs\PW4.EXE
O4 - Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O4 - Global Startup: MCategory.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...040.5323842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D6A6A09C-C43C-4BCC-90B0-349B71239328} (AXfco Control) - http://workflow.fclaw.com/AXfco.cab
O16 - DPF: {D6FB2DA3-A767-4D27-9926-B5F0528B0A08} (UAttach Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {DA018E54-7561-4AB5-A893-A3388C0F511C} (UltSignature Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {E09150AF-9388-450B-8098-0B4F6BBE1419} (Ultimus) - http://workflow.fclaw.com/UltAxClientMin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fclaw.com
#8
We will have to try this in Safe Mode.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {B7144429-2D18-4A6C-9C41-F53D39D6692C} - C:\WINNT\System32\fpg.dll

Note that the filename of the BHO (fpg.dll) and the search is the same. Boot into Safe Mode and fix all entries corresponding to those above (the name of the dll may have changed though). When you have done this, make sure that you can view hidden files and folders and run a search for fpg.dll (and whatever it is named now) and make sure it has been deleted. Also search for dcno.dll and mjkpa.dll and delete them if you find them. Reboot and post back a new log.
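An added example, not part of the thread and not a CTH tool: a short Python script that does two of the checks made by hand above. It percent-decodes the res:// URL quoted in post #1, which comes out as res://C:\WINNT\System32\dcno.dll/, and it scans HijackThis R0/R1 and O2 lines for a DLL that is both the target of the IE search entries and registered as a BHO, the match pointed out in post #8, then lists the entries to tick in Fix Checked. The sample log lines are constructed from entries in this thread (not a complete log), and the entry formats assumed are those of HijackThis 1.97 as posted here.

```python
"""Triage HijackThis R0/R1 and O2 entries for the res://<dll>/sp.html hijack.

Added example, not from the thread. It does two things the replies do by
hand: percent-decodes the res:// URL quoted in post #1, and reports any DLL
that is both the target of the IE search-page entries and registered as a
BHO (the match pointed out in post #8). Entry formats follow HijackThis 1.97.
"""
import ntpath
import re
from urllib.parse import unquote

# The obfuscated URL from post #1, verbatim.
OBFUSCATED = ("res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d"
              "%33%32%5c%64%63%6e%6f%2e%64%6c%6c/")

# Constructed sample: a few lines in the shape of the logs in this thread
# (not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\fpg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B7144429-2D18-4A6C-9C41-F53D39D6692C} - C:\WINNT\System32\fpg.dll
O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
"""

# res://<module path>/<resource>; the module path may be %xx-encoded.
RES_URL = re.compile(r"res://([^/\s]+)/", re.IGNORECASE)


def decode_res_url(url: str) -> str:
    """Undo the %xx encoding used to hide the DLL path in the R entries."""
    return unquote(url)


def res_dll(entry: str):
    """Lower-cased DLL file name a res:// entry points at, or None."""
    m = RES_URL.search(decode_res_url(entry))
    return ntpath.basename(m.group(1)).lower() if m else None


def parse_log(text: str):
    """Map DLL file names to the R0/R1 lines and the O2 lines that name them."""
    search, bho = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("R0 -", "R1 -")):
            dll = res_dll(line)
            if dll:
                search.setdefault(dll, []).append(line)
        elif line.startswith("O2 - BHO:"):
            # The last " - " separated field of an O2 line is the module path.
            path = line.rsplit(" - ", 1)[-1]
            bho.setdefault(ntpath.basename(path).lower(), []).append(line)
    return search, bho


def suspicious_dlls(text: str):
    """DLLs that are both the IE search target and a registered BHO."""
    search, bho = parse_log(text)
    return sorted(set(search) & set(bho))


def entries_to_fix(text: str):
    """HijackThis lines to tick for every suspicious DLL: R entries, then O2."""
    search, bho = parse_log(text)
    lines = []
    for dll in suspicious_dlls(text):
        lines.extend(search[dll])
        lines.extend(bho[dll])
    return lines


if __name__ == "__main__":
    print("post #1 URL decodes to:", decode_res_url(OBFUSCATED))
    for entry in entries_to_fix(SAMPLE_LOG):
        print(entry)
```

Paste a whole log into SAMPLE_LOG (or read one from a file) and the same correlation applies whatever the DLL has been renamed to, which is the point made in post #8: the R entries and the O2 entry always name the same module.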
#9
Okay, I still can't get this to work.....

I keep trying to remove the following, however they just come back renamed. I also removed the ______.dll from the system32 folder... and I can't seem to get my computer to log in in safe mode either... I have the newest version of Shredder & Hijack this... I am also running Spybot with SpywareBlaster as well as BHO Cop... What else can I do.... sorry for the time lapse in my reply... Again thanks for the help on this matter....

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Logfile of HijackThis v1.97.7
Scan saved at 8:53:03 AM, on 4/23/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Command Software\Command AntiVirus\dvpinit.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\Altiris\CARBON~1\shellker.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\goff.exe
C:\WINNT\System32\calc.exe
C:\Program Files\Procomm Plus\programs\PW4.EXE
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\APPS\DOCSOPEN\docsopen.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\sdewey\My Documents\shredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\hpnp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 199.231.129.165 www.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 reports.fclaw.com # Necessary to access site since AD Domain is fclaw.com
O1 - Hosts: 199.231.129.165 fclaw.com # Necessary to access FTP site since AD Domain is fclaw.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\DOCUME~1\sdewey\LOCALS~1\Temp\WorkShare Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74C4C66D-A3EF-4B3A-983E-3FE9B9B98E44} - C:\WINNT\System32\hpnp.dll
O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [cuagentExe] C:\PROGRA~1\COMMAN~1\COMMAN~1\cuagent.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [DesktopAuthority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Kernel.] C:\WINNT\goff.exe
O4 - Startup: BHO Cop.lnk = C:\Program Files\BHOCop\BHOCop.exe
O4 - Startup: Calculator.lnk = C:\WINNT\system32\calc.exe
O4 - Startup: Procomm Plus.lnk = C:\Program Files\Procomm Plus\programs\PW4.EXE
O4 - Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O4 - Global Startup: MCategory.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...040.5323842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D6A6A09C-C43C-4BCC-90B0-349B71239328} (AXfco Control) - http://workflow.fclaw.com/AXfco.cab
O16 - DPF: {D6FB2DA3-A767-4D27-9926-B5F0528B0A08} (UAttach Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {DA018E54-7561-4AB5-A893-A3388C0F511C} (UltSignature Control) - http://workflow.fclaw.com/UAdvCtls2.ocx
O16 - DPF: {E09150AF-9388-450B-8098-0B4F6BBE1419} (Ultimus) - http://workflow.fclaw.com/UltAxClientMin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fclaw.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fclaw.com
#10
Sorry to butt into your conversation!

I think I just deleted the root problem of about:blank, let's see: go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, right-click on AppInit.dll and choose "change binary". Do you see something like this?

0000  00 00 3A 00 5C 00 77 00  ..:.\.w.
0008  69 00 6E 00 64 00 6F 00  i.n.d.o.
0010  77 00 73 00 5C 00 73 00  w.s.\.s.
0018  79 00 73 00 74 00 65 00  y.s.t.e.
0020  6D 00 33 00 32 00 5C 00  m.3.2.\.
0028  63 00 6F 00 6D 00 6C 00  c.o.m.l.
0030  6B 00 6D 00 6A 00 2E 00  k.m.j...
0038  64 00 6C 00 6C 00 00 00  d.l.l...
0040

If yes, can you read the code on the right (.:windows\system32\.......dll)? What is your code?
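An added example, not from the thread: a Python script that turns the hex dump in post #10 back into the value data and decodes it. The dump is assumed to be regedit's binary-edit view of a REG_SZ value, which stores UTF-16LE text. Its first two bytes are 00 00, so anything that reads the value as a NUL-terminated string sees it as empty, while the binary view shows the path behind that NUL. The script makes no assumption about the value's name (post #10 calls it AppInit.dll) and only decodes the data. Separately, a practitioner reading the log in post #9 would also note the new O4 entry [Kernel.] C:\WINNT\goff.exe, which none of the earlier logs had and which no reply in the thread addresses.

```python
"""Recover the path hidden in the binary view of a REG_SZ value.

Added example, not from the thread. The dump below is the one pasted in post
#10 (the value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
as shown by regedit's binary editor). REG_SZ data is UTF-16LE; because the
first character is a NUL, a string reader stops immediately and the value
looks empty, which is why the binary view is needed to see it.
"""
import re

# Hex dump from post #10, transcribed verbatim (offset, 8 bytes, ASCII column).
HEXDUMP = r"""
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 63 00 6F 00 6D 00 6C 00 c.o.m.l.
0030 6B 00 6D 00 6A 00 2E 00 k.m.j...
0038 64 00 6C 00 6C 00 00 00 d.l.l...
0040
"""

# One dump line: a 4-digit hex offset followed by 1..8 hex byte pairs. The
# ASCII column after them is display-only and is not parsed.
DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{4})((?:\s+[0-9A-Fa-f]{2}){1,8})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse a regedit-style hex dump back into the raw value data."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue  # blank line, or the trailing offset-only line
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"dump is not contiguous at offset {offset:#06x}")
        out += bytes.fromhex(m.group(2))  # fromhex ignores the spaces
    return bytes(out)


def decode_reg_sz(data: bytes):
    """Return (what a string reader sees, what the bytes actually hold)."""
    text = data.decode("utf-16-le")
    visible = text.split("\x00", 1)[0]  # a C string ends at the first NUL
    hidden = text.strip("\x00")         # drop the leading NUL and terminator
    return visible, hidden


def dll_names(text: str):
    """Module file names mentioned in the recovered string."""
    return re.findall(r"[\w~$.-]+\.dll", text, re.IGNORECASE)


if __name__ == "__main__":
    raw = hexdump_to_bytes(HEXDUMP)
    visible, hidden = decode_reg_sz(raw)
    print(f"{len(raw)} bytes; string view shows {visible!r}; data holds {hidden!r}")
    print("modules:", dll_names(hidden))
```

Run as a script it reports 64 bytes, an empty string view, and the path :\windows\system32\comlkmj.dll behind the leading NUL (the drive letter is absent in the dump as posted). The parser accepts any dump with the same layout, so the same script can be used on the value as it appears on another machine.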
#11
??? Questions...

??? I am not sure what was just stated..

I did that, but I can't find the AppInit.dll and I am not sure how to edit my registry??... I tried to get to c:\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows but I don't have the rights to do so... So am I going about this wrong...??
#12
Go to Start - Run, type "regedit" and click OK, then go to the path described above.
#13
???

I don't have a Run command in the Start menu....??
#14
Which language is your Windows?

English: Run; German: Ausführen; Spanish: Ejecutar
#15
It's the Windows button in the lower left corner, the one you open the programs with!

You have it!