cnbabe.dll

Discussion in 'adware, spyware & hijack cleaning' started by pgilmour, Apr 20, 2004.

Thread Status:
Not open for further replies.
  1. pgilmour

    pgilmour Guest

    Sorry but I need your help - I've run ad-aware, spysweeper, and spybot S&D, and there's still an infuriating piece of code somewhere that wants cnbabe.dll. The dll file got destroyed a while ago, probably by all 3 anti adware programs, but some of whatever it is survived. Please help - I've had 4 error messages in the time it took to type this.

    Here's my hijackthis log

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\system32\gearsec.exe
    E:\WINNT\system32\regsvc.exe
    E:\WINNT\system32\MSTask.exe
    E:\WINNT\system32\stisvc.exe
    E:\WINNT\System32\WBEM\WinMgmt.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\Explorer.EXE
    E:\WINNT\system32\unldrexe.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\winnt\system32\sncntr.exe
    E:\Program Files\QuickTime\qttask.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    E:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    E:\WINNT\system32\internat.exe
    E:\Program Files\MSN Messenger\msnmsgr.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    E:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\DOCUME~2\ADMINI~1\LOCALS~1\Temp\HijackThis.exe
    E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    E:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btinternet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = partner;<local>
    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - E:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    F1 - win.ini: run=e:\winnt\system32\unldrexe.exe
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - E:\WINNT\bsx5.dll
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - E:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - E:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2B3452C5-1B9A-440F-A203-F6ED0F64C895} - E:\WINNT\rem00001.dll
    O2 - BHO: (no name) - {392BE62B-E7DE-430A-8859-0AFE677DE6E1} - E:\WINNT\bs2.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - E:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\winnt\downloaded program files\googletoolbar1.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - E:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\winnt\downloaded program files\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\Program Files\Navnt\NPSCheck.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [sncntr] e:\winnt\system32\sncntr.exe /nocomm
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [winnet] E:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    O4 - HKLM\..\Run: [bxsx5] RunDLL32.EXE E:\WINNT\bsx5.dll,DllRun
    O4 - HKLM\..\Run: [BookedSpace] RunDLL32.EXE E:\WINNT\bs2.dll,DllRun
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Unldrexe] e:\winnt\system32\unldrexe.exe
    O4 - Startup: BBCTicker.lnk = E:\Program Files\BBC Ticker\BBCTicker.exe
    O4 - Startup: DLHelperEXE.exe
    O4 - Startup: WinProxy 1.5.lnk = C:\WinProxy\WinProxy.exe
    O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://e:\winnt\downloaded program files\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://e:\winnt\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\winnt\downloaded program files\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://e:\winnt\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://e:\winnt\downloaded program files\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: BT Yahoo! Sidebar (HKLM)
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
    O9 - Extra button: Coches (HKLM)
    O12 - Plugin for .ccn: E:\Program Files\Internet Explorer\PLUGINS\npcnc32.dll
    O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
    O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://hamptonpool.squarespace.com/universal/activex/XUpload.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D707309-993C-4DD7-B5C5-41704F189985}: NameServer = 207.44.140.102 64.191.22.247
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3D707309-993C-4DD7-B5C5-41704F189985}: NameServer = 207.44.140.102 64.191.22.247

    In case that doesn't solve it, has anybody got a hammer they can lend me?
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - E:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    F1 - win.ini: run=e:\winnt\system32\unldrexe.exe
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - E:\WINNT\bsx5.dll
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - E:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - E:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {2B3452C5-1B9A-440F-A203-F6ED0F64C895} - E:\WINNT\rem00001.dll
    O2 - BHO: (no name) - {392BE62B-E7DE-430A-8859-0AFE677DE6E1} - E:\WINNT\bs2.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - E:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - E:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [sncntr] e:\winnt\system32\sncntr.exe /nocomm
    O4 - HKLM\..\Run: [winnet] E:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    O4 - HKLM\..\Run: [bxsx5] RunDLL32.EXE E:\WINNT\bsx5.dll,DllRun
    O4 - HKLM\..\Run: [BookedSpace] RunDLL32.EXE E:\WINNT\bs2.dll,DllRun
    O4 - HKCU\..\Run: [Unldrexe] e:\winnt\system32\unldrexe.exe

    O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/diale...Recomendada.cab
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
    O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D707309-993C-4DD7-B5C5-41704F189985}: NameServer = 207.44.140.102 64.191.22.247
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3D707309-993C-4DD7-B5C5-41704F189985}: NameServer = 207.44.140.102 64.191.22.247

    Reboot, and delete

    files
    e:\winnt\system32\unldrexe.exe
    e:\winnt\system32\sncntr.exe
    E:\WINNT\bsx5.dll
    E:\WINNT\bs2.dll

    folders
    E:\Program Files\CommonName

    These may be hidden files. See HERE for how to show hidden files.

    If your ISP is still BTinternet, fix the two O17 entries also, as they point at Everyones Internet, and Network Operations, both US providers!
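
Added example, not part of the original thread and not HijackThis code: a small Python triage of log lines in the format above for the two conditions the thread turns on, entries whose target file is gone and O17 NameServer values outside the resolvers you expect. `EXPECTED_RESOLVERS` and the last sample line are constructed assumptions; the other sample lines are copied from the log in the thread.

```python
import re

# Sample input: four lines from the thread's log plus one constructed O17 line.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - E:\WINNT\bsx5.dll
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D707309-993C-4DD7-B5C5-41704F189985}: NameServer = 207.44.140.102 64.191.22.247
O17 - HKLM\System\CS1\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

# Assumption: the resolvers your ISP or router is supposed to hand out.
EXPECTED_RESOLVERS = {"192.0.2.53"}

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")   # e.g. "O17 - <body>"
NAMESERVER = re.compile(r"NameServer = (.+)$")


def parse(log):
    """Yield (section, body) for each entry line; process paths are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).rstrip()


def review(log, expected_resolvers):
    """Return (section, finding, detail) tuples for entries worth a closer look."""
    findings = []
    for section, body in parse(log):
        # Registry entry still present but the file or download source is gone.
        if body.endswith("(no file)") or (section == "O16" and body.endswith(" -")):
            findings.append((section, "orphaned", body))
        elif section == "O17":
            m = NAMESERVER.search(body)
            servers = re.split(r"[ ,]+", m.group(1).strip()) if m else []
            unexpected = [s for s in servers if s not in expected_resolvers]
            if unexpected:
                findings.append((section, "unexpected-dns", " ".join(unexpected)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(finding)
```

A flagged line is a prompt to check the entry by hand, not a verdict; the O2 line passes here only because this sketch does not judge file names.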
     