Help needed with about:blank

Discussion in 'adware, spyware & hijack cleaning' started by Ninox, May 25, 2004.

Thread Status:
Not open for further replies.
  1. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Hello, my homepage has been locked onto about:blank (which isn't actually blank - it seems to be a web site directory) and some truly disturbing web sites keep showing up on my bookmarks. I've also been seeing a dialogue box very like the one I use to dial up the internet, come up and ask to be connected. I've run both ad-aware and spybot, but one object continues to reappear.
    Here it is from Ad-Aware:
    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP

    And here is:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:23:59 PM, on 5/24/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP4 (5.51.3020.2100)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\AMGRSRVC.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan NT\MCSHIELD.EXE
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\VSTSKMGR.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINNT\System32\cdplayer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\SYSTEM32\3cshtdwn.exe
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\My Download Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {48CAE454-28E4-455B-A3EE-8A44B78FA7F5} - C:\WINNT\system32\gfnbcna.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RealDownload.lnk = C:\RealDownload\Realdownload.exe
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08b270e8c6037c010c06/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.8812037037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

    I hope someone can help.
    Thank you in advance.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi Ninox,

    First make sure Windows and IE are fully updated.

    Download and unzip: http://www.rokop-security.de/main/download.php?op=getit&lid=59
    Then close as many programs as possible and click *Desinfektion starten*

    Your computer wil reboot and start with the same program.
    Close it and run HijackThis again. Post the new log.

    Regards,

    Pieter
     
  3. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Re: Help needed with about:blank (Just a question)

    Hello Pieter,

    No HijackThis log yet - I am at work and it's my home computer that has problems.

    But am I correct in my understanding? There is a program/file on my computer that is hidden from spybot and other similar programs. It creates a visible file which can be removed, but it remains. Like a weed.

    Would this work?

    Download http://www.resplendence.com/download/reglite.exe
    Open reglite and paste this value in the address bar:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Windows\\AppInit_DLLs

    Then double click:

    AppInit_DLLs

    You should be able to see a file with this address:

    C:\Windows\System32\"Hidden".dll

    Install the Windows Recovery Console Option.
    Then in the Windows Recovery Console go to C:\Windows\System32, there modify the file by using the Attrib command, otherwise you won't be able to erase it, another way you could, is to change the name of the file.

    C:\Winnt\System32: rename wdm.dll about_blank
    C:\Winnt\System32: attrib -R about_blank

    Reboot your system and open reglite again, go back to the same key:

    AppInit_DLLs and delete the value.


    So, what do you think?

    And thank you again for your time and assistance :)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    That is another way to tackle the problem. (or rather doing manually what the program does)

    Whatever you prefer, Ninox.

    Regards,

    Pieter
     
  5. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Hello Pieter,

    I'm sorry to say neither of the two options I tried worked.

    You suggested that I try this:

    Download and unzip: http://www.rokop-security.de/main/d...op=getit&lid=59
    Then close as many programs as possible and click *Desinfektion starten*

    Your computer wil reboot and start with the same program.
    Close it and run HijackThis again. Post the new log.


    However, when I clicked "start disinfection", the header bar read
    "SP.html - Hijack Fixer --> not infected!" and nothing else happened.

    I also tried:

    Download http://www.resplendence.com/download/reglite.exe
    Open reglite and paste this value in the address bar:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Windows\\AppInit_DLLs


    but nothing showed in the value.

    Nonetheless, I ran HijackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:54:14 PM, on 5/25/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP4 (5.51.3020.2100)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\AMGRSRVC.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan NT\MCSHIELD.EXE
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\VSTSKMGR.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\WINNT\SYSTEM32\3cshtdwn.exe
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINNT\System32\cdplayer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\sphjfix107\SpHjfix.exe
    C:\My Download Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {48CAE454-28E4-455B-A3EE-8A44B78FA7F5} - C:\WINNT\system32\gfnbcna.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RealDownload.lnk = C:\RealDownload\Realdownload.exe
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08b270e8c6037c010c06/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.8812037037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D2ADB4D1-5860-472D-A8B2-5198ED742B42}: NameServer = 207.69.188.187 207.69.188.186

    On the positive side of things, the disturbing web sites seem to have disappeared from my bookmarks. :D But my home page is still captive. :(

    Can you help me?

    Thanks bunches.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi Ninox,

    I can help but you will need IE6 SP1. Select the correct language here: http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp
    and visit Windows update after you finished the install

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {48CAE454-28E4-455B-A3EE-8A44B78FA7F5} - C:\WINNT\system32\gfnbcna.dll

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08b270e8c6037c010c06/netzip/RdxIE601.cab

    Regards,

    Pieter
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

    Then reboot and scan with AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913
     
  7. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Hello Pieter,

    I'm not sure if it worked. I do have my home page again :D. I ran Ad-aware as you recommended and came up with a number of things which I got rid of. I ran it again as a double-check. All clear.

    However, when I ran Spybot (just in case), I came up with one item. I fixed it, but pasted the log here. I also ran HijackThis again. There is at least one more additional item than the last time I ran it (just before removing the items you listed). (I'm referring to the last item in the list. Where did it come from?)

    Spybot
    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-21-790525478-484763869-1957994488-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-05-12 Includes\Cookies.sbi
    2004-05-12 Includes\Dialer.sbi
    2004-05-12 Includes\Hijackers.sbi
    2004-05-12 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-05-12 Includes\Malware.sbi
    2004-05-12 Includes\Revision.sbi
    2004-05-12 Includes\Security.sbi
    2004-05-12 Includes\Spybots.sbi
    2004-05-12 Includes\Tracks.uti
    2004-05-12 Includes\Trojans.sbi


    HijackThis
    Logfile of HijackThis v1.97.7
    Scan saved at 1:51:20 AM, on 5/27/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\AMGRSRVC.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan NT\MCSHIELD.EXE
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\VSTSKMGR.EXE
    C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINNT\SYSTEM32\3cshtdwn.exe
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\WINNT\System32\cdplayer.exe
    C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINNT\msagent\AgentSvr.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
    C:\My Download Files\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RealDownload.lnk = C:\RealDownload\Realdownload.exe
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.8812037037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D2ADB4D1-5860-472D-A8B2-5198ED742B42}: NameServer = 207.69.188.187 207.69.188.186

    Is my computer close to being clean? (And these are just random questions in the off chance you feel like answering: What was this thing doing? Is some of my stuff now floating around in some other computer system somewhere? Assuming everything gets fixed/is already fixed, how much should I worry about what it did?)

    Anyways, again, thank you very much for your help :)
     
  8. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    :doubt: Okay, maybe that last line was fine. But Spybot keeps finding the same object. I tell it to fix the problem, but it reappears again. Ad-aware, however, says everything is fine.

    Thanks again :)
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi Ninox,

    I would ignore the Spybot warning since general consensus is it's a false positive.

    CWS is obnoxious and hard to remove, but mostly a hijacker using trojan techniques. It does not copy and/or sell personal data as far as I know.

    Your log looks clean.
    Read here: https://www.wilderssecurity.com/showthread.php?t=27971
    how to keep it that way.

    Regards,

    Pieter
     
  10. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Hello Pieter,

    "I would ignore the Spybot warning since general consensus is it's a false positive."

    General consensus?

    Anyways, everything seems good. My computer behaves. I'm happy. You're absolutely wonderful. Thank you so very much!

    :D
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.