Help needed with about:blank

Discussion in 'adware, spyware & hijack cleaning' started by Ninox, May 25, 2004.

Thread Status:
Not open for further replies.
  1. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Hello, my homepage has been locked onto about:blank (which isn't actually blank - it seems to be a web site directory) and some truly disturbing web sites keep showing up on my bookmarks. I've also been seeing a dialogue box very like the one I use to dial up the internet, come up and ask to be connected. I've run both ad-aware and spybot, but one object continues to reappear.
    Here it is from Ad-Aware:
    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP

    And here is:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:23:59 PM, on 5/24/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP4 (5.51.3020.2100)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\AMGRSRVC.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan NT\MCSHIELD.EXE
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\VSTSKMGR.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINNT\System32\cdplayer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\SYSTEM32\3cshtdwn.exe
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\My Download Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {48CAE454-28E4-455B-A3EE-8A44B78FA7F5} - C:\WINNT\system32\gfnbcna.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RealDownload.lnk = C:\RealDownload\Realdownload.exe
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08b270e8c6037c010c06/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.8812037037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

    I hope someone can help.
    Thank you in advance.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Ninox,

    First make sure Windows and IE are fully updated.

    Download and unzip: http://www.rokop-security.de/main/download.php?op=getit&lid=59
    Then close as many programs as possible and click *Desinfektion starten*

    Your computer will reboot and start with the same program.
    Close it and run HijackThis again. Post the new log.

    Regards,

    Pieter
     
  3. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Re: Help needed with about:blank (Just a question)

    Hello Pieter,

    No HijackThis log yet - I am at work and it's my home computer that has problems.

    But am I correct in my understanding? There is a program/file on my computer that is hidden from spybot and other similar programs. It creates a visible file which can be removed, but it remains. Like a weed.

    Would this work?

    Download http://www.resplendence.com/download/reglite.exe
    Open reglite and paste this value in the address bar:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    Then double click:

    AppInit_DLLs

    You should be able to see a file with this address:

    C:\Windows\System32\"Hidden".dll

    Install the Windows Recovery Console Option.
    Then, in the Windows Recovery Console, go to C:\Windows\System32 and modify the file there using the Attrib command; otherwise you won't be able to erase it. Another way is to change the name of the file.

    C:\Winnt\System32: rename wdm.dll about_blank
    C:\Winnt\System32: attrib -R about_blank

    Reboot your system and open reglite again, go back to the same key:

    AppInit_DLLs and delete the value.


    So, what do you think?

    And thank you again for your time and assistance :)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    That is another way to tackle the problem. (or rather doing manually what the program does)

    Whatever you prefer, Ninox.

    Regards,

    Pieter
     
  5. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Hello Pieter,

    I'm sorry to say neither of the two options I tried worked.

    You suggested that I try this:

    Download and unzip: http://www.rokop-security.de/main/d...op=getit&lid=59
    Then close as many programs as possible and click *Desinfektion starten*

    Your computer will reboot and start with the same program.
    Close it and run HijackThis again. Post the new log.


    However, when I clicked "start disinfection", the header bar read
    "SP.html - Hijack Fixer --> not infected!" and nothing else happened.

    I also tried:

    Download http://www.resplendence.com/download/reglite.exe
    Open reglite and paste this value in the address bar:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


    but nothing showed in the value.

    Nonetheless, I ran HijackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:54:14 PM, on 5/25/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP4 (5.51.3020.2100)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\AMGRSRVC.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan NT\MCSHIELD.EXE
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\VSTSKMGR.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\WINNT\SYSTEM32\3cshtdwn.exe
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINNT\System32\cdplayer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\sphjfix107\SpHjfix.exe
    C:\My Download Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {48CAE454-28E4-455B-A3EE-8A44B78FA7F5} - C:\WINNT\system32\gfnbcna.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RealDownload.lnk = C:\RealDownload\Realdownload.exe
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08b270e8c6037c010c06/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.8812037037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D2ADB4D1-5860-472D-A8B2-5198ED742B42}: NameServer = 207.69.188.187 207.69.188.186

    On the positive side of things, the disturbing web sites seem to have disappeared from my bookmarks. :D But my home page is still captive. :(

    Can you help me?

    Thanks bunches.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Ninox,

    I can help but you will need IE6 SP1. Select the correct language here: http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp
    and visit Windows Update after you have finished the install.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {48CAE454-28E4-455B-A3EE-8A44B78FA7F5} - C:\WINNT\system32\gfnbcna.dll

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08b270e8c6037c010c06/netzip/RdxIE601.cab

    Regards,

    Pieter
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

    Then reboot and scan with AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913
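
Added example, not part of the original thread and not HijackThis code: the fix list above pairs every `res://...gfnbcna.dll/sp.html` browser setting with the O2 BHO entry that loads the same DLL, and this sketch automates that correlation over a pasted log. The regular expressions are assumptions derived from the log lines shown in this thread, not a HijackThis format specification, and `triage` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gfnbcna.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {48CAE454-28E4-455B-A3EE-8A44B78FA7F5} - C:\WINNT\system32\gfnbcna.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
"""

# Assumed shape of an R entry: "<code> - <registry key>,<value name> = <data>"
R_ENTRY = re.compile(r"^(R[0-3]) - (.+?),([^,=]+?) = (.*)$")
# Assumed shape of an O2 entry: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_ENTRY = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# A res:// URL serves a page out of a local DLL's embedded resources
RES_URL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)


def triage(log_text):
    """Return DLLs that are both the target of a res:// browser setting and
    loaded as a Browser Helper Object, with the entries that reference them."""
    res_refs = defaultdict(list)   # dll path -> registry settings pointing at it
    bhos = defaultdict(list)       # dll path -> CLSIDs loading it as a BHO
    for line in log_text.splitlines():
        line = line.strip()
        m = R_ENTRY.match(line)
        if m:
            url = RES_URL.search(m.group(4))
            if url:
                # Windows paths are case-insensitive, so compare in lower case.
                # 8.3 short names (PROGRA~1) are not expanded here.
                res_refs[url.group(1).lower()].append(f"{m.group(2)},{m.group(3)}")
            continue
        m = BHO_ENTRY.match(line)
        if m:
            bhos[m.group(2).strip().lower()].append(m.group(1))
    return {dll: {"settings": res_refs[dll], "bho_clsids": bhos[dll]}
            for dll in res_refs if dll in bhos}


if __name__ == "__main__":
    for dll, hits in triage(SAMPLE_LOG).items():
        print(dll)
        for clsid in hits["bho_clsids"]:
            print("  BHO    ", clsid)
        for setting in hits["settings"]:
            print("  setting", setting)
```

A DLL that appears only as a BHO (such as Spybot's SDHelper.dll) or a setting with a plain value (such as `about:blank`) is not reported; only the overlap is.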
     
  7. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Hello Pieter,

    I'm not sure if it worked. I do have my home page again :D. I ran Ad-aware as you recommended and came up with a number of things which I got rid of. I ran it again as a double-check. All clear.

    However, when I ran Spybot (just in case), I came up with one item. I fixed it, but pasted the log here. I also ran HijackThis again. There is at least one more additional item than the last time I ran it (just before removing the items you listed). (I'm referring to the last item in the list. Where did it come from?)

    Spybot
    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-21-790525478-484763869-1957994488-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-05-12 Includes\Cookies.sbi
    2004-05-12 Includes\Dialer.sbi
    2004-05-12 Includes\Hijackers.sbi
    2004-05-12 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-05-12 Includes\Malware.sbi
    2004-05-12 Includes\Revision.sbi
    2004-05-12 Includes\Security.sbi
    2004-05-12 Includes\Spybots.sbi
    2004-05-12 Includes\Tracks.uti
    2004-05-12 Includes\Trojans.sbi


    HijackThis
    Logfile of HijackThis v1.97.7
    Scan saved at 1:51:20 AM, on 5/27/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\AMGRSRVC.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan NT\MCSHIELD.EXE
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\VSTSKMGR.EXE
    C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINNT\SYSTEM32\3cshtdwn.exe
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\WINNT\System32\cdplayer.exe
    C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINNT\msagent\AgentSvr.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
    C:\My Download Files\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RealDownload.lnk = C:\RealDownload\Realdownload.exe
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.8812037037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D2ADB4D1-5860-472D-A8B2-5198ED742B42}: NameServer = 207.69.188.187 207.69.188.186

    Is my computer close to being clean? (And these are just random questions in the off chance you feel like answering: What was this thing doing? Is some of my stuff now floating around in some other computer system somewhere? Assuming everything gets fixed/is already fixed, how much should I worry about what it did?)

    Anyways, again, thank you very much for your help :)
     
  8. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    :doubt: Okay, maybe that last line was fine. But Spybot keeps finding the same object. I tell it to fix the problem, but it reappears again. Ad-aware, however, says everything is fine.

    Thanks again :)
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Ninox,

    I would ignore the Spybot warning since general consensus is it's a false positive.

    CWS is obnoxious and hard to remove, but mostly a hijacker using trojan techniques. It does not copy and/or sell personal data as far as I know.

    Your log looks clean.
    Read here: https://www.wilderssecurity.com/showthread.php?t=27971
    how to keep it that way.

    Regards,

    Pieter
     
  10. Ninox

    Ninox Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Hello Pieter,

    "I would ignore the Spybot warning since general consensus is it's a false positive."

    General consensus?

    Anyways, everything seems good. My computer behaves. I'm happy. You're absolutely wonderful. Thank you so very much!

    :D
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands