[solved]HijackThis log (possible StartPage-DU trojan / about:blank infection)

Discussion in 'adware, spyware & hijack cleaning' started by sirbartonslady, Jul 11, 2004.

Thread Status:
Not open for further replies.
  1. sirbartonslady

    sirbartonslady Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14
    Location:
    Oregon
    Here's my HijackThis log

    NOTE: I inserted the word <deleted> in place of certain directories that I feel uncomfortable revealing

    ------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 9:42:40 PM, on 7/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Microsoft Office\Office10\msohtmed.exe
    C:\Program Files\Microsoft Office\Office10\msohtmed.exe
    C:\Program Files\Microsoft Office\Office10\msohtmed.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Office\Office10\msohtmed.exe
    C:\Program Files\Microsoft Office\Office10\msohtmed.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\<deleted>\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38065.0173611111
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
     
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    Hello sirbartonslady,

    First things first. Go to Add/Remove programs and uninstall MyWebSearch/MyWay. If I remember correctly, you need to be online when uninstalling.

    Run Hijackthis again and check these items and then on Fix:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab

    Reboot and run Hijackthis again and post a new log here.
     
  3. sirbartonslady

    sirbartonslady Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14
    Location:
    Oregon
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    Updated HIJACKTHIS Log

    ~~~

    Logfile of HijackThis v1.97.7
    Scan saved at 2:39:31 AM, on 7/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Documents and Settings\<deleted>\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E793E41-E33C-431F-95BF-5D460AE6242C} - C:\WINDOWS\System32\oamhi.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38065.0173611111
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab


    I also want to get rid of that stupid Casino Online thingy, it pops up every now and then, and the only way to get rid of it is it go into my task-manager and disable that process. I don't know where I picked it up but it's not leaving me alone!


    I read somewhere online that that SP.HTML is the little devil I need to ditch, that that is the root of this infection.... is this true?
     
  4. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    Hello,

    Yes you are right. Temp\sp.html is the devil and it didn't show itself on your first log. But that may not be the only devil. This usually has a hidden dll we need to find.

    Ok, this is how we fix:

    I would first like you to download Adaware if you don't already have it (don't run it yet, but I would like you to open it and update the reference file and then close it.)

    Next, Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

    Close all windows except HijackThis and check these lines then click on Fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\<deleted>\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {7E793E41-E33C-431F-95BF-5D460AE6242C} - C:\WINDOWS\System32\oamhi.dll (file missing)


    Don't reboot yet.

    Start APM (the program you downloaded second)
    In the upper window select explorer.exe
    In the lower window find and rightclick C:\WINDOWS\System32\oamhi.dll (you may not find this in the list, if not, go straight to the part about the coping of the text box and do that. You can also skip running Adaware if you don't find this dll)
    Select Unload DLL and click OK on the prompts that follow.

    Reboot and scan with AdAware (the first program you downloaded)

    Reboot. Now, do the following

    Copy the contents of the quote box to Notepad.
    Name the file Appinit.bat
    Save as type All Files
    Save on the Desktop.

    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Copy and paste that log here along with a new HJT log.
     
  5. sirbartonslady

    sirbartonslady Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14
    Location:
    Oregon
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    ....are you sure you want this "windows.txt" printout? Talk about gibberish... well, if you say so. ;)

    Windows.txt content
    ------------------------------

    regf       Pugf hbin  ¨ÿÿÿnk, ö-x=a'Ä ÿÿÿÿ ÿÿÿÿÿÿÿÿ ð x ÿÿÿÿ 0 8 0 0  Windows ÿÿÿsk x x  Ô  „¸ È   ¤       !  €  !  ?          ?               Øÿÿÿvk 8    fùAppInit_DLLsÖæGÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ s q l . d l l [‹¸ h Ðÿÿÿvk     ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  ( ðÿÿÿ9 0  ë=tÀÐÿÿÿvk  €'   zGDIProcessHandleQuota"þàÿÿÿvk  x   °ºSpooler2ðÿÿÿy e s
    Ñ_å h Ø ( X * àÿÿÿvk  €   5swapdiskÐÿÿÿvk     . TransmissionRetryTimeoutàÿÿÿh Ø ( X * À  Ðÿÿÿvk  €'   b USERProcessHandleQuota3 À

    ------------------------------

    Latest HijackThis log
    ------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 6:42:52 PM, on 7/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\fxssvc.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Documents and Settings\<deleted>\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38065.0173611111
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
     
  6. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    Hello,

    Yep, it gave me what I needed. You have a hidden dll we need to get rid of.
    It is C:\WINDOWS\System32\sql.dll

    I need to ask you a few questions before we go on with the fix:

    Do you have Window XP or Pro?

    Is your file system NTFS or Fat32? You can check this by going to My Computer and highlighting your C:drive and right clicking on it. Go to Properties and select. It will tell you near the top what file system you have.
     
  7. sirbartonslady

    sirbartonslady Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14
    Location:
    Oregon
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    I have the Home Edition with the Service Pack, and the file system is NTFS
     
  8. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    Ok, this is what we need to do:

    If you don't know how to boot into Safe Mode, go here and learn:
    safe mode

    You will have to do this further down.

    If you don't have CWShredder on your computer, download it now from here:
    http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Don't run it yet.

    Download this file and then immediately sign off the
    internet and stay off until all steps are finished.

    http://computercops.biz/modules.php?nam...ad&id=1183

    Extract the batch file (hiving.bat) and run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box. Double click on the batch to run it. After a reboot the super hidden nasty file will no longer be loaded and will be visible. This will end the constant reinstall of about:Blank.

    ----------------------
    You run Home and so you will restart into Safe mode.

    Restart into Safe mode and find this file:
    C:\WINDOWS\System32\sql.dll


    Use the security tab on sql.dll and take ownership.
    Change the 'everyone special' to
    'you> with Admin rights-> FULL control
    Then try to delete it, if that fails try to rename
    it first to different name+ext.
    Example:
    log.dll>bleh.txt
    bleh.txt > badfile.111

    Once you have successfully deleted the file restart into Regular Windows mode.

    Extract and Run CWShredder immediately (check for updates first and then make sure you click on Fix and not Scan.)
    Press the fix button to clean.

    Restart and run hijackThis again.

    Post your new log here in your next reply.

    Also please create a new Windows.txt and attach it so we can doublecheck.
     
  9. sirbartonslady

    sirbartonslady Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14
    Location:
    Oregon
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    I'm getting ready to do as you said, but there is one problem...

    I have DSL -- the internet is always on. I can close all browsers, but I can't really "sign off" the internet because it's an always-on connection.

    Should I temporarily disconnect the cable (don't really want to do that, because I've had problems before with it not wanting to work right)?
     
  10. sirbartonslady

    sirbartonslady Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14
    Location:
    Oregon
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    I also can't seem to access that one file... it gives me...
     
  11. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    Hi,

    You just need to have all browsers closed so that you are not on the internet.

    I am looking for someplace else for you to get that file. I will post back with one.
     
  12. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    Ok, try this one:

    hiving.bat

    If it works, then continue with the instructions.

    If this link doesn't work then do this:

    Copy the contents of this qoute box into NotePad and save it
    as hiving.bat

    Code:
    @echo off 
    Echo Working
    
    Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
    If ERRORLEVEL==1 GoTo End  
     GoTo DOIT
    :End
    
     echo >not.vbs MsgBox "No Appinit_Dlls value Present" ^& vbcrlf ^& "Removal Aborted"
    Wscript.exe not.vbs
    del not.vbs
    Exit
    
    :DOIT
    If exist backup.hiv del  backup.hiv
    If exist f.hiv del f.hiv
    
    reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" backup.hiv
    :one
    
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    if not exist backup.hiv goto one
    
    Reg Delete  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f
    
    
    Reg add  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
    :Notthere
    
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
    IF ERRORLEVEL ==1 Go to Notthere
    
    reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" backup.hiv
    
    :two
    
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    Reg Query  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls 
    IF ERRORLEVEL==1   GOTO two
    
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls /f
    :appy
    
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
    If Not ERRORLEVEL==1   GOTO appy
    
    Reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" f.hiv
    :three
    
    PING 1.1.1.1 -n 4 -w 1000 >NUL
    if not exist f.hiv GOTO three
    
    Reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /f
    
    Reg Add  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    :four
    
    PING 1.1.1.1 -n 1 -w 1000 >NUL
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    If ERRORLEVEL==1 GOTO  four
    
    :five
    
    
    
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    Reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" f.hiv
    Reg Query  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v USERProcessHandleQuota
    If ErrorLevel==1  GOTO five
    
    If exist f.hiv ren f.hiv fbackup.hiv
    
    Echo > finished.vbs MsgBox "Done"
    Wscript.exe finished.vbs
    del finished.vbs
     
  13. sirbartonslady

    sirbartonslady Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14
    Location:
    Oregon
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    @_@ oy vey, what an ordeal!

    Okay, new windows.txt printout

    ~~~~~~~~~~

    regf       Pugf hbin  *ÿÿÿnk, ”s“ªøiÄ ÿÿÿÿ ÿÿÿÿÿÿÿÿ À € ÿÿÿÿ 0 8 0 0  Windowsows Ž6ÿÿÿsk € €  Ô  „¸ È   ¤       !  €  !  ?          ?               Ðÿÿÿvk  *   ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  (  p Ðÿÿÿvk  €'   zGDIProcessHandleQuota"þðÿÿÿ9 0  ë=tÀàÿÿÿvk     °ºSpooler2ðÿÿÿy e s
    Ñ_åàÿÿÿvk  €   5swapdisk p ¸ ø ( ` Ðÿÿÿvk  è   . TransmissionRetryTimeoutÐÿÿÿvk  €'   b USERProcessHandleQuota3 àÿÿÿp ¸ ø ( ` 

    ~~~~~~~~~~


    And new HijackThis log


    Logfile of HijackThis v1.97.7
    Scan saved at 4:53:05 PM, on 7/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\AIM\aim.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\svchost.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\<deleted>\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38065.0173611111
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
     
  14. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    Hi,

    Oh yeah, much better and the hidden dll is gone. How are things working for you now? Log looks good. You did a great job following directions.
     
  15. sirbartonslady

    sirbartonslady Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14
    Location:
    Oregon
    Re: HijackThis log (possible StartPage-DU trojan / about:blank infection)

    So I'm done? I haven't had that virus-scan come up again. Yay! Cool! Thank you muchly! :D
     
  16. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
Thread Status:
Not open for further replies.