jojohns Posted May 10, 2005

Somehow, probably thanks to my 16 year old son, I've been infected with the about:blank malware. I am running ZoneAlarm security suite and Ad-Aware but it is beating them. I switched to Firefox and love it but I'd really like to be able to use IE for security updates etc. Also my non-computer-literate husband doesn't want to make the switch to a different browser so for the time being he is banned from using the computer.

Below is the log file from HijackThis. Thanks in advance for all of your help.

Logfile of HijackThis v1.99.1
Scan saved at 9:04:51 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Wegmans\ScreenSaver\TA\WGSSTray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG05.EXE
C:\Documents and Settings\JoanneM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0785516A-99D7-B02D-1CAF-A1BA393086F8} - C:\WINDOWS\system32\atllv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Meedia Player] wmediaplayer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\RunServices: [Windows Meedia Player] wmediaplayer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: Wegmans ScreenSaver.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs8b.instantservice.com/jars/customerxsigned41.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,20/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/Lig...loadControl.cab
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOAD\RNetPin.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleDevSuiteHomeClientCache - Unknown owner - C:\DevSuiteHome\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
alsocom Posted May 10, 2005

Hello jojohns and welcome to BestTechie.

You may want to print out these instructions or save them to your desktop as a text file with Notepad, because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

1. Move HijackThis to a permanent folder:
HijackThis needs to be unzipped into a permanent folder in order to save backups just in case something goes wrong.
Go to Start > My Computer and double-click on C:. Now right-click an open area and click New > Folder and change the folder name to HJT. Extract HijackThis from the zipped file into this new folder.

2. Prepare CWShredder for use:
Download CWShredder.
Save CWShredder.exe to a convenient location.
Please do not do anything with it yet.

3. Prepare AboutBuster for use:
Download AboutBuster.
Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update".
You should not run the program yet, so click "Exit".

4. Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

5. Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

6. Run CWShredder:
Double-click on CWShredder.exe.
Click "Fix ->" and click "OK" at the prompt.
CWShredder will scan and clean your system of CWS files.
Click "Next->" and then "Exit".

7. Run AboutBuster and save the logs:
Browse to where you saved AboutBuster and run AboutBuster.exe.
Click OK at the directions prompt.
Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shut down explorer.exe.
It will begin scanning your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it, as I need a copy of it.

8. Fix with HijackThis:
Open HijackThis, run a scan and check the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0785516A-99D7-B02D-1CAF-A1BA393086F8} - C:\WINDOWS\system32\atllv.dll
O4 - HKLM\..\Run: [Windows Meedia Player] wmediaplayer.exe
O4 - HKLM\..\RunServices: [Windows Meedia Player] wmediaplayer.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

With all other programs and browsers closed, click "Fix checked".

9. Delete the following file:
You'll need to search for this file with Explorer to delete it. It may be in C:\WINDOWS\system32\ or C:\WINDOWS\ (Start > Search > All files and folders > More advanced options; place a check in the first three boxes).
wmediaplayer.exe

10. Clean out temporary files:
Start | Run | type cleanmgr | OK
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Click "OK" to remove them.
Click "Yes" to confirm the deletion.

11. Restart your computer normally to return to normal mode.

12. Free TrendMicro Housecall scan:
You'll need to use Internet Explorer or Netscape browsers to run this scan.
Visit the TrendMicro Housecall website.
Select your country from the drop-down list and click "Go".
Choose "Yes" at the ActiveX Security Warning prompt.
Please wait while the Housecall engine is updated.
Select the drives to be scanned by placing a check in their respective boxes.
Check the "Auto Clean" box.
Click "SCAN" in order to begin scanning your system.
Please be patient while Housecall scans your system for malicious files.
If not auto-cleaned, remove anything it finds.
Click "Close" to exit the Housecall scanner.
Choose "Yes" at the HouseCall message prompt.

13. Prepare your reply:
Please post a fresh HijackThis log as a reply to this thread.
Please post the AboutBuster log.
Please note any complications you had.
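The entries alsocom picks out of jojohns's log are not random: each one matches a pattern that helpers on these forums treated as a hallmark of the CoolWebSearch about:blank hijack (search pages served from a local DLL via res://, a removed URLSearchHook, a nameless BHO, an autorun entry with a bare executable name, IE restriction policies, and a downloaded ActiveX control with no source URL). The following Python script is an added example, not part of either post and not HijackThis code: it parses HijackThis-style lines and applies those heuristics so a reader can see why the fix list contains exactly those entries. The sample lines are copied from the log above; the regexes and the reason strings are my own assumptions about what to flag, and a bare executable name in particular is only a prompt for review, not proof of infection.

```python
import re

# Constructed sample: a subset of lines from the HijackThis log in the thread,
# mixing the entries alsocom told the poster to fix with benign neighbours.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hknea.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0785516A-99D7-B02D-1CAF-A1BA393086F8} - C:\WINDOWS\system32\atllv.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Windows Meedia Player] wmediaplayer.exe
O4 - HKLM\..\RunServices: [Windows Meedia Player] wmediaplayer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
"""

# "Rn - body" / "On - body" / "Fn - body": HijackThis section code, then the entry.
ENTRY = re.compile(r"^(R\d|O\d+|F\d) - (.*)$")
# A search/start page served out of a local DLL resource instead of a web URL.
RES_DLL = re.compile(r"res://.*\.dll/", re.IGNORECASE)
# "[name] prog.exe ..." where the command is a bare file name with no path
# component (no backslash, drive colon, or slash before the .exe).
BARE_EXE = re.compile(r'\]\s+"?([^\\"/:\s]+\.exe)"?(\s.*)?$', re.IGNORECASE)


def parse_entry(line):
    """Return (section, body) for a HijackThis line, or (None, line) if it is not one."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else (None, line.strip())


def suspicious_reason(section, body):
    """Heuristic (assumed, not HijackThis's own) for why an entry deserves a look."""
    if section in ("R0", "R1") and RES_DLL.search(body):
        return "IE search/start page served from a local DLL resource (CWS about:blank hallmark)"
    if section == "R3" and "missing" in body:
        return "default URLSearchHook has been removed"
    if section == "O2" and body.startswith("BHO: (no name)"):
        return "browser helper object registered without a name"
    if section == "O4" and BARE_EXE.search(body):
        return "autorun entry uses a bare executable name with no full path (review)"
    if section == "O6" and "Policies" in body:
        return "IE restriction policy present; user settings are locked down"
    if section == "O16" and body.rstrip().endswith("-"):
        return "downloaded ActiveX control with no source URL"
    return None


def triage(log_text):
    """Return a list of (section, reason, original_line) for every flagged entry."""
    findings = []
    for line in log_text.splitlines():
        section, body = parse_entry(line)
        if section is None:
            continue
        reason = suspicious_reason(section, body)
        if reason:
            findings.append((section, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the whole log in the first post, the flagged set is the fix list in step 8 plus the nwiz.exe autorun entry, which is the NVIDIA helper and a reminder that the bare-name rule only asks for a look; the dellnet.com start page, the Acrobat and Google BHOs, and the ActiveX controls with real download URLs all pass.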