TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Mark. G on March 22, 2005, 03:49:07 PM
-
Can someone help me?
My computer is infected by, at least, the "about:blank" thing. Apparently it has other things in there as well. I was getting help on another web forum, but the chap has disappeared.
Please help if you can, I don't want to format the computer.
I'm not a computer wizard, so the help needs to be at walking pace. lol
My HijackThis log file is:
Logfile of HijackThis v1.99.1
Scan saved at 20:43:47, on 22/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\ABOUTBUSTER\ABOUTBUSTER\ABOUTBUSTER.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS1991.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {26C2A008-9AFE-11D9-845B-00001319E6A7} - C:\WINDOWS\SYSTEM\PCPD.DLL
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O18 - Filter: text/html - {80451DE0-9788-11D9-845B-0000484FEFE5} - C:\WINDOWS\SYSTEM\PCPD.DLL
O18 - Filter: text/plain - {80451DE0-9788-11D9-845B-0000484FEFE5} - C:\WINDOWS\SYSTEM\PCPD.DLL
-
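An added example from the editor, not part of any post in this thread and not HijackThis code: the log above carries the whole pattern of a 2005 IE search hijack in a handful of line types, and a short triage script can pull them out mechanically. It flags R0/R1 entries that point at about:blank or at a res:// page served from a DLL in TEMP, O1 hosts entries that send search domains to a third-party address (a loopback mapping, like the 127.0.0.1 blocklist entries that turn up in the hosts backup files later in the thread, is not a redirect and is left alone), O4 autoruns launched from TEMP or through rundll32 ...,DllInstall, O15 Trusted Zone additions, O16 ActiveX entries that use the ms-its:/mhtml: CHM loader, and O18 MIME filters for text/html and text/plain. It also cross-references the DLL behind an unnamed BHO with the DLL behind the MIME filter, since one DLL in both roles is what actually injects the hijack page. The sample is a constructed subset: lines copied from the logs in this thread plus one loopback hosts line to show the negative case. The rule that a stock IE 6 registers no text/* MIME filter and never points search settings at about:blank or a DLL in TEMP is the assumption the heuristic rests on.

```python
"""Triage a HijackThis 1.99 log for the marks of an IE search hijack.

Added example for this thread; not HijackThis code and not from any post.
SAMPLE_LOG is a constructed subset of lines copied from the logs above.
"""
import re
from collections import defaultdict

# Addresses a hosts-file blocklist maps names to; anything else is a redirect.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption: a stock IE 6 never points its search settings at about:blank
# or at a res:// page inside a DLL living in the TEMP directory.
SUSPICIOUS_URL = re.compile(r"about:blank|res://.*\\temp\\", re.I)
# Autoruns launched from TEMP, or a DLL entry point via rundll32 ...,DllInstall.
SUSPICIOUS_RUN = re.compile(r"\\temp\\|rundll32\s+\S+,DllInstall", re.I)
# ActiveX (O16) entries that pull an executable out of a CHM via ms-its:/mhtml:.
EXPLOIT_DPF = re.compile(r"ms-its:|mhtml:|\.chm::", re.I)

# "R1 - ..." / "O18 - ..." ; everything else in the log is ignored.
LINE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<rest>.*)$")


def triage(log_text):
    """Return {finding: [evidence, ...]} for one HijackThis log."""
    findings = defaultdict(list)
    dll_roles = defaultdict(set)            # DLL path -> {"O2", "O18"}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                        # header, process list, blank line
        sec, rest = m.group("sec"), m.group("rest")
        if sec in ("R0", "R1") and SUSPICIOUS_URL.search(rest):
            findings["hijacked_ie_setting"].append(rest)
        elif sec == "O1":
            parts = rest.split(None, 2)     # ['Hosts:', address, name]
            if len(parts) == 3 and parts[1] not in LOOPBACK:
                findings["hosts_redirect"].append((parts[1], parts[2]))
        elif sec == "O2" and rest.startswith("BHO: (no name)"):
            findings["unnamed_bho"].append(rest)
            dll_roles[rest.rsplit(" - ", 1)[-1].upper()].add(sec)
        elif sec == "O4" and SUSPICIOUS_RUN.search(rest):
            findings["autorun_from_temp_or_dllinstall"].append(rest)
        elif sec == "O15" and rest.startswith(
                ("Trusted Zone:", "Trusted IP range:", "ProtocolDefaults:")):
            findings["trusted_zone_tampering"].append(rest)
        elif sec == "O16" and EXPLOIT_DPF.search(rest):
            findings["chm_mhtml_dropper"].append(rest)
        elif sec == "O18" and rest.startswith("Filter: text/"):
            findings["mime_filter"].append(rest)
            dll_roles[rest.rsplit(" - ", 1)[-1].upper()].add(sec)
    # The same address repeated for many names is one redirect, not many.
    findings["hosts_redirect"] = sorted(set(findings["hosts_redirect"]))
    # One DLL acting as both BHO and text/html filter is the hijack's core.
    findings["bho_with_mime_filter"] = sorted(
        path for path, roles in dll_roles.items() if roles == {"O2", "O18"})
    return dict(findings)


# Constructed sample: lines from the logs in this thread, plus one loopback
# hosts line (a blocklist entry, must NOT be flagged) for the negative case.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 qoologic.com
O2 - BHO: (no name) - {26C2A008-9AFE-11D9-845B-00001319E6A7} - C:\WINDOWS\SYSTEM\PCPD.DLL
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://iframedollars.biz/dl/adv519/x.chm::/load.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Filter: text/html - {80451DE0-9788-11D9-845B-0000484FEFE5} - C:\WINDOWS\SYSTEM\PCPD.DLL
O18 - Filter: text/plain - {80451DE0-9788-11D9-845B-0000484FEFE5} - C:\WINDOWS\SYSTEM\PCPD.DLL
"""

if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_LOG).items():
        print(f"{kind}: {len(evidence)}")
        for item in evidence:
            print("   ", item)
```

Run it against a full log saved from HijackThis and the per-kind counts tell you at a glance whether you are looking at one hijacker with many footprints or several unrelated problems; the hosts redirect collapsing to a single address, and one DLL appearing under both O2 and O18, are the two signs that it is a single family.
-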
You look like you may have removed needed entries from your log.
How come?
What have you fixed so far?
Can you open HijackThis >> Open Backups list and restore all backups?
Could you also let me know, besides About:Buster, what other fixes you have tried?
Can you also do this for me please:
=============================================
Download STARTDRECK (http://members.blackbox.net/hp_links/21/nikolaus.rameis/_data/startdreck.zip)
Unzip it to its own folder
run StartDreck.exe:
Hit: -config
Hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.
Use the "save" tab, to save, name and post the log
================================================
Next: Download Findit9xme.zip
(attachment: Findit9xme.zip)
Save it and unzip it to your desktop
Open the folder FindIt9xMe and double click on Findit9xMe.bat. It will run for a bit, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.
Give this time to finish
Also post back a fresh Hijackthis log
-
Hi guestolo, and thanks for answering my plea for help.
As for removing things, I just did what another guy told me to do. I can't get in touch with him now.
I'll now print your instructions and carry them out.
I've tried AboutBuster, Ad-Aware SE Professional, Spybot S&D, Avast, VX Anti-virus Cleaner. I've also run Pocket KillBox as previously instructed, but I don't think it ran properly, as I did not get any "pending operations" prompts like the other guy said I should, or a reboot prompt, also as he said I should.
I have EndItAll, and when I run it, there seems to be a Rundll 697 there whenever these pop-ups appear.
As I said before, I don't know much about computers, viruses and such, so I'm at your mercy, and need to go at walking pace.
Thanks, I'll post my latest log file when I've done what you say.
Mark.
-
Done the StartDreck thing. Here is the log:
StartDreck (build 2.1.7 public stable) - 2005-03-23 @ 16:29:50 (GMT +00:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Mark and Tracey at MARK AND TRACEY
»Registry
»Run Keys
»Current User
»Run
*Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
*IncrediMail=C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
»RunOnce
»Default User
»Run
*Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
*IncrediMail=C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
»RunOnce
»Local Machine
»Run
*EnsoniqMixer=starter.exe
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
*VBouncer=C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
*vmss=C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
*Dvx=C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
*nsvcin=C:\N20050308.EXE
*FARMMEXT=C:\WINDOWS\FARMMEXT.exe
*ffis=C:\WINDOWS\isrvs\ffisearch.exe
*Desktop Search=C:\WINDOWS\isrvs\desktop.exe
*Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
*AWMON="C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE"
*OmgStartup=C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
*SystemTray=SysTray.Exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Spy Protector=C:\PROGRAM FILES\SECURITY TASK MANAGER\SPYPROTECTOR.EXE /autostart
*LoadQM=loadqm.exe
*rlacgvvd=c:\windows\system\rlacgvvd.exe
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*avast!=C:\Program Files\Alwil Software\Avast4\ashServ.exe
*CSINJECT.EXE=C:\Program Files\Norton CleanSweep\CSINJECT.EXE
»RunServicesOnce
**j=rundll32 C:\WINDOWS\MSDOSDKV.TXT,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{2472B9A8-9B8E-11D9-845B-0000DE6E8CA0}
`InprocServer32=C:\WINDOWS\SYSTEM\BLAO.DLL
»Files
»System/Drivers
»Running Processes
+FF0F6DB3=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF192B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF1133=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFF3E83=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE6E6F=C:\WINDOWS\RUNDLL32.EXE
+FFFE481B=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFFED9C3=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFE6C17=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFDE267=C:\WINDOWS\EXPLORER.EXE
+FFFC6BDB=C:\WINDOWS\RUNDLL32.EXE
+FFFCD08F=C:\WINDOWS\RUNDLL32.EXE
+FFFC9C43=C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
+FFFAB03B=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF95EAF=C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
+FFF60E6B=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFBC40B=C:\WINDOWS\NETDDE.EXE
+FFFBE52F=C:\WINDOWS\DESKTOP\HJT\STARTDRECK\STARTDRECK.EXE
»Application specific
Now going to do the findit9xme.zip thing, which I've already downloaded. Will post that log in another reply.
Mark.
-
Findit log file:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HARD DISK
Volume Serial Number is 0211-1CDD
Directory of C:\WINDOWS\SYSTEM
IFMUPG DLL 227,104 15/03/05 19:21 IFMUPG.DLL
WMKYSF EXE 401,408 11/01/05 14:11 wmkysf.exe
2 file(s) 628,512 bytes
0 dir(s) 1,679.66 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HARD DISK
Volume Serial Number is 0211-1CDD
Directory of C:\WINDOWS\SYSTEM
BAND EXE 1,024 15/03/05 13:45 band.exe
VMSS <DIR> 03/03/05 16:32 vmss
WSXSVC <DIR> 03/03/05 16:32 wsxsvc
WMKYSF EXE 401,408 11/01/05 14:11 wmkysf.exe
ZLLICTBL DAT 4,212 27/11/04 17:12 zllictbl.dat
LXAIMA GID 45,735 05/02/04 19:10 lxaima.GID
DESKTOP INI 266 15/01/02 21:37 desktop.ini
5 file(s) 452,645 bytes
2 dir(s) 1,679.66 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F06B1D22-1EDC-6EC8-A9F6-713D02526492}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
ifmupg.dll Tue 15 Mar 2005 19:21:54 ..S.R 227,104 221.78 K
wmkysf.exe Tue 11 Jan 2005 14:11:36 ..SHR 401,408 392.00 K
band.exe Tue 15 Mar 2005 13:45:14 ...H. 1,024 1.00 K
3 items found: 3 files, 0 directories.
Total of file sizes: 629,536 bytes 614.78 K
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\hosts.bak: 127.0.0.1 u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.bak: 127.0.0.1 qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1 adsrv.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1 updates.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1 www.qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1 u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1 qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1 adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1 updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1 www.qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1 u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1 qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1 adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1 updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1 www.qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1 u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1 qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1 adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1 updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1 www.qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1 u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1 qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1 adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1 updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1 www.qoologic.com
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\QMV.DLL: UMonitor
C:\WINDOWS\SYSTEM\RKCLTSCM.DLL: UMonitor
C:\WINDOWS\SYSTEM\OVADM400.DLL: UMonitor
C:\WINDOWS\SYSTEM\PASPL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MYCMS.DLL: UMonitor
C:\WINDOWS\SYSTEM\NNTBIOS.DLL: UMonitor
C:\WINDOWS\SYSTEM\ADVGA.DLL: UMonitor
C:\WINDOWS\SYSTEM\PWPD.DLL: UMonitor
C:\WINDOWS\SYSTEM\MHXML3.DLL: UMonitor
C:\WINDOWS\SYSTEM\DYIMAN32.DLL: UMonitor
C:\WINDOWS\SYSTEM\ilvu9_32.dll: UMonitor
C:\WINDOWS\SYSTEM\OSESVR.DLL: UMonitor
C:\WINDOWS\SYSTEM\RYCDLL.dll: UMonitor
C:\WINDOWS\SYSTEM\RICLTSPX.DLL: UMonitor
C:\WINDOWS\SYSTEM\wjspdmoe.dll: UMonitor
C:\WINDOWS\SYSTEM\IQNPSTUB.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVKMAINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\AZF16.DLL: UMonitor
C:\WINDOWS\SYSTEM\OZE2DISP.DLL: UMonitor
C:\WINDOWS\SYSTEM\MXSTKPRP.DLL: UMonitor
C:\WINDOWS\SYSTEM\dq8vb.dll: UMonitor
C:\WINDOWS\SYSTEM\MMTASK.DLL: UMonitor
C:\WINDOWS\SYSTEM\lWprxy.dll: UMonitor
C:\WINDOWS\SYSTEM\wpv9vcm.dll: UMonitor
C:\WINDOWS\SYSTEM\DLRAW.DLL: UMonitor
C:\WINDOWS\SYSTEM\phapi.dll: UMonitor
C:\WINDOWS\SYSTEM\lyailpa.dll: UMonitor
C:\WINDOWS\SYSTEM\lbaisk0.dll: UMonitor
C:\WINDOWS\SYSTEM\DOVENUM.DLL: UMonitor
C:\WINDOWS\SYSTEM\CKMCAT.DLL: UMonitor
C:\WINDOWS\SYSTEM\iiagr5.dll: UMonitor
C:\WINDOWS\SYSTEM\mIpi32.dll: UMonitor
C:\WINDOWS\SYSTEM\dfscript.dll: UMonitor
C:\WINDOWS\SYSTEM\DACPROP.DLL: UMonitor
C:\WINDOWS\SYSTEM\dy8vb.dll: UMonitor
C:\WINDOWS\SYSTEM\MGCO30.DLL: UMonitor
C:\WINDOWS\SYSTEM\WKW32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MCXML3.DLL: UMonitor
C:\WINDOWS\SYSTEM\dfmv2clt.dll: UMonitor
C:\WINDOWS\SYSTEM\DLngerous Creatures.dll: UMonitor
C:\WINDOWS\SYSTEM\WRDAP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\ppgfilt.dll: UMonitor
C:\WINDOWS\SYSTEM\mzexch40.dll: UMonitor
C:\WINDOWS\SYSTEM\CAOOSUSR.DLL: UMonitor
C:\WINDOWS\SYSTEM\MLMG13W.DLL: UMonitor
C:\WINDOWS\SYSTEM\ocpdx32.dll: UMonitor
C:\WINDOWS\SYSTEM\MUCI.DLL: UMonitor
C:\WINDOWS\SYSTEM\DSSERIAL.DLL: UMonitor
C:\WINDOWS\SYSTEM\OYFIL400.DLL: UMonitor
C:\WINDOWS\SYSTEM\MMRPJT40.DLL: UMonitor
C:\WINDOWS\SYSTEM\mbpatcha.dll: UMonitor
C:\WINDOWS\SYSTEM\DNrtWeb.dll: UMonitor
C:\WINDOWS\SYSTEM\TNOLHELP.DLL: UMonitor
C:\WINDOWS\SYSTEM\VPODEC32.DLL: UMonitor
C:\WINDOWS\SYSTEM\lvaiutil.dll: UMonitor
C:\WINDOWS\SYSTEM\DDGEST.DLL: UMonitor
C:\WINDOWS\SYSTEM\RVCRT4.DLL: UMonitor
C:\WINDOWS\SYSTEM\dNdim700.dll: UMonitor
C:\WINDOWS\SYSTEM\mibsync.dll: UMonitor
C:\WINDOWS\SYSTEM\SDI_CI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\lsaixc.dll: UMonitor
C:\WINDOWS\SYSTEM\VQAJET32.DLL: UMonitor
C:\WINDOWS\SYSTEM\DIKAPI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\wppcd.dll: UMonitor
C:\WINDOWS\SYSTEM\VFR.DLL: UMonitor
C:\WINDOWS\SYSTEM\SBI_CI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\SOTUPX.DLL: UMonitor
C:\WINDOWS\SYSTEM\dGdref.dll: UMonitor
C:\WINDOWS\SYSTEM\MP3216.DLL: UMonitor
C:\WINDOWS\SYSTEM\LRBAS06.DLL: UMonitor
C:\WINDOWS\SYSTEM\MQFS13W.DLL: UMonitor
C:\WINDOWS\SYSTEM\lsxlmpm.dll: UMonitor
C:\WINDOWS\SYSTEM\SUKIT432.DLL: UMonitor
C:\WINDOWS\SYSTEM\sfrrun.dll: UMonitor
C:\WINDOWS\SYSTEM\QJHNDLR.DLL: UMonitor
C:\WINDOWS\SYSTEM\RLCMQSVR.DLL: UMonitor
C:\WINDOWS\SYSTEM\ITGUTIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\CFYPTUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\liaijswr.dll: UMonitor
C:\WINDOWS\SYSTEM\DVGEST.DLL: UMonitor
C:\WINDOWS\SYSTEM\LUNKINFO.DLL: UMonitor
C:\WINDOWS\SYSTEM\akfsipc.dll: UMonitor
C:\WINDOWS\SYSTEM\IZMIGRAT.DLL: UMonitor
C:\WINDOWS\SYSTEM\JGEG2X32.DLL: UMonitor
C:\WINDOWS\SYSTEM\DRWSOCKX.DLL: UMonitor
C:\WINDOWS\SYSTEM\WK2_32.DLL: UMonitor
C:\WINDOWS\SYSTEM\SXTUP4.DLL: UMonitor
C:\WINDOWS\SYSTEM\SPCUR32.DLL: UMonitor
C:\WINDOWS\SYSTEM\orbcbcp.dll: UMonitor
C:\WINDOWS\SYSTEM\WJNTRUST.DLL: UMonitor
C:\WINDOWS\SYSTEM\MLCMS.DLL: UMonitor
C:\WINDOWS\SYSTEM\WLW32.DLL: UMonitor
C:\WINDOWS\SYSTEM\DQSERIAL.DLL: UMonitor
C:\WINDOWS\SYSTEM\DHCNDI.DLL: UMonitor
C:\WINDOWS\SYSTEM\vot3216.dll: UMonitor
C:\WINDOWS\SYSTEM\DKSKCP16.DLL: UMonitor
C:\WINDOWS\SYSTEM\wfvdmoe2.dll: UMonitor
C:\WINDOWS\SYSTEM\loaipsw.dll: UMonitor
C:\WINDOWS\SYSTEM\lQprxy.dll: UMonitor
C:\WINDOWS\SYSTEM\MHMC13W.DLL: UMonitor
C:\WINDOWS\SYSTEM\OHGFS400.DLL: UMonitor
C:\WINDOWS\SYSTEM\Mtvcp50.dll: UMonitor
C:\WINDOWS\SYSTEM\DOKMAINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\MXJDBC10.DLL: UMonitor
C:\WINDOWS\SYSTEM\RNASIG.DLL: UMonitor
C:\WINDOWS\SYSTEM\RNCHED.DLL: UMonitor
C:\WINDOWS\SYSTEM\uvp10.dll: UMonitor
C:\WINDOWS\SYSTEM\SGntfNT.dll: UMonitor
C:\WINDOWS\SYSTEM\wcerror.dll: UMonitor
-
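An added example from the editor, not part of any post in this thread and not FindIt9xMe's own code: the FindIt output above lends itself to two cheap heuristics. First, the Locate.com section gives name, timestamp, attribute flags and exact size per file, so files that share a size and timestamp under unrelated names (the three 227,104-byte DLLs all stamped 15 Mar 2005 19:21:54 in the second FindIt log further down) can be clustered as copies of one payload, and anything carrying the System or Hidden attribute in the SYSTEM directory listed. Second, many of the names in the Strings.exe UMonitor section are one character away from a genuine Windows DLL (MHXML3 for MSXML3, RVCRT4 for RPCRT4, Mtvcp50 for Msvcp50, DLRAW for DDRAW), and an edit-distance check against a list of legitimate names surfaces them. The sample blocks are copied from the FindIt logs in this thread; the list of legitimate DLL names is an assumption kept deliberately short for illustration, and a hit from either heuristic is a candidate for inspection, not a verdict.

```python
"""Two heuristics over FindIt9xMe output: payloads cloned under random names,
and DLL names one edit away from a genuine Windows DLL.

Added example for this thread; not FindIt's code and not from any post.
The sample blocks are copied from the FindIt logs in the thread; KNOWN_DLLS
is an illustrative assumption, not an inventory of a Windows 98 system.
"""
import re
from collections import defaultdict

# One Locate.com result line, e.g.
#   ifmupg.dll Tue 15 Mar 2005 19:21:54 ..S.R 227,104 221.78 K
# The five attribute slots are flags; S, H and R sit in fixed positions
# (observed as ..S.R, ..SHR, ...H.), the first two slots are not used here.
LOCATE_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<stamp>\w{3} \d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d)"
    r"\s+(?P<attrs>[.ADSHR]{5})\s+(?P<size>[\d,]+)\s")


def parse_locate(block):
    """Yield (name, timestamp, attrs, size_bytes) for each result line."""
    for line in block.splitlines():
        m = LOCATE_LINE.match(line.strip())
        if m:
            yield (m["name"].lower(), m["stamp"], m["attrs"],
                   int(m["size"].replace(",", "")))


def clone_clusters(block, min_members=2):
    """Group files by exact (size, timestamp).  Several distinct names in one
    group is the signature of a dropper writing one payload under random names."""
    groups = defaultdict(set)
    for name, stamp, _attrs, size in parse_locate(block):
        groups[(size, stamp)].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}


def hidden_system_files(block):
    """Names carrying the System or Hidden attribute; Explorer's default view
    shows neither, which is why droppers set them."""
    return sorted(name for name, _stamp, attrs, _size in parse_locate(block)
                  if "S" in attrs or "H" in attrs)


# Assumption: a short list of genuine Windows/IE/Jet DLL stems to compare against.
KNOWN_DLLS = {"msxml3", "rpcrt4", "msvcp50", "ddraw", "msexch40", "vbajet32",
              "msvcrt", "wininet", "urlmon", "mshtml", "oleaut32", "advapi32"}


def edit_distance(a, b):
    """Levenshtein distance by the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def umonitor_paths(block):
    """Paths from the 'Strings.exe Umonitor Results' section."""
    return [ln.rsplit(":", 1)[0].strip() for ln in block.splitlines()
            if ln.strip().endswith(": UMonitor")]


def lookalike_dlls(paths, known=KNOWN_DLLS, max_dist=1):
    """Map each path whose file stem is within max_dist edits of a genuine DLL
    stem, without being that DLL, to the name it imitates."""
    hits = {}
    for path in paths:
        stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        for real in known:
            if stem != real and edit_distance(stem, real) <= max_dist:
                hits[path] = real + ".dll"
    return hits


# Sample blocks copied from the FindIt logs in this thread.
LOCATE_SAMPLE = r"""
C:\WINDOWS\SYSTEM\
ifmupg.dll Tue 15 Mar 2005 19:21:54 ..S.R 227,104 221.78 K
wmkysf.exe Tue 11 Jan 2005 14:11:36 ..SHR 401,408 392.00 K
mxrpjt40.dll Tue 15 Mar 2005 19:21:54 ..S.R 227,104 221.78 K
band.exe Tue 15 Mar 2005 13:45:14 ...H. 1,024 1.00 K
wfplenc.dll Tue 15 Mar 2005 19:21:54 ..S.R 227,104 221.78 K
5 items found: 5 files, 0 directories.
"""
UMONITOR_SAMPLE = r"""
C:\WINDOWS\SYSTEM\QMV.DLL: UMonitor
C:\WINDOWS\SYSTEM\MHXML3.DLL: UMonitor
C:\WINDOWS\SYSTEM\RVCRT4.DLL: UMonitor
C:\WINDOWS\SYSTEM\DLRAW.DLL: UMonitor
C:\WINDOWS\SYSTEM\Mtvcp50.dll: UMonitor
C:\WINDOWS\SYSTEM\mzexch40.dll: UMonitor
C:\WINDOWS\SYSTEM\VQAJET32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MMTASK.DLL: UMonitor
"""

if __name__ == "__main__":
    print("clone clusters:", clone_clusters(LOCATE_SAMPLE))
    print("system/hidden:", hidden_system_files(LOCATE_SAMPLE))
    print("lookalikes:", lookalike_dlls(umonitor_paths(UMONITOR_SAMPLE)))
```

Both checks are deliberately dumb: neither opens a file, so they run on a pasted log from another machine, and the output is a short list of names to verify by hand (version resource, signature, or a search of the vendor's file list) before anything is deleted. Extending KNOWN_DLLS with the real contents of a clean SYSTEM directory turns the second check from an illustration into something usable.
-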
HijackThis 1.99.1 log file (after restoring all backups):
Logfile of HijackThis v1.99.1
Scan saved at 17:01:02, on 23/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NETDDE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS1991.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = =%3D
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {07B15BBE-9B90-11D9-845B-00007914357D} - C:\WINDOWS\SYSTEM\BLAO.DLL
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: wckdlytbloo - {8d639061-bd1e-11d7-845b-0000e82202f3} - (no file)
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [nsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE"
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Spy Protector] C:\PROGRAM FILES\SECURITY TASK MANAGER\SPYPROTECTOR.EXE /autostart
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [rlacgvvd] c:\windows\system\rlacgvvd.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Hosts Manager.lnk = C:\Program Files\HOSTS File Manager\HOSTS_Back.exe
O4 - Startup: STRINGS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: slotchbar.com
O15 - Trusted IP range: flingstone.com
O15 - Trusted IP range: my-internet.info
O15 - Trusted IP range: awmdabest.com
O15 - Trusted IP range: overpro.com
O15 - Trusted IP range: ysbweb.com
O15 - Trusted IP range: c4tdownload.com
O15 - Trusted IP range: windupdates.com
O15 - Trusted IP range: clickspring.net
O15 - Trusted IP range: sp2admin.biz
O15 - Trusted IP range: iframe.biz
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: slotchbar.com (HKLM)
O15 - Trusted IP range: ysbweb.com (HKLM)
O15 - Trusted IP range: clickspring.net (HKLM)
O15 - Trusted IP range: flingstone.com (HKLM)
O15 - Trusted IP range: my-internet.info (HKLM)
O15 - Trusted IP range: windupdates.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba10.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://iframedollars.biz/dl/adv519/x.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\noexist.mht!http://crdrcr.com/chm.chm::/a.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://38.144.58.45/loader/GB.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {4B578A97-79DA-2369-81BA-54566168BF05} - http://66.117.37.5/1/rdgGB298.exe
O16 - DPF: {080A7742-D928-564C-FEC8-30CB61451EC6} - http://66.117.37.5/1/rdgGB298.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int4.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup155.cab
O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
O18 - Filter: text/html - {094A06A5-946E-11D9-845B-0000C517528F} - C:\WINDOWS\SYSTEM\BLAO.DLL
O18 - Filter: text/plain - {094A06A5-946E-11D9-845B-0000C517528F} - C:\WINDOWS\SYSTEM\BLAO.DLL
O21 - SSODL: eplrr - {EA812AC0-9556-11D9-845B-0000E82202F3} - C:\WINDOWS\SYSTEM\eplrr3.dll
-
Never mind >> I'm editing this post.
I didn't see your StartDreck log. If you can wait, I'll post a fix later.
May I ask why you didn't download the version of Findit9xMe.zip that I asked for?
You seem to be using an older version.
Please don't try and help by assuming all fixes are the same; supply what I ask.
Take care
;)
-
I got your PM, Mark.
There isn't that much difference in the two versions of Findit,
but I'm on my way to work, actually running late.
If you could find the time to delete your copy of Findit, download the one I suggested, run the scan and post a log from it, that would be great, thanks.
Also, when you ran Pocket KillBox, what procedure were you trying?
E.g. Delete on Reboot, Replace on Reboot?
-
Done it. Deleted the old Findit, downloaded and ran the new one. Here's the log:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HARD DISK
Volume Serial Number is 0211-1CDD
Directory of C:\WINDOWS\SYSTEM
IFMUPG DLL 227,104 15/03/05 19:21 IFMUPG.DLL
MXRPJT40 DLL 227,104 15/03/05 19:21 MXRPJT40.DLL
WFPLENC DLL 227,104 15/03/05 19:21 wfplenc.dll
WMKYSF EXE 401,408 11/01/05 14:11 wmkysf.exe
4 file(s) 1,082,720 bytes
0 dir(s) 1,642.37 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HARD DISK
Volume Serial Number is 0211-1CDD
Directory of C:\WINDOWS\SYSTEM
BAND EXE 1,024 15/03/05 13:45 band.exe
VMSS <DIR> 03/03/05 16:32 vmss
WSXSVC <DIR> 03/03/05 16:32 wsxsvc
WMKYSF EXE 401,408 11/01/05 14:11 wmkysf.exe
ZLLICTBL DAT 4,212 27/11/04 17:12 zllictbl.dat
LXAIMA GID 45,735 05/02/04 19:10 lxaima.GID
DESKTOP INI 266 15/01/02 21:37 desktop.ini
5 file(s) 452,645 bytes
2 dir(s) 1,642.37 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F06B1D22-1EDC-6EC8-A9F6-713D02526492}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
ifmupg.dll Tue 15 Mar 2005 19:21:54 ..S.R 227,104 221.78 K
wmkysf.exe Tue 11 Jan 2005 14:11:36 ..SHR 401,408 392.00 K
mxrpjt40.dll Tue 15 Mar 2005 19:21:54 ..S.R 227,104 221.78 K
band.exe Tue 15 Mar 2005 13:45:14 ...H. 1,024 1.00 K
wfplenc.dll Tue 15 Mar 2005 19:21:54 ..S.R 227,104 221.78 K
5 items found: 5 files, 0 directories.
Total of file sizes: 1,083,744 bytes 1.03 M
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\hosts.bak: 127.0.0.1 u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.bak: 127.0.0.1 qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1 adsrv.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1 updates.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1 www.qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1 u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1 qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1 adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1 updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1 www.qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1 u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1 qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1 adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1 updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1 www.qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1 u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1 qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1 adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1 updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1 www.qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1 u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1 qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1 adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1 updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1 www.qoologic.com
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\QMV.DLL: UMonitor
C:\WINDOWS\SYSTEM\RKCLTSCM.DLL: UMonitor
C:\WINDOWS\SYSTEM\OVADM400.DLL: UMonitor
C:\WINDOWS\SYSTEM\PASPL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MYCMS.DLL: UMonitor
C:\WINDOWS\SYSTEM\NNTBIOS.DLL: UMonitor
C:\WINDOWS\SYSTEM\ADVGA.DLL: UMonitor
C:\WINDOWS\SYSTEM\PWPD.DLL: UMonitor
C:\WINDOWS\SYSTEM\MHXML3.DLL: UMonitor
C:\WINDOWS\SYSTEM\DYIMAN32.DLL: UMonitor
C:\WINDOWS\SYSTEM\ilvu9_32.dll: UMonitor
C:\WINDOWS\SYSTEM\OSESVR.DLL: UMonitor
C:\WINDOWS\SYSTEM\RYCDLL.dll: UMonitor
C:\WINDOWS\SYSTEM\RICLTSPX.DLL: UMonitor
C:\WINDOWS\SYSTEM\wjspdmoe.dll: UMonitor
C:\WINDOWS\SYSTEM\IQNPSTUB.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVKMAINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\AZF16.DLL: UMonitor
C:\WINDOWS\SYSTEM\OZE2DISP.DLL: UMonitor
C:\WINDOWS\SYSTEM\MXSTKPRP.DLL: UMonitor
C:\WINDOWS\SYSTEM\dq8vb.dll: UMonitor
C:\WINDOWS\SYSTEM\MMTASK.DLL: UMonitor
C:\WINDOWS\SYSTEM\lWprxy.dll: UMonitor
C:\WINDOWS\SYSTEM\wpv9vcm.dll: UMonitor
C:\WINDOWS\SYSTEM\DLRAW.DLL: UMonitor
C:\WINDOWS\SYSTEM\phapi.dll: UMonitor
C:\WINDOWS\SYSTEM\lyailpa.dll: UMonitor
C:\WINDOWS\SYSTEM\lbaisk0.dll: UMonitor
C:\WINDOWS\SYSTEM\DOVENUM.DLL: UMonitor
C:\WINDOWS\SYSTEM\CKMCAT.DLL: UMonitor
C:\WINDOWS\SYSTEM\iiagr5.dll: UMonitor
C:\WINDOWS\SYSTEM\mIpi32.dll: UMonitor
C:\WINDOWS\SYSTEM\dfscript.dll: UMonitor
C:\WINDOWS\SYSTEM\DACPROP.DLL: UMonitor
C:\WINDOWS\SYSTEM\dy8vb.dll: UMonitor
C:\WINDOWS\SYSTEM\MGCO30.DLL: UMonitor
C:\WINDOWS\SYSTEM\WKW32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MCXML3.DLL: UMonitor
C:\WINDOWS\SYSTEM\dfmv2clt.dll: UMonitor
C:\WINDOWS\SYSTEM\DLngerous Creatures.dll: UMonitor
C:\WINDOWS\SYSTEM\WRDAP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\ppgfilt.dll: UMonitor
C:\WINDOWS\SYSTEM\mzexch40.dll: UMonitor
C:\WINDOWS\SYSTEM\CAOOSUSR.DLL: UMonitor
C:\WINDOWS\SYSTEM\MLMG13W.DLL: UMonitor
C:\WINDOWS\SYSTEM\ocpdx32.dll: UMonitor
C:\WINDOWS\SYSTEM\MUCI.DLL: UMonitor
C:\WINDOWS\SYSTEM\DSSERIAL.DLL: UMonitor
C:\WINDOWS\SYSTEM\OYFIL400.DLL: UMonitor
C:\WINDOWS\SYSTEM\MMRPJT40.DLL: UMonitor
C:\WINDOWS\SYSTEM\mbpatcha.dll: UMonitor
C:\WINDOWS\SYSTEM\DNrtWeb.dll: UMonitor
C:\WINDOWS\SYSTEM\TNOLHELP.DLL: UMonitor
C:\WINDOWS\SYSTEM\VPODEC32.DLL: UMonitor
C:\WINDOWS\SYSTEM\lvaiutil.dll: UMonitor
C:\WINDOWS\SYSTEM\DDGEST.DLL: UMonitor
C:\WINDOWS\SYSTEM\RVCRT4.DLL: UMonitor
C:\WINDOWS\SYSTEM\dNdim700.dll: UMonitor
C:\WINDOWS\SYSTEM\mibsync.dll: UMonitor
C:\WINDOWS\SYSTEM\SDI_CI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\lsaixc.dll: UMonitor
C:\WINDOWS\SYSTEM\VQAJET32.DLL: UMonitor
C:\WINDOWS\SYSTEM\DIKAPI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\wppcd.dll: UMonitor
C:\WINDOWS\SYSTEM\VFR.DLL: UMonitor
C:\WINDOWS\SYSTEM\SBI_CI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\SOTUPX.DLL: UMonitor
C:\WINDOWS\SYSTEM\dGdref.dll: UMonitor
C:\WINDOWS\SYSTEM\MP3216.DLL: UMonitor
C:\WINDOWS\SYSTEM\LRBAS06.DLL: UMonitor
C:\WINDOWS\SYSTEM\MQFS13W.DLL: UMonitor
C:\WINDOWS\SYSTEM\lsxlmpm.dll: UMonitor
C:\WINDOWS\SYSTEM\SUKIT432.DLL: UMonitor
C:\WINDOWS\SYSTEM\sfrrun.dll: UMonitor
C:\WINDOWS\SYSTEM\QJHNDLR.DLL: UMonitor
C:\WINDOWS\SYSTEM\RLCMQSVR.DLL: UMonitor
C:\WINDOWS\SYSTEM\ITGUTIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\CFYPTUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\liaijswr.dll: UMonitor
C:\WINDOWS\SYSTEM\DVGEST.DLL: UMonitor
C:\WINDOWS\SYSTEM\LUNKINFO.DLL: UMonitor
C:\WINDOWS\SYSTEM\akfsipc.dll: UMonitor
C:\WINDOWS\SYSTEM\IZMIGRAT.DLL: UMonitor
C:\WINDOWS\SYSTEM\JGEG2X32.DLL: UMonitor
C:\WINDOWS\SYSTEM\DRWSOCKX.DLL: UMonitor
C:\WINDOWS\SYSTEM\WK2_32.DLL: UMonitor
C:\WINDOWS\SYSTEM\SXTUP4.DLL: UMonitor
C:\WINDOWS\SYSTEM\SPCUR32.DLL: UMonitor
C:\WINDOWS\SYSTEM\orbcbcp.dll: UMonitor
C:\WINDOWS\SYSTEM\WJNTRUST.DLL: UMonitor
C:\WINDOWS\SYSTEM\MLCMS.DLL: UMonitor
C:\WINDOWS\SYSTEM\WLW32.DLL: UMonitor
C:\WINDOWS\SYSTEM\DQSERIAL.DLL: UMonitor
C:\WINDOWS\SYSTEM\DHCNDI.DLL: UMonitor
C:\WINDOWS\SYSTEM\vot3216.dll: UMonitor
C:\WINDOWS\SYSTEM\DKSKCP16.DLL: UMonitor
C:\WINDOWS\SYSTEM\wfvdmoe2.dll: UMonitor
C:\WINDOWS\SYSTEM\loaipsw.dll: UMonitor
C:\WINDOWS\SYSTEM\lQprxy.dll: UMonitor
C:\WINDOWS\SYSTEM\MHMC13W.DLL: UMonitor
C:\WINDOWS\SYSTEM\OHGFS400.DLL: UMonitor
C:\WINDOWS\SYSTEM\Mtvcp50.dll: UMonitor
C:\WINDOWS\SYSTEM\DOKMAINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\MXJDBC10.DLL: UMonitor
C:\WINDOWS\SYSTEM\RNASIG.DLL: UMonitor
C:\WINDOWS\SYSTEM\RNCHED.DLL: UMonitor
C:\WINDOWS\SYSTEM\uvp10.dll: UMonitor
C:\WINDOWS\SYSTEM\SGntfNT.dll: UMonitor
C:\WINDOWS\SYSTEM\wcerror.dll: UMonitor
-
bump
-
Well, we have to reduce the number of files and deal with another hidden infection.
Please try everything I ask, even if you tried it before
Download and save to desktop
DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
We'll need this later>>If using a Mozilla browser, right click on that link and Save Link As, and save it to desktop
Please copy and paste these instructions to an empty Notepad file and leave it on your desktop and then Disconnect completely from the Internet
Open these instructions and leave them open until we have restarted your computer
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = =%3D
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {07B15BBE-9B90-11D9-845B-00007914357D} - C:\WINDOWS\SYSTEM\BLAO.DLL
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: wckdlytbloo - {8d639061-bd1e-11d7-845b-0000e82202f3} - (no file)
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - (no file)
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [nsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [rlacgvvd] c:\windows\system\rlacgvvd.exe
O4 - HKCU\..\Run: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: slotchbar.com
O15 - Trusted IP range: flingstone.com
O15 - Trusted IP range: my-internet.info
O15 - Trusted IP range: awmdabest.com
O15 - Trusted IP range: overpro.com
O15 - Trusted IP range: ysbweb.com
O15 - Trusted IP range: c4tdownload.com
O15 - Trusted IP range: windupdates.com
O15 - Trusted IP range: clickspring.net
O15 - Trusted IP range: sp2admin.biz
O15 - Trusted IP range: iframe.biz
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: slotchbar.com (HKLM)
O15 - Trusted IP range: ysbweb.com (HKLM)
O15 - Trusted IP range: clickspring.net (HKLM)
O15 - Trusted IP range: flingstone.com (HKLM)
O15 - Trusted IP range: my-internet.info (HKLM)
O15 - Trusted IP range: windupdates.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba10.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://iframedollars.biz/dl/adv519/x.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:oexist.mht!http://crdrcr.com/chm.chm::/a.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://38.144.58.45/loader/GB.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {4B578A97-79DA-2369-81BA-54566168BF05} - http://66.117.37.5/1/rdgGB298.exe
O16 - DPF: {080A7742-D928-564C-FEC8-30CB61451EC6} - http://66.117.37.5/1/rdgGB298.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int4.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup155.cab
O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
After you have ticked the above entries, close all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries
Run Pocket KillBox>>Now you have Killbox and this notepad file open
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them
Click on Tools --> select Delete Temp Files. Click OK.
Again, in Killbox
At the main screen of Pocket Killbox
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\SYSTEM\QMV.DLL
Press the Delete button>>The Red circle and a white X
Do the same for the rest of these below
Keep track of any files that won't delete, we'll need those in a bit
C:\WINDOWS\SYSTEM\RKCLTSCM.DLL
C:\WINDOWS\SYSTEM\OVADM400.DLL
C:\WINDOWS\SYSTEM\PASPL.DLL
C:\WINDOWS\SYSTEM\MYCMS.DLL
C:\WINDOWS\SYSTEM\NNTBIOS.DLL
C:\WINDOWS\SYSTEM\ADVGA.DLL
C:\WINDOWS\SYSTEM\PWPD.DLL
C:\WINDOWS\SYSTEM\MHXML3.DLL
C:\WINDOWS\SYSTEM\DYIMAN32.DLL
C:\WINDOWS\SYSTEM\ilvu9_32.dll
C:\WINDOWS\SYSTEM\OSESVR.DLL
C:\WINDOWS\SYSTEM\RYCDLL.dll
C:\WINDOWS\SYSTEM\RICLTSPX.DLL
C:\WINDOWS\SYSTEM\wjspdmoe.dll
C:\WINDOWS\SYSTEM\IQNPSTUB.DLL
C:\WINDOWS\SYSTEM\DVKMAINT.DLL
C:\WINDOWS\SYSTEM\AZF16.DLL
C:\WINDOWS\SYSTEM\OZE2DISP.DLL
C:\WINDOWS\SYSTEM\MXSTKPRP.DLL
C:\WINDOWS\SYSTEM\dq8vb.dll
C:\WINDOWS\SYSTEM\MMTASK.DLL
C:\WINDOWS\SYSTEM\lWprxy.dll
C:\WINDOWS\SYSTEM\wpv9vcm.dll
C:\WINDOWS\SYSTEM\DLRAW.DLL
C:\WINDOWS\SYSTEM\phapi.dll
C:\WINDOWS\SYSTEM\lyailpa.dll
C:\WINDOWS\SYSTEM\lbaisk0.dll
C:\WINDOWS\SYSTEM\DOVENUM.DLL
C:\WINDOWS\SYSTEM\CKMCAT.DLL
C:\WINDOWS\SYSTEM\iiagr5.dll
C:\WINDOWS\SYSTEM\mIpi32.dll
C:\WINDOWS\SYSTEM\dfscript.dll
C:\WINDOWS\SYSTEM\DACPROP.DLL
C:\WINDOWS\SYSTEM\dy8vb.dll
C:\WINDOWS\SYSTEM\MGCO30.DLL
C:\WINDOWS\SYSTEM\WKW32.DLL
C:\WINDOWS\SYSTEM\MCXML3.DLL
C:\WINDOWS\SYSTEM\dfmv2clt.dll
C:\WINDOWS\SYSTEM\DLngerousCreatures.dll
C:\WINDOWS\SYSTEM\WRDAP32.DLL
C:\WINDOWS\SYSTEM\ppgfilt.dll
C:\WINDOWS\SYSTEM\mzexch40.dll
C:\WINDOWS\SYSTEM\CAOOSUSR.DLL
C:\WINDOWS\SYSTEM\MLMG13W.DLL
C:\WINDOWS\SYSTEM\ocpdx32.dll
C:\WINDOWS\SYSTEM\MUCI.DLL
C:\WINDOWS\SYSTEM\DSSERIAL.DLL
C:\WINDOWS\SYSTEM\OYFIL400.DLL
C:\WINDOWS\SYSTEM\MMRPJT40.DLL
C:\WINDOWS\SYSTEM\mbpatcha.dll
C:\WINDOWS\SYSTEM\DNrtWeb.dll
C:\WINDOWS\SYSTEM\TNOLHELP.DLL
C:\WINDOWS\SYSTEM\VPODEC32.DLL
C:\WINDOWS\SYSTEM\lvaiutil.dll
C:\WINDOWS\SYSTEM\DDGEST.DLL
C:\WINDOWS\SYSTEM\RVCRT4.DLL
C:\WINDOWS\SYSTEM\dNdim700.dll
C:\WINDOWS\SYSTEM\mibsync.dll
C:\WINDOWS\SYSTEM\SDI_CI32.DLL
C:\WINDOWS\SYSTEM\lsaixc.dll
C:\WINDOWS\SYSTEM\VQAJET32.DLL
C:\WINDOWS\SYSTEM\DIKAPI32.DLL
C:\WINDOWS\SYSTEM\wppcd.dll
C:\WINDOWS\SYSTEM\VFR.DLL
C:\WINDOWS\SYSTEM\SBI_CI32.DLL
C:\WINDOWS\SYSTEM\SOTUPX.DLL
C:\WINDOWS\SYSTEM\dGdref.dll
C:\WINDOWS\SYSTEM\MP3216.DLL
C:\WINDOWS\SYSTEM\LRBAS06.DLL
C:\WINDOWS\SYSTEM\MQFS13W.DLL
C:\WINDOWS\SYSTEM\lsxlmpm.dll
C:\WINDOWS\SYSTEM\SUKIT432.DLL
C:\WINDOWS\SYSTEM\sfrrun.dll
C:\WINDOWS\SYSTEM\QJHNDLR.DLL
C:\WINDOWS\SYSTEM\RLCMQSVR.DLL
C:\WINDOWS\SYSTEM\ITGUTIL.DLL
C:\WINDOWS\SYSTEM\CFYPTUI.DLL
C:\WINDOWS\SYSTEM\liaijswr.dll
C:\WINDOWS\SYSTEM\DVGEST.DLL
C:\WINDOWS\SYSTEM\LUNKINFO.DLL
C:\WINDOWS\SYSTEM\akfsipc.dll
C:\WINDOWS\SYSTEM\IZMIGRAT.DLL
C:\WINDOWS\SYSTEM\JGEG2X32.DLL
C:\WINDOWS\SYSTEM\DRWSOCKX.DLL
C:\WINDOWS\SYSTEM\WK2_32.DLL
C:\WINDOWS\SYSTEM\SXTUP4.DLL
C:\WINDOWS\SYSTEM\orbcbcp.dll
C:\WINDOWS\SYSTEM\SPCUR32.DLL
C:\WINDOWS\SYSTEM\WJNTRUST.DLL
C:\WINDOWS\SYSTEM\MLCMS.DLL
C:\WINDOWS\SYSTEM\WLW32.DLL
C:\WINDOWS\SYSTEM\DQSERIAL.DLL
C:\WINDOWS\SYSTEM\DHCNDI.DLL
C:\WINDOWS\SYSTEM\vot3216.dll
C:\WINDOWS\SYSTEM\DKSKCP16.DLL
C:\WINDOWS\SYSTEM\wfvdmoe2.dll
C:\WINDOWS\SYSTEM\loaipsw.dll
C:\WINDOWS\SYSTEM\lQprxy.dll
C:\WINDOWS\SYSTEM\MHMC13W.DLL
C:\WINDOWS\SYSTEM\OHGFS400.DLL
C:\WINDOWS\SYSTEM\Mtvcp50.dll
C:\WINDOWS\SYSTEM\DOKMAINT.DLL
C:\WINDOWS\SYSTEM\MXJDBC10.DLL
C:\WINDOWS\SYSTEM\RNASIG.DLL
C:\WINDOWS\SYSTEM\RNCHED.DLL
C:\WINDOWS\SYSTEM\uvp10.dll
C:\WINDOWS\SYSTEM\SGntfNT.dll
C:\WINDOWS\SYSTEM\wcerror.dll
C:\WINDOWS\SYSTEM\ ifmupg.dll
C:\WINDOWS\SYSTEM\MXRPJT40.DLL
C:\WINDOWS\SYSTEM\wfplenc.dll
C:\WINDOWS\SYSTEM\band.exe
C:\WINDOWS\SYSTEM\eplrr3.dll
C:\WINDOWS\SYSTEM\BLAO.DLL
C:\WINDOWS\System\spoolsrv32.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
c:\windows\system\rlacgvvd.exe
C:\N20050308.EXE
C:\WINDOWS\hosts.bak
C:\WINDOWS\hosts.20050311-185348.backup
C:\WINDOWS\TEMP\se.dll
For any file that wouldn't delete, again copy and paste that entry into Killbox, but this time, use the Delete on Reboot radio button
Press the button with a red circle and a white X.
If asked to Reboot now, don't until you have entered the last entry
After entering the last path to any file that wouldn't delete,
Restart your computer
Don't worry about any error messages, and don't assume you tried this all before
Please restart the computer in this manner
I need you to restart your computer into MS-DOS mode
START>>Shutdown>>select Restart in MS-DOS mode
OK
At restart you should be at this prompt
C:\WINDOWS>
Type in the lines below, excluding the (Enter); that indicates hitting Enter on your keyboard>>>Take note of all the spaces too
attrib -r -s -h C:\WINDOWS\MSDOSDKV.TXT (Enter)
del MSDOSDKV.TXT (Enter)
If you want a rundown of what that should all look like with all the spaces, I've included below the same commands with = signs indicating where there should be a single space. You will not input the = sign, just the space.
======================================================
attrib=-r=-s=-h=C:\WINDOWS\MSDOSDKV.TXT
del MSDOSDKV.TXT
======================================================
Use CTRL+ALT+DEL to Restart your computer back to Normal mode
This should restart the computer back in Normal mode
When you're back in Windows,
Open Hijackthis>>Open Misc Tools>>Open Hosts File Manager
Delete any lines below
127.0.0.1 localhost <--don't delete this or anything above it
but only lines below that entry that you didn't add yourself or don't recognize
Post back a fresh hijackthis log afterwards
Run Findit9xme.bat again and post the Whole log
Try not to restart the computer again until we have tried another round of fixes
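As an added example (not part of the thread or the helper's instructions), a small Python script that applies the hosts-file rule from the last step: keep `127.0.0.1 localhost` and anything you recognise, flag everything else, and group redirections by the remote address they share, which is the pattern in the O1 lines above. The hosts content is constructed; `nas.home` is a hypothetical entry standing for something the owner added themselves.

```python
"""Audit a Windows hosts file along the lines of the helper's last step:
keep '127.0.0.1 localhost' and recognised hosts, flag and group the rest."""
import ipaddress
from collections import defaultdict

# Constructed sample (not the poster's real file), modelled on the thread's
# entries: loopback line, one owner-added line (nas.home, hypothetical), search
# hosts pointed at one remote IP, and an MVPS-style block the owner did not add.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
127.0.0.1       localhost
192.168.1.20    nas.home
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
127.0.0.1 updates.qoologic.com #[TROJ_NARRATOR.A]
"""

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; skip blanks, comments and bad lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address, so not a usable mapping
        for host in fields[1:]:
            yield ip, host.lower()

def audit_hosts(text, known_good=frozenset()):
    """Classify entries the way the thread's rule does.
    keep           -> localhost plus hosts the owner recognises
    redirects      -> {remote_ip: [hosts]} for non-loopback mappings; one
                      address collecting several search hosts is the hijack
                      pattern in the O1 lines above
    unknown_blocks -> loopback/0.0.0.0 mappings the owner did not add"""
    report = {"keep": [], "redirects": defaultdict(list), "unknown_blocks": []}
    for ip, host in parse_hosts(text):
        if (ip.is_loopback and host == "localhost") or host in known_good:
            report["keep"].append(host)
        elif ip.is_loopback or ip.is_unspecified:
            report["unknown_blocks"].append(host)
        else:
            report["redirects"][str(ip)].append(host)
    report["redirects"] = dict(report["redirects"])
    return report

def lines_to_delete(text, known_good=frozenset()):
    """Hostnames to remove: every redirect target plus every unknown block."""
    r = audit_hosts(text, known_good)
    return sorted(r["unknown_blocks"] + [h for hs in r["redirects"].values() for h in hs])

if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS, known_good={"nas.home"})
    for ip, hosts in rep["redirects"].items():
        print(f"{ip} hijacks {len(hosts)} host(s): {', '.join(hosts)}")
    print("delete:", lines_to_delete(SAMPLE_HOSTS, known_good={"nas.home"}))
```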