
Messages - Mark. G

1
Tech Clinic / My PC is infected by about:blank
« on: March 24, 2005, 04:02:38 PM »
bump

2
Tech Clinic / My PC is infected by about:blank
« on: March 24, 2005, 12:09:27 PM »
Done it. Deleted the old FindIt, downloaded and ran the new one. Here's the log:

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.
 
 ------- System Files in System Directory -------
 

 Volume in drive C is HARD DISK  
 Volume Serial Number is 0211-1CDD
 Directory of C:\WINDOWS\SYSTEM

IFMUPG   DLL       227,104  15/03/05  19:21 IFMUPG.DLL
MXRPJT40 DLL       227,104  15/03/05  19:21 MXRPJT40.DLL
WFPLENC  DLL       227,104  15/03/05  19:21 wfplenc.dll
WMKYSF   EXE       401,408  11/01/05  14:11 wmkysf.exe
         4 file(s)      1,082,720 bytes
         0 dir(s)        1,642.37 MB free
 
 ------- Hidden Files in System Directory -------
 

 Volume in drive C is HARD DISK  
 Volume Serial Number is 0211-1CDD
 Directory of C:\WINDOWS\SYSTEM

BAND     EXE         1,024  15/03/05  13:45 band.exe
VMSS           <DIR>        03/03/05  16:32 vmss
WSXSVC         <DIR>        03/03/05  16:32 wsxsvc
WMKYSF   EXE       401,408  11/01/05  14:11 wmkysf.exe
ZLLICTBL DAT         4,212  27/11/04  17:12 zllictbl.dat
LXAIMA   GID        45,735  05/02/04  19:10 lxaima.GID
DESKTOP  INI           266  15/01/02  21:37 desktop.ini
         5 file(s)        452,645 bytes
         2 dir(s)        1,642.37 MB free
 
 ---------------- User Agent ------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F06B1D22-1EDC-6EC8-A9F6-713D02526492}"=""

 ------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
   ifmupg.dll     Tue 15 Mar 2005  19:21:54   ..S.R        227,104   221.78 K
   wmkysf.exe     Tue 11 Jan 2005  14:11:36   ..SHR        401,408   392.00 K
   mxrpjt40.dll   Tue 15 Mar 2005  19:21:54   ..S.R        227,104   221.78 K
   band.exe       Tue 15 Mar 2005  13:45:14   ...H.          1,024     1.00 K
   wfplenc.dll    Tue 15 Mar 2005  19:21:54   ..S.R        227,104   221.78 K

5 items found:  5 files, 0 directories.
   Total of file sizes:  1,083,744 bytes      1.03 M
 
 ------------ Strings.exe Qoologic Results ------------
 
C:\WINDOWS\hosts.bak: 127.0.0.1  u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.bak: 127.0.0.1  qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  adsrv.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  updates.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1  u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1  qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1  adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1  updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1  u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1  qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1  adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1  updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1  u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1  qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1  adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1  updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1  u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1  qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1  adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1  updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1  www.qoologic.com
 
 -------------- Strings.exe Aspack Results -------------
 
 
 ----------------- HKLM Run Key ------------------
 
 -------------- Strings.exe Umonitor Results -------------

3
Tech Clinic / My PC is infected by about:blank
« on: March 23, 2005, 12:06:16 PM »
HijackThis 1.99.1 log file (after restoring all backups):

Logfile of HijackThis v1.99.1
Scan saved at 17:01:02, on 23/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NETDDE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS1991.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = =%3D
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) -  - (no file)
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {07B15BBE-9B90-11D9-845B-00007914357D} - C:\WINDOWS\SYSTEM\BLAO.DLL
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: wckdlytbloo - {8d639061-bd1e-11d7-845b-0000e82202f3} - (no file)
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [nsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE"
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Spy Protector] C:\PROGRAM FILES\SECURITY TASK MANAGER\SPYPROTECTOR.EXE /autostart
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [rlacgvvd] c:\windows\system\rlacgvvd.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Hosts Manager.lnk = C:\Program Files\HOSTS File Manager\HOSTS_Back.exe
O4 - Startup: STRINGS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: slotchbar.com
O15 - Trusted IP range: flingstone.com
O15 - Trusted IP range: my-internet.info
O15 - Trusted IP range: awmdabest.com
O15 - Trusted IP range: overpro.com
O15 - Trusted IP range: ysbweb.com
O15 - Trusted IP range: c4tdownload.com
O15 - Trusted IP range: windupdates.com
O15 - Trusted IP range: clickspring.net
O15 - Trusted IP range: sp2admin.biz
O15 - Trusted IP range: iframe.biz
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - Trusted IP range: slotchbar.com (HKLM)
O15 - Trusted IP range: ysbweb.com (HKLM)
O15 - Trusted IP range: clickspring.net (HKLM)
O15 - Trusted IP range: flingstone.com (HKLM)
O15 - Trusted IP range: my-internet.info (HKLM)
O15 - Trusted IP range: windupdates.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba10.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://iframedollars.biz/dl/adv519/x.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:oexist.mht!http://crdrcr.com/chm.chm::/a.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://38.144.58.45/loader/GB.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {4B578A97-79DA-2369-81BA-54566168BF05} - http://66.117.37.5/1/rdgGB298.exe
O16 - DPF: {080A7742-D928-564C-FEC8-30CB61451EC6} - http://66.117.37.5/1/rdgGB298.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int4.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup155.cab
O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www5.incredimail.com/contents/setup...p1/imloader.cab
O18 - Filter: text/html - {094A06A5-946E-11D9-845B-0000C517528F} - C:\WINDOWS\SYSTEM\BLAO.DLL
O18 - Filter: text/plain - {094A06A5-946E-11D9-845B-0000C517528F} - C:\WINDOWS\SYSTEM\BLAO.DLL
O21 - SSODL: eplrr - {EA812AC0-9556-11D9-845B-0000E82202F3} - C:\WINDOWS\SYSTEM\eplrr3.dll

4
Tech Clinic / My PC is infected by about:blank
« on: March 23, 2005, 12:03:49 PM »
Findit log file:

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.
 
 ------- System Files in System Directory -------
 

 Volume in drive C is HARD DISK  
 Volume Serial Number is 0211-1CDD
 Directory of C:\WINDOWS\SYSTEM

IFMUPG   DLL       227,104  15/03/05  19:21 IFMUPG.DLL
WMKYSF   EXE       401,408  11/01/05  14:11 wmkysf.exe
         2 file(s)        628,512 bytes
         0 dir(s)        1,679.66 MB free
 
 ------- Hidden Files in System Directory -------
 

 Volume in drive C is HARD DISK  
 Volume Serial Number is 0211-1CDD
 Directory of C:\WINDOWS\SYSTEM

BAND     EXE         1,024  15/03/05  13:45 band.exe
VMSS           <DIR>        03/03/05  16:32 vmss
WSXSVC         <DIR>        03/03/05  16:32 wsxsvc
WMKYSF   EXE       401,408  11/01/05  14:11 wmkysf.exe
ZLLICTBL DAT         4,212  27/11/04  17:12 zllictbl.dat
LXAIMA   GID        45,735  05/02/04  19:10 lxaima.GID
DESKTOP  INI           266  15/01/02  21:37 desktop.ini
         5 file(s)        452,645 bytes
         2 dir(s)        1,679.66 MB free
 
 ---------------- User Agent ------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F06B1D22-1EDC-6EC8-A9F6-713D02526492}"=""

 ------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
   ifmupg.dll     Tue 15 Mar 2005  19:21:54   ..S.R        227,104   221.78 K
   wmkysf.exe     Tue 11 Jan 2005  14:11:36   ..SHR        401,408   392.00 K
   band.exe       Tue 15 Mar 2005  13:45:14   ...H.          1,024     1.00 K

3 items found:  3 files, 0 directories.
   Total of file sizes:  629,536 bytes    614.78 K
 
 ------------ Strings.exe Qoologic Results ------------
 
C:\WINDOWS\hosts.bak: 127.0.0.1  u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.bak: 127.0.0.1  qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  adsrv.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  updates.qoologic.com
C:\WINDOWS\hosts.bak: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1  u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1  qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1  adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1  updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-185347.backup: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1  u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1  qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1  adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1  updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-185348.backup: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1  u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1  qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1  adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1  updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-190703.backup: 127.0.0.1  www.qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1  u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1  qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1  adsrv.qoologic.com
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1  updates.qoologic.com #[TROJ_NARRATOR.A]
C:\WINDOWS\hosts.20050311-191938.backup: 127.0.0.1  www.qoologic.com
 
 -------------- Strings.exe Aspack Results -------------
 
 
 ----------------- HKLM Run Key ------------------
 
 -------------- Strings.exe Umonitor Results -------------

5
Tech Clinic / My PC is infected by about:blank
« on: March 23, 2005, 11:36:01 AM »
Done the StartDreck thing. Here is the log:


StartDreck (build 2.1.7 public stable) - 2005-03-23 @ 16:29:50 (GMT +00:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Mark and Tracey at MARK AND TRACEY

»Registry
 »Run Keys
  »Current User
   »Run
    *Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
    *IncrediMail=C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
   »RunOnce
  »Default User
   »Run
    *Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
    *IncrediMail=C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
   »RunOnce
  »Local Machine
   »Run
    *EnsoniqMixer=starter.exe
    *sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    *VBouncer=C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    *vmss=C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
    *Dvx=C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
    *nsvcin=C:\N20050308.EXE
    *FARMMEXT=C:\WINDOWS\FARMMEXT.exe
    *ffis=C:\WINDOWS\isrvs\ffisearch.exe
    *Desktop Search=C:\WINDOWS\isrvs\desktop.exe
    *Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
    *AWMON="C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE"
    *OmgStartup=C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    *SystemTray=SysTray.Exe
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *Spy Protector=C:\PROGRAM FILES\SECURITY TASK MANAGER\SPYPROTECTOR.EXE /autostart
    *LoadQM=loadqm.exe
    *rlacgvvd=c:\windows\system\rlacgvvd.exe
    +OptionalComponents
     +IMAIL
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
   »RunOnce
   »RunServices
    *avast!=C:\Program Files\Alwil Software\Avast4\ashServ.exe
    *CSINJECT.EXE=C:\Program Files\Norton CleanSweep\CSINJECT.EXE
   »RunServicesOnce
    **j=rundll32 C:\WINDOWS\MSDOSDKV.TXT,DllGetClassObject
   »RunOnceEx
   »RunServicesOnceEx
 »Browser Helper Objects (LM)
  *{2472B9A8-9B8E-11D9-845B-0000DE6E8CA0}
   `InprocServer32=C:\WINDOWS\SYSTEM\BLAO.DLL
»Files
»System/Drivers
 »Running Processes
  +FF0F6DB3=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  +FFFF192B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  +FFFF1133=C:\WINDOWS\SYSTEM\SPOOL32.EXE
  +FFFF3E83=C:\WINDOWS\SYSTEM\MPREXE.EXE
  +FFFE6E6F=C:\WINDOWS\RUNDLL32.EXE
  +FFFE481B=C:\WINDOWS\SYSTEM\LEXBCES.EXE
  +FFFED9C3=C:\WINDOWS\SYSTEM\RPCSS.EXE
  +FFFE6C17=C:\WINDOWS\SYSTEM\mmtask.tsk
  +FFFDE267=C:\WINDOWS\EXPLORER.EXE
  +FFFC6BDB=C:\WINDOWS\RUNDLL32.EXE
  +FFFCD08F=C:\WINDOWS\RUNDLL32.EXE
  +FFFC9C43=C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
  +FFFAB03B=C:\WINDOWS\SYSTEM\DDHELP.EXE
  +FFF95EAF=C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
  +FFF60E6B=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
  +FFFBC40B=C:\WINDOWS\NETDDE.EXE
  +FFFBE52F=C:\WINDOWS\DESKTOP\HJT\STARTDRECK\STARTDRECK.EXE
»Application specific

Now going to do the findit9xme.zip thing, which I've already downloaded. Will post that log in another reply.

Mark.

6
Tech Clinic / My PC is infected by about:blank
« on: March 23, 2005, 11:09:35 AM »
Hi guestolo, and thanks for answering my plea for help.

As for removing things, I just did what another guy told me to do. I can't get in touch with him now.

I'll now print your instructions and carry them out.

I've tried AboutBuster, Ad-Aware SE Professional, Spybot S&D, Avast, VX Anti-virus cleaner. I've also run Pocket KillBox as previously instructed, but I don't think it ran properly, as I did not get any "pending operations" prompts like the other guy said I should, or a reboot prompt, also as he said I should.

I have End It All, and when I run it, there seems to be a Rundll 697 there whenever these pop-ups appear?

As I said before, I don't know much about computers, viruses and such, so I'm at your mercy, and need to go at walking pace.

Thanks, I'll post my latest log file when I've done what you say.

Mark.

7
Tech Clinic / My PC is infected by about:blank
« on: March 22, 2005, 03:49:07 PM »
Can someone help me?

My computer is infected by at least the "about:blank" thing. Apparently it has other things in there as well. I was getting help on another web forum, but the chap has disappeared.

Please help if you can, I don't want to format the computer.

I'm not a computer wizard, so the help needs to be at walking pace. lol

My HijackThis log file is:

Logfile of HijackThis v1.99.1
Scan saved at 20:43:47, on 22/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\ABOUTBUSTER\ABOUTBUSTER\ABOUTBUSTER.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS1991.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {26C2A008-9AFE-11D9-845B-00001319E6A7} - C:\WINDOWS\SYSTEM\PCPD.DLL
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O18 - Filter: text/html - {80451DE0-9788-11D9-845B-0000484FEFE5} - C:\WINDOWS\SYSTEM\PCPD.DLL
O18 - Filter: text/plain - {80451DE0-9788-11D9-845B-0000484FEFE5} - C:\WINDOWS\SYSTEM\PCPD.DLL
