
HIjackThis log regarding CWS about:blank

Discussion in 'Virus & Other Malware Removal' started by Captain Morg, Apr 10, 2004.

  1. Captain Morg

    Captain Morg Thread Starter

    Joined:
    Apr 10, 2004
    Messages:
    37
    Alright Steve, here it is:



    Logfile of HijackThis v1.97.2
    Scan saved at 4:12:11 AM, on 04/10/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\VirusScan\Avsynmgr.exe
    C:\Program Files\VirusScan\VsStat.exe
    C:\Program Files\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINNT\explorer.exe
    C:\WINNT\sysupd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HIJACKTH.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {25D555CE-8B3A-4FFE-BA6B-87C1A205E512} - C:\WINNT\system32\dpfcf.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [Q828026] "C:\WINNT\INF\unregmp2.exe" /UpdateWMP
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: wallmast.exe.lnk = C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://63.251.53.205/SpeedTests/245
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38039.4529513889
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB7CAF-1938-4CC4-B5D5-EE3C3713A359}: NameServer = 130.65.3.1,130.65.25.1


    I should note that a few of the attempted removals kept recurring. Now that I think about it, I might have the first occurrence of "dpfcf.dll", since Google came up empty.
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    This version of the CWS hijacker uses randomly named files, so searches won't turn anything up.

    This is a new fix that has been developed and has worked in several cases. We are not guaranteeing it, but it's worth trying.

    The experts are still trying to update CWShredder to fix it in all cases.

    Make sure that CWShredder is at version 1.56.1 or later; earlier versions will not work.
    First download CWShredder from http://www.thespykiller.co.uk and put it where you can find it easily,
    then

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply", then "OK".

    Run HijackThis, tick the entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press "Fix checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
    O2 - BHO: (no name) - {25D555CE-8B3A-4FFE-BA6B-87C1A205E512} - C:\WINNT\system32\dpfcf.dll
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe

    Delete these files

    C:\WINNT\sysupd.exe
    C:\WINNT\system32\dpfcf.dll
    c:\filter.log

    and Delete these folders

    C:\WINNT\system32\P2P Networking

    Then go to start/run and type regedit, press ok and when regedit opens navigate down &

    find these keys and delete them

    HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain
    HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html

    Make sure no other keys are deleted from the filter section


    now run CWShredder
    Close all browser windows, click on cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing.

    Now as CWS installs via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    then
    Reboot normally & post a new log to check and let us know if the hijack has gone
     
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Captain Morg... I don't suppose you can remember the site where you got this from, can you? It would be very helpful if we had an infection source.
    ;)
     
  4. Captain Morg

    Captain Morg Thread Starter

    Joined:
    Apr 10, 2004
    Messages:
    37
    It's all done like you said, dvk. I skipped over a few things that looked suspicious because they weren't on your list. I know DAP is spyware-ish, but I'm willing to let that slide for now, since racingflix downloads are painfully slow and my computer likes to freeze when IE is running, wasting the entire download.

    Here is the log:



    Logfile of HijackThis v1.97.2
    Scan saved at 4:53:54 AM, on 04/10/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\VirusScan\Avsynmgr.exe
    C:\Program Files\VirusScan\VsStat.exe
    C:\Program Files\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\Real\RealOne Player\RealPlay.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
    C:\Program Files\HIJACKTH.EXE

    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: wallmast.exe.lnk = C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://63.251.53.205/SpeedTests/245
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38039.4529513889
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB7CAF-1938-4CC4-B5D5-EE3C3713A359}: NameServer = 130.65.3.1,130.65.25.1



    $teve: I don't remember how exactly I got it, but I think it was a mis-click that got a banner/pop-up ad. I have tightened up ActiveX security accordingly. Btw, thanks for your welcome :)
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Well, I hope it stays gone. You will have to give it a while before we know for sure. If we don't see you in here in the next hour, we will assume it's all clear.
    (y)
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    There are a couple of minor clear-ups to do, but I deliberately left them for now so as to concentrate on the CWS hijack.

    It's now just a matter of waiting and seeing if it stays gone.

    Did you manage to remove the 2 filters using regedit,
    and did you actually delete these 3 files, or were they already missing?
    C:\WINNT\sysupd.exe
    C:\WINNT\system32\dpfcf.dll
    c:\filter.log


    Hopefully it is cured, but we have had some instances of removing it before we did the regedit bit, and it came back within 24 hours, so we won't know for sure till then.

    But you can try and do a couple of reboots and see if it still stays gone
     
  7. Captain Morg

    Captain Morg Thread Starter

    Joined:
    Apr 10, 2004
    Messages:
    37
    I'll try the 30-second reboot soon. If it doesn't come back, then I'll have an update in less than 24 hours.

    The sysupd.exe did show up; I deleted that. There was a file with "Filter\text/" in it, but it didn't match, so I left it alone.

    ADDED: My desktop is now cooperating, we'll see how long that lasts. :rolleyes:
     
  8. Captain Morg

    Captain Morg Thread Starter

    Joined:
    Apr 10, 2004
    Messages:
    37
    Here is an Ad-Aware log done with the updated list, right after I tried to get rid of CWS:



    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Saturday, April 10, 2004 5:21:03 AM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R282 10.04.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    04-10-2004 5:21:03 AM - Scan started. (Custom mode)


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : captain [email protected][1].txt
    Object : C:\Profiles\Captain Morgan\Cookies\

    Created on : 04/10/2004 12:20:30 PM
    Last accessed : 04/10/2004 12:20:31 PM
    Last modified : 04/10/2004 12:20:31 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : captain [email protected][2].txt
    Object : C:\Profiles\Captain Morgan\Cookies\

    Created on : 04/10/2004 8:43:09 AM
    Last accessed : 04/10/2004 12:08:38 PM
    Last modified : 04/10/2004 8:43:09 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : captain [email protected][1].txt
    Object : C:\Profiles\Captain Morgan\Cookies\

    Created on : 04/10/2004 8:53:44 AM
    Last accessed : 04/10/2004 12:08:38 PM
    Last modified : 04/10/2004 8:54:21 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : captain [email protected][1].txt
    Object : C:\Profiles\Captain Morgan\Cookies\

    Created on : 04/10/2004 7:25:33 AM
    Last accessed : 04/10/2004 12:08:38 PM
    Last modified : 04/10/2004 7:25:33 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : captain [email protected][1].txt
    Object : C:\Profiles\Captain Morgan\Cookies\

    Created on : 04/10/2004 7:26:52 AM
    Last accessed : 04/10/2004 12:08:38 PM
    Last modified : 04/10/2004 7:27:00 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : captain [email protected][1].txt
    Object : C:\Profiles\Captain Morgan\Cookies\

    Created on : 04/10/2004 6:41:43 AM
    Last accessed : 04/10/2004 12:08:39 PM
    Last modified : 04/10/2004 6:41:43 AM



    scam.noadware.net Object recognized!
    Type : File
    Data : noadware.exe
    Object : C:\Program Files\NoAdware\
    FileSize : 1568 KB
    FileVersion : 2.0
    ProductVersion : 2.0
    Copyright : Copyright (C) 2003
    CompanyName : NoAdware (http://www.noadware.net)
    FileDescription : NoAdware Application
    InternalName : NoAdware
    OriginalFilename : NoAdware.EXE
    ProductName : NoAdware Application
    Created on : 01/31/2004 8:17:39 PM
    Last accessed : 04/10/2004 12:10:17 PM
    Last modified : 01/31/2004 8:17:39 PM



    CoolWebSearch Object recognized!
    Type : File
    Data : accpoa.dll
    Object : C:\WINNT\system32\
    FileSize : 39 KB
    Created on : 04/07/2004 2:48:57 PM
    Last accessed : 04/10/2004 12:16:34 PM
    Last modified : 04/07/2004 2:48:57 PM



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 8

    5:30:28 AM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:09:25:52
    Objects scanned :93997
    Objects identified :8
    Objects ignored :0
    New objects :8



    CWS did show up in this one, I'll remove it and get back here sometime later with an update.
     
  9. ALTYHOLIC

    ALTYHOLIC

    Joined:
    Apr 9, 2004
    Messages:
    21
    I posted in this thread too about my about:blank problems and
    now my posts are gone (including dvk01's fix). What happened???
     
  10. Captain Morg

    Captain Morg Thread Starter

    Joined:
    Apr 10, 2004
    Messages:
    37
    Eh, got some bad news... the blasted about:blank search window just came back when I opened up a new window. I have rejected all ActiveX queries during this time and have not clicked on any ads/pop-ups.
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Let's see your current HijackThis log, please.
     
  12. Captain Morg

    Captain Morg Thread Starter

    Joined:
    Apr 10, 2004
    Messages:
    37
    Here is the new log; CWShredder is the most recent version, as is Ad-Aware:


    Logfile of HijackThis v1.97.2
    Scan saved at 8:06:45 PM, on 04/10/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\VirusScan\Avsynmgr.exe
    C:\Program Files\VirusScan\VsStat.exe
    C:\Program Files\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\Real\RealOne Player\RealPlay.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\HIJACKTH.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {086FABE3-4EF9-49DF-BE7D-60E34B528EDF} - C:\WINNT\system32\cae.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: wallmast.exe.lnk = C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://63.251.53.205/SpeedTests/245
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38039.4529513889
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB7CAF-1938-4CC4-B5D5-EE3C3713A359}: NameServer = 130.65.3.1,130.65.25.1



    Looks like more random DLLs!
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Did you find and delete these reg keys as Derek suggested before?:

    HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain
    HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
     
  14. Captain Morg

    Captain Morg Thread Starter

    Joined:
    Apr 10, 2004
    Messages:
    37
    Those keys did not show up under my safe-mode check; however, there was one with a "\Filter\text/" line in the name. It did not match, and I didn't want to risk deleting something important.
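The check I would run at this point, as an added example that is not from this thread or from any of the tools named in it: enumerate HKCR\PROTOCOLS\Filter, resolve each subkey's CLSID to the DLL registered in HKCR\CLSID\{clsid}\InprocServer32, and flag a subkey when its name is one of the two the thread says this CWS variant registers (text/html, text/plain), when it resolves to the hijacker DLL from the HijackThis log (cae.dll here), or when it resolves to a DLL that is no longer on disk. A text/ subkey that passes all three checks, such as a stock one (my assumption about what the non-matching "Filter\text/" key was), is left alone, which is what the thread's "make sure no other keys are deleted" warning asks for. The winreg reader only works on a Windows host; SAMPLE_FILTERS, its placeholder CLSIDs and the DLL names for the two stock filters are my constructed stand-in so the check runs offline.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# The two subkeys this thread says the CWS variant adds. A MIME filter registered
# under HKCR\PROTOCOLS\Filter is loaded by Internet Explorer for every document of
# that content type, which is how the hijack survives fixing the R1/O2 entries alone.
CWS_FILTER_NAMES = {"text/html", "text/plain"}


@dataclass
class FilterEntry:
    name: str            # subkey name under HKCR\PROTOCOLS\Filter
    clsid: str           # CLSID value stored in that subkey
    dll: Optional[str]   # HKCR\CLSID\{clsid}\InprocServer32 default value, if any
    dll_exists: bool     # whether that DLL is present on disk


def read_filters_windows() -> List[FilterEntry]:
    """Enumerate the live registry. Windows only (winreg); the checks below run anywhere."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"PROTOCOLS\Filter") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            clsid = ""
            with winreg.OpenKey(root, name) as sub:
                try:
                    clsid = winreg.QueryValueEx(sub, "CLSID")[0]
                except OSError:
                    pass
            dll = None
            if clsid:
                try:
                    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID\\" + clsid + "\\InprocServer32") as srv:
                        dll = winreg.QueryValueEx(srv, "")[0]   # default value, may be REG_EXPAND_SZ
                except OSError:
                    pass
            exists = bool(dll) and os.path.exists(os.path.expandvars(dll))
            entries.append(FilterEntry(name, clsid, dll, exists))
    return entries


def suspicious_filters(entries: Sequence[FilterEntry], hijack_dlls: Sequence[str] = ()) -> List[Tuple[FilterEntry, str]]:
    """Return (entry, reason) pairs; anything not returned is left alone, as the thread advises."""
    hijack = {d.lower() for d in hijack_dlls}
    findings = []
    for e in entries:
        reasons = []
        if e.name.lower() in CWS_FILTER_NAMES:
            reasons.append("subkey name is one the CWS variant registers")
        if e.dll and e.dll.lower() in hijack:
            reasons.append("resolves to the hijacker DLL seen in the HijackThis log")
        if e.dll and not e.dll_exists:
            reasons.append("resolves to a DLL that no longer exists (orphaned CLSID)")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


# Constructed sample standing in for a hijacked Windows 2000 box. The CLSIDs are
# placeholders; the DLL names for the two stock filters are what I would expect
# (urlmon.dll, shdocvw.dll), and cae.dll is the hijacker DLL posted in this thread.
SAMPLE_FILTERS = [
    FilterEntry("deflate", "{00000000-0000-0000-0000-00000000000a}", r"C:\WINNT\system32\urlmon.dll", True),
    FilterEntry("text/webviewhtml", "{00000000-0000-0000-0000-00000000000b}", r"C:\WINNT\system32\shdocvw.dll", True),
    FilterEntry("text/html", "{00000000-0000-0000-0000-00000000000c}", r"C:\WINNT\system32\cae.dll", True),
    FilterEntry("text/plain", "{00000000-0000-0000-0000-00000000000c}", r"C:\WINNT\system32\cae.dll", True),
]


if __name__ == "__main__":
    entries = SAMPLE_FILTERS
    try:
        entries = read_filters_windows()   # use the real registry when on Windows
    except ImportError:
        pass
    for entry, reason in suspicious_filters(entries, [r"C:\WINNT\system32\cae.dll"]):
        print(f"HKCR\\PROTOCOLS\\Filter\\{entry.name} -> {entry.clsid} -> {entry.dll}: {reason}")
```

On a real host, pass the DLL path from the R1/O2 lines of the current HijackThis log as hijack_dlls; the name check alone would miss a variant that registers the filter under some other content type, while the DLL check still catches it.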
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    First copy these instructions to Notepad. I'm going to have you do the fix in safe mode, so you'll need these instructions.

    Make sure you have the latest version of CWShredder, i.e. 1.56.1. Have it in a convenient location and ready to run in safe mode. You can Click here to download the latest version if you do not already have it. DO NOT run it yet.

    Now copy the text inside the quote box to Notepad, and save it to your Desktop as remove.reg (make sure you save as type: 'all files'). DO NOT run it yet.


    Now boot to safe mode.

    How to start your computer in safe mode

    In safe mode run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {086FABE3-4EF9-49DF-BE7D-60E34B528EDF} - C:\WINNT\system32\cae.dll



    Next, double-click the remove.reg file you created earlier, and answer yes when prompted to add its contents to the Registry.


    Finally run CWShredder and then boot back to normal and come back here and post another Hijack This log.
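Both fix lists in this thread (dvk01's in post 2 and Flrman1's in post 15) were built the same way by hand: find the randomly named DLL in the res://...dll/sp.html search entries, then tick every R0/R1 line pointing at it, the O2 BHO that loads the same DLL, the HomeOldSP = about:blank line, the orphaned URLSearchHook, and the Run entry for the loader in C:\WINNT. The script below, an added example that is not from the thread or from HijackThis, does that linkage over HijackThis 1.97-format log lines so the "fix checked" and "delete these files" lists fall out of the log itself, which matters when the DLL name changes between logs (dpfcf.dll, then accpoa.dll, then cae.dll). SAMPLE_LOG is constructed from entries posted here; the rule that flags a Run entry whose executable sits directly in the Windows directory is my heuristic, not something the thread states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed sample in HijackThis v1.97 log format, modelled on the entries posted
# in this thread (cae.dll, sysupd.exe, the orphaned URLSearchHook) plus two
# legitimate entries (Acrobat BHO, QuickTime) that the triage must leave alone.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {086FABE3-4EF9-49DF-BE7D-60E34B528EDF} - C:\WINNT\system32\cae.dll
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
# This CWS variant points every IE search setting at sp.html inside a randomly
# named DLL; that DLL path is the pivot tying the R0/R1, O2 and file lists together.
RES_DLL = re.compile(r"res://(?P<dll>.+?\.dll)/sp\.html", re.IGNORECASE)
# Heuristic of mine, not from the thread: a Run entry whose .exe sits directly in
# the Windows directory (like C:\WINNT\sysupd.exe) rather than a subfolder gets flagged.
WINROOT_EXE = re.compile(r"^[a-z]:\\(winnt|windows)\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Triage:
    hijack_dlls: Set[str] = field(default_factory=set)     # lower-cased DLL paths
    fix_checked: List[str] = field(default_factory=list)   # lines to tick in HijackThis
    delete_files: List[str] = field(default_factory=list)  # files to delete in safe mode


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (code, body) pairs, e.g. ('O2', 'BHO: ...')."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def o4_executable(body: str) -> str:
    """Return the executable path from an O4 body (handles quoted paths with spaces)."""
    m = re.search(r"\]\s*(.*)$", body)
    if not m:
        return ""
    cmd = m.group(1).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else ""
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> Triage:
    """Derive the 'fix checked' and 'delete these files' lists the way the thread does."""
    entries = parse_entries(log_text)
    result = Triage()
    for code, body in entries:              # pass 1: learn the hijacker DLL name(s)
        if code in ("R0", "R1"):
            m = RES_DLL.search(body)
            if m:
                result.hijack_dlls.add(m.group("dll").lower())
    delete = set(result.hijack_dlls)
    for code, body in entries:              # pass 2: everything tied to that DLL
        line = f"{code} - {body}"
        if code in ("R0", "R1") and RES_DLL.search(body):
            result.fix_checked.append(line)
        elif code == "R1" and "HomeOldSP = about:blank" in body:
            result.fix_checked.append(line)  # where CWS parks the old start page
        elif code == "R3" and "(no file)" in body:
            result.fix_checked.append(line)  # orphaned URLSearchHook CLSID
        elif code == "O2":
            dll = body.rsplit(" - ", 1)[-1].strip().lower()
            if dll in result.hijack_dlls:
                result.fix_checked.append(line)  # the BHO that re-creates the R1 entries
        elif code == "O4":
            exe = o4_executable(body)
            if exe and WINROOT_EXE.match(exe):
                result.fix_checked.append(line)
                delete.add(exe.lower())
    result.delete_files = sorted(delete)
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print("Tick in HijackThis:", *t.fix_checked, sep="\n  ")
    print("Delete in safe mode:", *t.delete_files, sep="\n  ")
```

The output is only the starting list; the registry filter keys the thread discusses are not visible in a HijackThis 1.97 log at all, so this script cannot tell you whether HKCR\PROTOCOLS\Filter still carries the hijacker, which is exactly the gap that let it come back here.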
     