HIjackThis log regarding CWS about:blank

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Captain Morg

Thread Starter
Joined
Apr 10, 2004
Messages
37
Alright Steve, here it is:



Logfile of HijackThis v1.97.2
Scan saved at 4:12:11 AM, on 04/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\VirusScan\Avsynmgr.exe
C:\Program Files\VirusScan\VsStat.exe
C:\Program Files\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINNT\explorer.exe
C:\WINNT\sysupd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HIJACKTH.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25D555CE-8B3A-4FFE-BA6B-87C1A205E512} - C:\WINNT\system32\dpfcf.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINNT\INF\unregmp2.exe" /UpdateWMP
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: wallmast.exe.lnk = C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://63.251.53.205/SpeedTests/245
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38039.4529513889
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB7CAF-1938-4CC4-B5D5-EE3C3713A359}: NameServer = 130.65.3.1,130.65.25.1


I should note that a few of the attempted removals kept re-occuring. Now that I think about it I might have the first occurence of "dpfcf.dll" since google came up empty. :confused:
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Thisa version of the CWS hijacker uses random named files so searches won't turn anything up

This is a new fix that has been developed and has worked in several cases, we are not guaranteeing it, but it's worth trying

The experts are still trying to update cwshreder to fix it in all cases.

Make sure that Cwshredder ois at version 1.56.1 or later, earlier versions will not work.
First download CWshredder from http://www.thespykiller.co.uk and put it where you can find it easily
then

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O2 - BHO: (no name) - {25D555CE-8B3A-4FFE-BA6B-87C1A205E512} - C:\WINNT\system32\dpfcf.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe

Delete these files

C:\WINNT\sysupd.exe
C:\WINNT\system32\dpfcf.dll
c:\filter.log

and Delete these folders

C:\WINNT\system32\P2P Networking

Then go to start/run and type regedit, press ok and when regedit opens navigate down &

find these keys and delete them

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html

Make sure no other keys are deleted from the filter section


now run CWShredder
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.

Now as CWS installs via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

then
Reboot normally & post a new log to check and let us know if the hijack has gone
 
Joined
Oct 9, 2001
Messages
9,396
Captain Morg........i dont suppose you can remember the site where you got this from can you?.........is would be very helpful if we had an infection source.
;)
 

Captain Morg

Thread Starter
Joined
Apr 10, 2004
Messages
37
It's all done like you said dvk, I skipped over a few things that looked suspicious because it wasn't on your list. I know DAP is spyware-ish but I'm willing to let that slide for now, since racingflix downloads are painfully slow and my computer likes to freeze when IE is running, wasting the entire download.

Here is the log:



Logfile of HijackThis v1.97.2
Scan saved at 4:53:54 AM, on 04/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\VirusScan\Avsynmgr.exe
C:\Program Files\VirusScan\VsStat.exe
C:\Program Files\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
C:\Program Files\HIJACKTH.EXE

O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: wallmast.exe.lnk = C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://63.251.53.205/SpeedTests/245
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38039.4529513889
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB7CAF-1938-4CC4-B5D5-EE3C3713A359}: NameServer = 130.65.3.1,130.65.25.1



$teve: I don't remember how exactly I got it, but I think it was a mis-click that got a banner/pop-up ad. I have tightened up ActiveX security accordingly. Btw, thanks for your welcome :)
 
Joined
Oct 9, 2001
Messages
9,396
Well i hope it stays gone.............you will have to give it a while before we know for sure.If we dont see you in here in the next hour we will assume its all clear.
(y)
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
There are a couple of minor clear ups to do, but I deliberately left them for now so as to concentrate on the cws hijack

It's now just a matter of waiting and seeing if it stays gone.

Did you manage to remove the 2 filters by using regedit
and did you actually delete these 3 files or where they already missing
C:\WINNT\sysupd.exe
C:\WINNT\system32\dpfcf.dll
c:\filter.log


hopefully it has cured, but we have had some instances of removing it, before we did the regedit bit and it came back in 24 hours,so we won't know for sure till then.

But you can try and do a couple of reboots and see if it still stays gone
 

Captain Morg

Thread Starter
Joined
Apr 10, 2004
Messages
37
I'll try the 30-seconds reboot soon. If it doesn't come back then I'll have an update in less than 24 hours.

The sysupd.exe did show up, I deleted that. There was a file with the Filter\text/ but it didn't match so I left it alone.

ADDED: My desktop is now cooperating, we'll see how long that lasts. :rolleyes:
 

Captain Morg

Thread Starter
Joined
Apr 10, 2004
Messages
37
Here is an Ad-Aware log done with the updated list, right after I tried to get rid of CWS:



Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, April 10, 2004 5:21:03 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R282 10.04.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


04-10-2004 5:21:03 AM - Scan started. (Custom mode)


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : captain [email protected][1].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 12:20:30 PM
Last accessed : 04/10/2004 12:20:31 PM
Last modified : 04/10/2004 12:20:31 PM



Tracking Cookie Object recognized!
Type : File
Data : captain [email protected][2].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 8:43:09 AM
Last accessed : 04/10/2004 12:08:38 PM
Last modified : 04/10/2004 8:43:09 AM



Tracking Cookie Object recognized!
Type : File
Data : captain [email protected][1].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 8:53:44 AM
Last accessed : 04/10/2004 12:08:38 PM
Last modified : 04/10/2004 8:54:21 AM



Tracking Cookie Object recognized!
Type : File
Data : captain [email protected][1].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 7:25:33 AM
Last accessed : 04/10/2004 12:08:38 PM
Last modified : 04/10/2004 7:25:33 AM



Tracking Cookie Object recognized!
Type : File
Data : captain [email protected].liveperson[1].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 7:26:52 AM
Last accessed : 04/10/2004 12:08:38 PM
Last modified : 04/10/2004 7:27:00 AM



Tracking Cookie Object recognized!
Type : File
Data : captain [email protected][1].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 6:41:43 AM
Last accessed : 04/10/2004 12:08:39 PM
Last modified : 04/10/2004 6:41:43 AM



scam.noadware.net Object recognized!
Type : File
Data : noadware.exe
Object : C:\Program Files\NoAdware\
FileSize : 1568 KB
FileVersion : 2.0
ProductVersion : 2.0
Copyright : Copyright (C) 2003
CompanyName : NoAdware (http://www.noadware.net)
FileDescription : NoAdware Application
InternalName : NoAdware
OriginalFilename : NoAdware.EXE
ProductName : NoAdware Application
Created on : 01/31/2004 8:17:39 PM
Last accessed : 04/10/2004 12:10:17 PM
Last modified : 01/31/2004 8:17:39 PM



CoolWebSearch Object recognized!
Type : File
Data : accpoa.dll
Object : C:\WINNT\system32\
FileSize : 39 KB
Created on : 04/07/2004 2:48:57 PM
Last accessed : 04/10/2004 12:16:34 PM
Last modified : 04/07/2004 2:48:57 PM



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 8

5:30:28 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:09:25:52
Objects scanned :93997
Objects identified :8
Objects ignored :0
New objects :8



CWS did show up in this one, I'll remove it and get back here sometime later with an update.
 
Joined
Apr 9, 2004
Messages
21
I posted in this thread too about my about:blank problems and
now my posts are gone (including dvk01's fix). What happened???
 

Captain Morg

Thread Starter
Joined
Apr 10, 2004
Messages
37
Eh, got some bad news... the blasted about:blank search window just came back when I opened up a new window. I have rejected all ActiveX queries during this time and have not clicked on any ads/pop-ups.
 

Captain Morg

Thread Starter
Joined
Apr 10, 2004
Messages
37
Here is the new log, CWShredder is most recent version as is Ad-Aware:


Logfile of HijackThis v1.97.2
Scan saved at 8:06:45 PM, on 04/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\VirusScan\Avsynmgr.exe
C:\Program Files\VirusScan\VsStat.exe
C:\Program Files\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HIJACKTH.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {086FABE3-4EF9-49DF-BE7D-60E34B528EDF} - C:\WINNT\system32\cae.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: wallmast.exe.lnk = C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://63.251.53.205/SpeedTests/245
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38039.4529513889
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB7CAF-1938-4CC4-B5D5-EE3C3713A359}: NameServer = 130.65.3.1,130.65.25.1



Looks like more random dlls! (n)
 
Joined
Jul 26, 2002
Messages
46,349
Did you find and delete these reg keys as Derek suggested before?:

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
 

Captain Morg

Thread Starter
Joined
Apr 10, 2004
Messages
37
Those keys did not show up under my safemode check - however there was one with a "\Filter\text/" line in the name. It did not match and I didn't want to risk deleting something important.
 
Joined
Jul 26, 2002
Messages
46,349
First copy these instructions to notepad. I'm going to have you do the fix in safe mode so you'll need these instrutions.

Make sure you have the latest version of CWShredder ie...1.56.1. Have it in a convenient location and ready to run in safe mode. You can Click here to download the latest version if you do not already have it. DO NOT run it yet.

Now copy the text inside the quote box to Notepad, and save it to your Desktop as remove.reg (make sure you save as type: 'all files'). DO NOT run it yet.

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

Now boot to safe mode.

How to start your computer in safe mode

In safe mode run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {086FABE3-4EF9-49DF-BE7D-60E34B528EDF} - C:\WINNT\system32\cae.dll



Next Doubleclick the remove.reg file you created earlier, and answer yes when prompted to add its contents to the Registry.


Finally run CWShredder and then boot back to normal and come back here and post another Hijack This log.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top