Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.

HIjackThis log regarding CWS about:blank

4K views 56 replies 8 participants last post by  Flrman1 
#1 ·
Alright Steve, here it is:

Logfile of HijackThis v1.97.2
Scan saved at 4:12:11 AM, on 04/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\VirusScan\Avsynmgr.exe
C:\Program Files\VirusScan\VsStat.exe
C:\Program Files\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINNT\explorer.exe
C:\WINNT\sysupd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HIJACKTH.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25D555CE-8B3A-4FFE-BA6B-87C1A205E512} - C:\WINNT\system32\dpfcf.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINNT\INF\unregmp2.exe" /UpdateWMP
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: wallmast.exe.lnk = C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://63.251.53.205/SpeedTests/245
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38039.4529513889
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB7CAF-1938-4CC4-B5D5-EE3C3713A359}: NameServer = 130.65.3.1,130.65.25.1

I should note that a few of the attempted removals kept re-occuring. Now that I think about it I might have the first occurence of "dpfcf.dll" since google came up empty. :confused:
 
See less See more
#2 ·
Thisa version of the CWS hijacker uses random named files so searches won't turn anything up

This is a new fix that has been developed and has worked in several cases, we are not guaranteeing it, but it's worth trying

The experts are still trying to update cwshreder to fix it in all cases.

Make sure that Cwshredder ois at version 1.56.1 or later, earlier versions will not work.
First download CWshredder from http://www.thespykiller.co.uk and put it where you can find it easily
then

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dpfcf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O2 - BHO: (no name) - {25D555CE-8B3A-4FFE-BA6B-87C1A205E512} - C:\WINNT\system32\dpfcf.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe

Delete these files

C:\WINNT\sysupd.exe
C:\WINNT\system32\dpfcf.dll
c:\filter.log

and Delete these folders

C:\WINNT\system32\P2P Networking

Then go to start/run and type regedit, press ok and when regedit opens navigate down &

find these keys and delete them

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html

Make sure no other keys are deleted from the filter section

now run CWShredder
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.

Now as CWS installs via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

then
Reboot normally & post a new log to check and let us know if the hijack has gone
 
#4 ·
It's all done like you said dvk, I skipped over a few things that looked suspicious because it wasn't on your list. I know DAP is spyware-ish but I'm willing to let that slide for now, since racingflix downloads are painfully slow and my computer likes to freeze when IE is running, wasting the entire download.

Here is the log:

Logfile of HijackThis v1.97.2
Scan saved at 4:53:54 AM, on 04/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\VirusScan\Avsynmgr.exe
C:\Program Files\VirusScan\VsStat.exe
C:\Program Files\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
C:\Program Files\HIJACKTH.EXE

O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: wallmast.exe.lnk = C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://63.251.53.205/SpeedTests/245
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38039.4529513889
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB7CAF-1938-4CC4-B5D5-EE3C3713A359}: NameServer = 130.65.3.1,130.65.25.1

$teve: I don't remember how exactly I got it, but I think it was a mis-click that got a banner/pop-up ad. I have tightened up ActiveX security accordingly. Btw, thanks for your welcome :)
 
#6 ·
There are a couple of minor clear ups to do, but I deliberately left them for now so as to concentrate on the cws hijack

It's now just a matter of waiting and seeing if it stays gone.

Did you manage to remove the 2 filters by using regedit
and did you actually delete these 3 files or where they already missing
C:\WINNT\sysupd.exe
C:\WINNT\system32\dpfcf.dll
c:\filter.log


hopefully it has cured, but we have had some instances of removing it, before we did the regedit bit and it came back in 24 hours,so we won't know for sure till then.

But you can try and do a couple of reboots and see if it still stays gone
 
#7 ·
I'll try the 30-seconds reboot soon. If it doesn't come back then I'll have an update in less than 24 hours.

The sysupd.exe did show up, I deleted that. There was a file with the Filter\text/ but it didn't match so I left it alone.

ADDED: My desktop is now cooperating, we'll see how long that lasts. :rolleyes:
 
#8 ·
Here is an Ad-Aware log done with the updated list, right after I tried to get rid of CWS:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, April 10, 2004 5:21:03 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R282 10.04.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry

04-10-2004 5:21:03 AM - Scan started. (Custom mode)

Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : captain morgan@0[1].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 12:20:30 PM
Last accessed : 04/10/2004 12:20:31 PM
Last modified : 04/10/2004 12:20:31 PM

Tracking Cookie Object recognized!
Type : File
Data : captain morgan@adserving.autotrader[2].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 8:43:09 AM
Last accessed : 04/10/2004 12:08:38 PM
Last modified : 04/10/2004 8:43:09 AM

Tracking Cookie Object recognized!
Type : File
Data : captain morgan@questionmarket[1].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 8:53:44 AM
Last accessed : 04/10/2004 12:08:38 PM
Last modified : 04/10/2004 8:54:21 AM

Tracking Cookie Object recognized!
Type : File
Data : captain morgan@realmedia[1].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 7:25:33 AM
Last accessed : 04/10/2004 12:08:38 PM
Last modified : 04/10/2004 7:25:33 AM

Tracking Cookie Object recognized!
Type : File
Data : captain morgan@server.iad.liveperson[1].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 7:26:52 AM
Last accessed : 04/10/2004 12:08:38 PM
Last modified : 04/10/2004 7:27:00 AM

Tracking Cookie Object recognized!
Type : File
Data : captain morgan@statcounter[1].txt
Object : C:\Profiles\Captain Morgan\Cookies\

Created on : 04/10/2004 6:41:43 AM
Last accessed : 04/10/2004 12:08:39 PM
Last modified : 04/10/2004 6:41:43 AM

scam.noadware.net Object recognized!
Type : File
Data : noadware.exe
Object : C:\Program Files\NoAdware\
FileSize : 1568 KB
FileVersion : 2.0
ProductVersion : 2.0
Copyright : Copyright (C) 2003
CompanyName : NoAdware (http://www.noadware.net)
FileDescription : NoAdware Application
InternalName : NoAdware
OriginalFilename : NoAdware.EXE
ProductName : NoAdware Application
Created on : 01/31/2004 8:17:39 PM
Last accessed : 04/10/2004 12:10:17 PM
Last modified : 01/31/2004 8:17:39 PM

CoolWebSearch Object recognized!
Type : File
Data : accpoa.dll
Object : C:\WINNT\system32\
FileSize : 39 KB
Created on : 04/07/2004 2:48:57 PM
Last accessed : 04/10/2004 12:16:34 PM
Last modified : 04/07/2004 2:48:57 PM

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 8

5:30:28 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:09:25:52
Objects scanned :93997
Objects identified :8
Objects ignored :0
New objects :8

CWS did show up in this one, I'll remove it and get back here sometime later with an update.
 
#10 ·
Eh, got some bad news... the blasted about:blank search window just came back when I opened up a new window. I have rejected all ActiveX queries during this time and have not clicked on any ads/pop-ups.
 
#12 ·
Here is the new log, CWShredder is most recent version as is Ad-Aware:

Logfile of HijackThis v1.97.2
Scan saved at 8:06:45 PM, on 04/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\VirusScan\Avsynmgr.exe
C:\Program Files\VirusScan\VsStat.exe
C:\Program Files\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HIJACKTH.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {086FABE3-4EF9-49DF-BE7D-60E34B528EDF} - C:\WINNT\system32\cae.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: wallmast.exe.lnk = C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://63.251.53.205/SpeedTests/245
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38039.4529513889
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB7CAF-1938-4CC4-B5D5-EE3C3713A359}: NameServer = 130.65.3.1,130.65.25.1

Looks like more random dlls! :down:
 
#15 ·
First copy these instructions to notepad. I'm going to have you do the fix in safe mode so you'll need these instrutions.

Make sure you have the latest version of CWShredder ie...1.56.1. Have it in a convenient location and ready to run in safe mode. You can Click here to download the latest version if you do not already have it. DO NOT run it yet.

Now copy the text inside the quote box to Notepad, and save it to your Desktop as remove.reg (make sure you save as type: 'all files'). DO NOT run it yet.

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
Now boot to safe mode.

How to start your computer in safe mode

In safe mode run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {086FABE3-4EF9-49DF-BE7D-60E34B528EDF} - C:\WINNT\system32\cae.dll


Next Doubleclick the remove.reg file you created earlier, and answer yes when prompted to add its contents to the Registry.

Finally run CWShredder and then boot back to normal and come back here and post another Hijack This log.
 
#18 ·
Hi Captain:)

Copy the BOLD to Notepad, and save in a location of your choice as remove.reg (make sure you save as type: 'all files')

REGEDIT4

[-HKEY_CURRENT_USER\Software\iSearch]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
\Explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000


Boot to safe mode.....
Run hijackthis again and put a checkmark against these entries....double check
in case you miss anything....
.....then,close all browser and outlook windows and "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {086FABE3-4EF9-49DF-BE7D-60E34B528EDF} - C:\WINNT\system32\cae.dll


Doubleclick Remove.reg, and answer yes when prompted to add its contents to the Registry.
Run CWShredder once more.....Boot back into normal mode and hopefully
its gone.
Fingers crossed.
;)
 
#19 ·
New log after flrman1's instructions:

Logfile of HijackThis v1.97.2
Scan saved at 7:51:12 PM, on 04/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\VirusScan\Avsynmgr.exe
C:\Program Files\VirusScan\VsStat.exe
C:\Program Files\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
C:\Program Files\HIJACKTH.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: wallmast.exe.lnk = C:\Temp\Jason's Transfered Stuff\WallMaster\wallmast.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://63.251.53.205/SpeedTests/245
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4EBD0320-3FA7-4234-9461-638469C74E25} - http://www.pinksandsmediagroup.com/external/cabs/packages/cab_4.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38039.4529513889
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB7CAF-1938-4CC4-B5D5-EE3C3713A359}: NameServer = 130.65.3.1,130.65.25.1

I haven't done what $teve posted above yet, will do that now.

ADDED: Did what $teve said above, will know soon if it comes back. :cool:
 
#24 ·
I've had the same darn about:this hijack
as Capt Morgan for the last week and I
can't seem to find the source file.

No matter how many of the random dll and bho's
I delete, about:blank always seems to come back
within 24 hrs.

I just ran the Shredder V. 1.56.2 and then ran a Hijack This
log and the dll's and about:this entry is still there!
Aren't these suppose to be deleted off my registry
after V. 1.56.2 is ran?
 
#25 ·
Ive just tried this on another poster and so far its worked......

Copy the bold text to Notepad, and save in a location of your choice as remove.reg (make sure you save as type: 'all files') Dont merge it yet.

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]


Download the latest CWShredder.

Click on th icon to bring it up but dont run it.

i) From the Start Menu go Start > Shutdown. This displays the system shutdown confirmation dialog.
ii) Press and hold Shift + Ctrl + Alt at the same time. While holding these three keys use the mouse to click the Cancel button.
Explorer will now shutdown.

Hit fix mode on shredder.....after its finnished Ctrl-Alt-Delete and restart explorer with the new task button.

Merge the regfile that you created.

Re-boot and this SHOULD be the last of it.
;)
 
Status
Not open for further replies.
You have insufficient privileges to reply here.
Top