Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 4 of 4 Posts

·
Registered
Joined
·
237 Posts
Discussion Starter · #1 ·
I'm gettin all sorts of popups.

An uninvited program called WareOut has appeared on my computer.

Something keeps starting my internet explorer with "about:blank" in the address bar.

Something else keeps trying to change this value to a long string with lot's of "%" signs in it

I think I've been malwared.

I removed "WareOut" using the control panel install/uninstall but I see there is still an "run" entry for it in the Hijack log.

I had been running spybot and adaware programs but *today* downloaded, installed, updeted and ran the latest
Spybot S&D 1.3, Adaware SE, and SpyBlaster 3.2.

Found and fixed over 100 issues but still the popups persist.

I also have the latest Norton AV that I update and run regularly

Below is a HijackThis log

What can I do?

ADDED INFO>>>>>

I've read MFDnCS's advice to pkboucher regarding about:blank
http://forums.techguy.org/t321144.html
and have downloaded the indicated files but cannot install or run them when IExplorer is not running because whenever I close IE it pops up again. I've tried to rename IEXPLORE.exe to keep it from popping up but the system won't let me (says its in use). Can this be done with iexplore running? in the alternative, how can I stop it form running.

Logfile of HijackThis v1.99.0
Scan saved at 1:05:04 PM, on 1/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ZIPCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\IPCFG.EXE
C:\WINDOWS\SYSTEM\SCANDS32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ZIPCD\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROTEK\SCANWIZARD 5\SCANNERFINDER.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\GREG\TRIALEXES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\MCICDB.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\MCICDB.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\MCICDB.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\MCICDB.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\MCICDB.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\MCICDB.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - {44A530F2-72BD-5100-C012-61EDC15643FC} - xwiz.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\SYSTEM\SPM1316.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\SYSTEM\WER1316.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINDOWS\SYSTEM\MAX8264.DLL
O2 - BHO: (no name) - {B6478460-675D-11D9-A377-000D8858D528} - C:\WINDOWS\SYSTEM\MSTIU.DLL
O2 - BHO: (no name) - {8689FF25-6816-11D9-A377-000DC6D51799} - C:\WINDOWS\SYSTEM\MCICDB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IECUST.DLL
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ZIPCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [ipcfg.exe] C:\WINDOWS\SYSTEM\IPCFG.EXE
O4 - HKLM\..\Run: [scands32.exe] C:\WINDOWS\SYSTEM\SCANDS32.EXE
O4 - HKLM\..\Run: [srbho] ftbar.exe
O4 - HKLM\..\Run: [InpriseMon] systemdll.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ZIPCD\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [TForm1] 321102.exe
O4 - HKCU\..\Run: [startman] AppMasterCenter.exe
O4 - HKCU\..\Run: [MNTP] wormexe.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\REFRESH.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.31
O18 - Filter: text/html - {99F981E1-6A1A-11D9-A377-000D0243E123} - C:\WINDOWS\SYSTEM\MCICDB.DLL
O18 - Filter: text/plain - {99F981E1-6A1A-11D9-A377-000D0243E123} - C:\WINDOWS\SYSTEM\MCICDB.DLL
 

·
Registered
Joined
·
49,014 Posts
Download About:Buster from:
http://downloads.subratam.org/AboutBuster.zip unzip it

Print this out and boot to safe mode

Double click aboutbuster.exe, click Update, click OK, click Start, then click OK.
This will scan your computer for the bad files and delete them.

Fix these with HJT

Fix every R0 and R1 entry

R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

R3 - URLSearchHook: (no name) - {44A530F2-72BD-5100-C012-61EDC15643FC} - xwiz.dll (file missing)

O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\SYSTEM\SPM1316.DLL

O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\SYSTEM\WER1316.DLL

O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINDOWS\SYSTEM\MAX8264.DLL

O2 - BHO: (no name) - {B6478460-675D-11D9-A377-000D8858D528} - C:\WINDOWS\SYSTEM\MSTIU.DLL

O2 - BHO: (no name) - {8689FF25-6816-11D9-A377-000DC6D51799} - C:\WINDOWS\SYSTEM\MCICDB.DLL

O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IECUST.DLL

O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe

O4 - HKLM\..\Run: [ipcfg.exe] C:\WINDOWS\SYSTEM\IPCFG.EXE

O4 - HKLM\..\Run: [scands32.exe] C:\WINDOWS\SYSTEM\SCANDS32.EXE

O4 - HKLM\..\Run: [srbho] ftbar.exe

O4 - HKLM\..\Run: [InpriseMon] systemdll.exe

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

O4 - HKCU\..\Run: [TForm1] 321102.exe

O4 - HKCU\..\Run: [startman] AppMasterCenter.exe

O4 - HKCU\..\Run: [MNTP] wormexe.exe

O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe

O18 - Filter: text/html - {99F981E1-6A1A-11D9-A377-000D0243E123} - C:\WINDOWS\SYSTEM\MCICDB.DLL

O18 - Filter: text/plain - {99F981E1-6A1A-11D9-A377-000D0243E123} - C:\WINDOWS\SYSTEM\MCICDB.DLL

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files - Pay close attention to the spelling

C:\WINDOWS\SYSTEM\SPM1316.DLL
C:\WINDOWS\SYSTEM\WER1316.DLL
C:\WINDOWS\SYSTEM\MAX8264.DLL
C:\WINDOWS\SYSTEM\MSTIU.DLL
C:\WINDOWS\SYSTEM\MCICDB.DLL
C:\WINDOWS\SYSTEM\IECUST.DLL
C:\WINDOWS\SYSTEM\MCICDB.DLL
C:\WINDOWS\SYSTEM\IPCFG.EXE
C:\WINDOWS\SYSTEM\SCANDS32.EXE

Delete this folder
C:\Program Files\WareOut

START – RUN – key in %temp% - Edit – Select all – File – Delete

Empty the recycle bin

Boot and post a new log
 

·
Registered
Joined
·
237 Posts
Discussion Starter · #3 ·
Thank you for your your help. It is much appreciated

A NEW HJT log is appended below

A am sure that all files were unhidden BUT...

Delete these files - Pay close attention to the spelling

C:\WINDOWS\SYSTEM\SPM1316.DLL
C:\WINDOWS\SYSTEM\WER1316.DLL
C:\WINDOWS\SYSTEM\MAX8264.DLL
C:\WINDOWS\SYSTEM\MSTIU.DLL
C:\WINDOWS\SYSTEM\MCICDB.DLL
C:\WINDOWS\SYSTEM\IECUST.DLL
C:\WINDOWS\SYSTEM\MCICDB.DLL
C:\WINDOWS\SYSTEM\IPCFG.EXE
C:\WINDOWS\SYSTEM\SCANDS32.EXE

MCICDB.dll was not present

and there were no .dll's for

SPM1316
WER1316
MAX8264

but there were both .ini's and *.tmp's with these three names

1) Think AboutBuster might have deleted the dll's or perhaps removed when I removed WareOut?
2) Should I also delete the .ini's and .tmp's or doesn't it matter?

So far so good... No popups at this time

>>>>Where is there a website or can you point me to some books where I can begin to read up about these sorts of malware takeovers so I can get smart about them myself?

Logfile of HijackThis v1.99.0
Scan saved at 4:14:04 PM, on 1/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ZIPCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ZIPCD\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROTEK\SCANWIZARD 5\SCANNERFINDER.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\MY DOCUMENTS\GREG\TRIALEXES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ZIPCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ZIPCD\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\REFRESH.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.31
 

·
Registered
Joined
·
49,014 Posts
You assumptions are correct about them possibly being remove

The only book I know of is the school of hard knocks and I still have a ton to learn

If you feel it is solved, mark it solved via thread tools above - it looks clean
 
1 - 4 of 4 Posts
Status
Not open for further replies.
Top