about:blank



#1 Belgjer (Member, 12 posts)
Hey,
When I try to go to my Yahoo mail, Hotmail mail and Windows Update, I always end up at the same page, about:blank. But the page is not blank, it's a search page. Before I can do anything I get some popups.
It's so annoying, I really get :tazz:
Please help.

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 20:26:03, on 11/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVW32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WOUTER\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0351E00E-80E3-4473-813D-DEEA0460ED34} - C:\WINDOWS\SYSTEM\BOJGFA.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {F4932CAE-BCF8-4B39-AFB5-08D16C5F56C2} - C:\WINDOWS\SYSTEM\BOJGFA.DLL
O18 - Filter: text/plain - {F4932CAE-BCF8-4B39-AFB5-08D16C5F56C2} - C:\WINDOWS\SYSTEM\BOJGFA.DLL

#2 don77 (Malware Expert, Retired Staff, 18,526 posts)
Hi and welcome Belgjer

Download and install Cleanup

Also download the following program:
CWShredder
It should be the current version, but check for updates.
“Don’t run it yet”

Please download and install Ad-aware.
Setting up Ad-aware - please make sure you update it first.

Next, reboot into 'SAFE MODE' (by tapping the F8 key on start up).
Please restart HJT, put a check next to the following if they still exist, close all open windows and click “Fix Checked”:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0351E00E-80E3-4473-813D-DEEA0460ED34} - C:\WINDOWS\SYSTEM\BOJGFA.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O18 - Filter: text/html - {F4932CAE-BCF8-4B39-AFB5-08D16C5F56C2} - C:\WINDOWS\SYSTEM\BOJGFA.DLL
O18 - Filter: text/plain - {F4932CAE-BCF8-4B39-AFB5-08D16C5F56C2} - C:\WINDOWS\SYSTEM\BOJGFA.DLL


Make sure you can view all hidden files and folders (View all Hidden Files/Folders), then search for and delete the following in BOLD if still present:

C:\WINDOWS\SYSTEM\BOJGFA.DLL
C:\WINDOWS\TEMP\SE.DLL

Next,
Run CWShredder and have it fix anything it finds.
Make sure you click the “Fix” button.

Next,
Open Cleanup! Click on "Clean up now" and let it run.
When it has finished, click NO when asked to reboot now.

Next,
Scan with Ad-aware and have it remove what it finds.

Restart your computer.

Post back a fresh HJT log please.
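The triage don77 does by hand in the post above (pick out the hijacked R0/R1 search entries, the no-name BHO, the rundll32 autostart out of TEMP, the Trusted Zone addition and the text/html and text/plain MIME filters, then derive the list of files to delete) can be written down as a small rule set that runs over a HijackThis log. The following Python script is an added example, not code from this thread, from HijackThis or from Geeks to Go. The log lines it parses are a constructed sample modelled on the entries quoted in this thread, and the rules themselves (for instance "flag every O15 entry" and "flag any rundll32 autostart that loads from a TEMP folder") are the example's own assumptions rather than HijackThis logic.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format, modelled on the entries quoted in
# this thread. Two of the O4 lines are benign so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {0351E00E-80E3-4473-813D-DEEA0460ED34} - C:\WINDOWS\SYSTEM\BOJGFA.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O18 - Filter: text/html - {F4932CAE-BCF8-4B39-AFB5-08D16C5F56C2} - C:\WINDOWS\SYSTEM\BOJGFA.DLL
O18 - Filter: text/plain - {F4932CAE-BCF8-4B39-AFB5-08D16C5F56C2} - C:\WINDOWS\SYSTEM\BOJGFA.DLL
"""

# "R1 - <body>" / "O18 - <body>": the section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A Windows path ending in a module extension; stops at ',' or whitespace so the
# ",DllInstall" export name after a rundll32 target is not swallowed.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,]+?\.(?:dll|exe)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(log_text):
    """Yield (section, body, full_line) for every entry line; headers and process lists are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def classify(section, body):
    """Return a reason string if the entry matches one of the hijack patterns, else None."""
    lowered = body.lower()
    if section in ("R0", "R1"):
        # The value after '=' is the configured search/start page.
        value = body.split("=", 1)[1].strip().lower() if "=" in body else ""
        if value.startswith("res://") or value == "about:blank":
            return "IE search/start page points at a DLL resource or about:blank"
    elif section == "O2" and "(no name)" in body:
        return "Browser Helper Object registered without a name"
    elif section == "O4" and "rundll32" in lowered and "\\temp\\" in lowered:
        return "autostart loads a DLL out of a TEMP folder via rundll32"
    elif section == "O15":
        return "domain added to the IE Trusted Zone"
    elif section == "O18" and re.match(r"Filter: text/(html|plain)\b", body):
        return "MIME filter hooked on text/html or text/plain"
    return None


def triage(log_text):
    """Run the rules over a whole log and return the flagged entries in log order."""
    findings = []
    for section, body, line in parse_entries(log_text):
        reason = classify(section, body)
        if reason:
            findings.append(Finding(section, line, reason))
    return findings


def implicated_files(findings):
    """Collect the on-disk modules referenced by flagged entries: the 'search for and delete' list."""
    paths = set()
    for f in findings:
        for m in PATH_RE.finditer(f.line):
            paths.add(m.group(0).upper())   # Win9x paths are case-insensitive; normalise for dedup
    return sorted(paths)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    print("\nFiles referenced by flagged entries:")
    for p in implicated_files(found):
        print("  " + p)
```

On the constructed sample the script flags seven entries and reduces them to the same two files don77 asks for, BOJGFA.DLL and SE.DLL. The rules are deliberately narrow (an O15 or O18 entry on its own is not proof of anything), so the output is a list to review, not a list to delete blindly.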

#3 Belgjer (Topic Starter, Member, 12 posts)
Hey,

Thanks for the help Don77.

I followed your instructions but I have had some problems:
- I was not able to delete the two files (c:\windows\system\bojgfa.dll and c:\windows\temp\se.dll). I get the message that the files are possibly in use by Windows.

- When I ran Ad-aware I got the same message: "not able to remove se.dll". I was prompted to run Ad-aware at the next startup.

- I rebooted, Ad-aware started but Norton did stop the file c:\_restore\temp\a000782.cpy. Norton could not repair, quarantine or delete the file. I had no choice but to pull the plug.

Here is my log again:

Logfile of HijackThis v1.99.1
Scan saved at 23:35:02, on 13/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WOUTER\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {F065FE96-C6BA-4F6E-B04A-5954DA5FC588} - C:\WINDOWS\SYSTEM\BOJGFA.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {49C56254-E961-4B48-9B29-C7A8E021548A} - C:\WINDOWS\SYSTEM\BOJGFA.DLL
O18 - Filter: text/plain - {49C56254-E961-4B48-9B29-C7A8E021548A} - C:\WINDOWS\SYSTEM\BOJGFA.DLL

#4 don77 (Malware Expert, Retired Staff, 18,526 posts)
Belgjer,
Make sure the tools are updated and perform the recommended fixes while in safe mode.
If you are having trouble booting to safe mode, see This

#5 Belgjer (Topic Starter, Member, 12 posts)
Don77,
OK, I updated all the tools and booted in safe mode.

I ran HJT several times but one thing always came back:
- O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

I was still not able to delete bojgfa.dll and se.dll, but Ad-aware SE removed it the second time (at startup). When I looked in Explorer I could not find them any more.

CWShredder removed CWS.HiddenDll

Something I forgot to mention: every time I start IE, Norton reports that se.dll was repaired.

After rebooting in normal mode I got this log:

Logfile of HijackThis v1.99.1
Scan saved at 12:03:21, on 14/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WOUTER\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {DB0CEBA1-3208-499D-A7F6-F9571A0FA334} - C:\WINDOWS\SYSTEM\BOJGFA.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {AA514F4A-DB3C-4DCE-B04D-2A4E4999ACC5} - C:\WINDOWS\SYSTEM\BOJGFA.DLL
O18 - Filter: text/plain - {AA514F4A-DB3C-4DCE-B04D-2A4E4999ACC5} - C:\WINDOWS\SYSTEM\BOJGFA.DLL

#6 don77 (Malware Expert, Retired Staff, 18,526 posts)
Follow the instructions Here

Run CWShredder again please.

Next,
Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan

You should try to delete any files that these scanners are unable to clean. Then let us know if it's working better and what the scans found.

Then scan again with HijackThis and post another log.

Edited by don77, 14 March 2005 - 06:42 AM.


#7 Belgjer (Topic Starter, Member, 12 posts)
Don77,
The link 'follow the instructions HERE' went straight to the search page and the popups.
CWShredder removed CWS.HiddenDll and prompted me to reboot, but the system hung time after time. I started in safe mode and CWShredder removed CWS.HiddenDll again. Next was a clean startup in normal mode; CWShredder found nothing.
I started to run the HouseCall scan but in the middle of the scan my PC blocked again. I rebooted and saw that there was no mouse pointer and it looked like safe mode, but it was not!!! I could connect to the internet.
I could not reach the HouseCall scan without my mouse.

ActiveScan found the following:

Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\hmbgfaa.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\nkha.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\aedeh.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\oolhb.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\xmltok.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\SYSTEM\eerre.exe
Adware:Adware/BTGrab No disinfected C:\WINDOWS\INF\BTGRAB.INF
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmlparse_.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmltok_.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\eerre.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\preotect.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\preotect.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\eerre.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\Wouter\HijackThis\backups\backup-20050223-210810-221.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\Wouter\HijackThis\backups\backup-20050224-204045-769.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\Wouter\HijackThis\backups\backup-20050313-222929-308.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\Wouter\HijackThis\backups\backup-20050314-111920-464.dll
Adware:Adware/ISearch No disinfected C:\htt.exe

#8 Belgjer (Topic Starter, Member, 12 posts)
Here is my HJT log again:

Logfile of HijackThis v1.99.1
Scan saved at 19:49:18, on 16/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WOUTER\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {EBDB21DC-D15B-4793-970C-7BF08DFA183B} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O18 - Filter: text/html - {52F707F4-86F5-43FD-96AC-1C96E26EC88B} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O18 - Filter: text/plain - {52F707F4-86F5-43FD-96AC-1C96E26EC88B} - C:\WINDOWS\SYSTEM\MHKHJ.DLL

#9 don77 (Malware Expert, Retired Staff, 18,526 posts)
Need you to reboot to safe mode. Make sure CWS and Ad-aware are updated prior.
Need you to search for and delete the following if found. Check the items in red in Add/Remove Programs and remove if found:

Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\hmbgfaa.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\nkha.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\aedeh.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\oolhb.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\xmltok.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\SYSTEM\eerre.exe
Adware:Adware/BTGrab No disinfected C:\WINDOWS\INF\BTGRAB.INF
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmlparse_.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmltok_.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\eerre.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\preotect.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\preotect.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\eerre.exe
C:\WINDOWS\TEMP\se.dll
C:\WINDOWS\SYSTEM\MHKHJ.DLL


Please restart HJT, put a check next to the following if they still exist, close all open windows and click “Fix Checked”:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {EBDB21DC-D15B-4793-970C-7BF08DFA183B} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O18 - Filter: text/html - {52F707F4-86F5-43FD-96AC-1C96E26EC88B} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O18 - Filter: text/plain - {52F707F4-86F5-43FD-96AC-1C96E26EC88B} - C:\WINDOWS\SYSTEM\MHKHJ.DLL


Now run a scan with CWShredder and Ad-aware.

Reboot to normal mode and run another scan with ActiveScan.
Let us know what it finds please.

Post back a fresh log please.

#10 Belgjer (Topic Starter, Member, 12 posts)
CWShredder removed CWS.HiddenDll and Ad-aware removed se.dll again at the second scan (startup).
ActiveScan seems to be infected as well. After the link 'scan my pc' I end up at the search page with popups.

Here is my HJT log again:

Logfile of HijackThis v1.99.1
Scan saved at 20:02:25, on 17/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WOUTER\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {521FF3B9-DC51-4CD2-B39F-89F8EFC8DEF2} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O18 - Filter: text/html - {D9B79A4F-9C9B-40F3-9002-F2D6846C44DD} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O18 - Filter: text/plain - {D9B79A4F-9C9B-40F3-9002-F2D6846C44DD} - C:\WINDOWS\SYSTEM\MHKHJ.DLL

#11 don77 (Malware Expert, Retired Staff, 18,526 posts)
For some reason this is proving to be a real pest; this bug hides deep on us. Please do the following:

Download: "StartDreck",
Here
Unzip to its own folder and start the program.

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running Processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application).

Post the log in this thread.

Edited by don77, 17 March 2005 - 09:42 PM.


#12 Belgjer (Topic Starter, Member, 12 posts)
Here is my StartDreck log:

StartDreck (build 2.1.7 public stable) - 2005-03-18 @ 17:59:40 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 5.50.4134.0100
Logged in as Sioen at WOUTER

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMON.EXE
*C-Media Mixer=Mixer.exe /startup
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
»RunServicesOnce
**hdo=rundll32 C:\WINDOWS\SCANRGG.INI,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FF0F663D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF2095=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF8F91=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE47E5=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFFAF3D=C:\WINDOWS\RUNDLL32.EXE
+FFFE11B1=C:\WINDOWS\EXPLORER.EXE
+FFFE565D=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFD58E5=C:\WINDOWS\TASKMON.EXE
+FFFD722D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD81D9=C:\WINDOWS\MIXER.EXE
+FFFDFE31=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFCB891=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFE971D=C:\WOUTER\STARTDRECK.EXE
»Application specific

#13 don77 (Malware Expert, Retired Staff, 18,526 posts)
Win98.fix
Unzip Win98fix.zip to your desktop.

Double-click on the Win98fix.reg file and hit 'Yes'
on the prompt!
- Restart computer!
- File should be visible!
- Do 'Find Files' for and delete: C:\WINDOWS\SYSTEM\SCANRGG.INI

Download the latest version of Spybot 1.3. Please check it for updates, run the program and have it fix anything it finds in red.
Restart your computer.

Run another scan with CWShredder. Be sure to click the "Fix" button.
Restart again,

and post back a fresh log please.
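The StartDreck log in post #12 shows why the HijackThis fixes kept being undone: a RunServicesOnce value restarts the hijacker through `rundll32 C:\WINDOWS\SCANRGG.INI,DllGetClassObject`, which is a DLL hiding behind an .INI extension so that file searches for DLLs and casual inspection both miss it. An autorun review can catch that pattern mechanically: parse the Run keys, extract every module rundll32 is told to load, flag any whose extension is not a normal module extension, and then confirm by looking at the file's first bytes for a PE header instead of trusting the name. The Python below is an added example, not code from this thread, from StartDreck or from Geeks to Go. The log excerpt it parses is a constructed sample in the StartDreck layout shown in post #12, and the two file contents it inspects (`FAKE_PE_BYTES`, `REAL_INI_BYTES`) are constructed in the script so that it runs without the infected machine.

```python
import ntpath
import re
import struct

# Constructed excerpt in StartDreck's "Registry / Run Keys" layout, modelled on the log in
# this thread: '»' lines are headings, '*Name=command' lines are values, and StartDreck
# prefixes every value name with '*', so '**hdo' is the value named '*hdo'.
SAMPLE_STARTDRECK = r"""
»Registry
»Run Keys
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServices
*SchedulingAgent=mstask.exe
»RunServicesOnce
**hdo=rundll32 C:\WINDOWS\SCANRGG.INI,DllGetClassObject
»Files
"""

HIVES = {"Current User", "Default User", "Local Machine"}
# Extensions rundll32 is normally asked to load; anything else deserves a look.
NORMAL_MODULE_EXTENSIONS = {".dll", ".cpl", ".ocx"}
# "rundll32 <module>,<export>", with or without the .exe suffix, any case.
RUNDLL32_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<module>[^,]+),(?P<export>\S+)", re.IGNORECASE)


def parse_run_values(log_text):
    """Return (hive\\key, value_name, command) triples for every '*' value line under a hive heading."""
    results = []
    hive, key = None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("»"):
            heading = line[1:]
            if heading in HIVES:
                hive = heading
            elif hive is not None:
                key = heading
        elif line.startswith("*") and "=" in line and hive is not None:
            name, command = line[1:].split("=", 1)   # strip StartDreck's leading '*' marker only
            results.append((f"{hive}\\{key}", name, command))
    return results


def rundll32_module(command):
    """Return the module path rundll32 is told to load, or None for any other command."""
    m = RUNDLL32_RE.match(command.strip())
    return m.group("module").strip() if m else None


def suspicious_rundll32_entries(log_text):
    """Autorun values that make rundll32 load a module without a normal module extension."""
    flagged = []
    for key, name, command in parse_run_values(log_text):
        module = rundll32_module(command)
        if module is None:
            continue
        ext = ntpath.splitext(module)[1].lower()   # ntpath: Windows path rules on any host
        if ext not in NORMAL_MODULE_EXTENSIONS:
            flagged.append((key, name, module))
    return flagged


def looks_like_pe(data):
    """True if the bytes start with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_disguised_module(path, data):
    """A PE signature behind a non-module extension is the tell; 'data' is the file's first bytes."""
    ext = ntpath.splitext(path)[1].lower()
    return ext not in NORMAL_MODULE_EXTENSIONS and looks_like_pe(data)


def _build_fake_pe():
    # Minimal DOS stub + PE signature, enough for the header check; not a loadable image.
    hdr = bytearray(0x48)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


FAKE_PE_BYTES = _build_fake_pe()                    # constructed: what a renamed DLL's header looks like
REAL_INI_BYTES = b"[Settings]\r\nOptimize=1\r\n"    # constructed: what a genuine .INI file starts with


if __name__ == "__main__":
    for key, name, module in suspicious_rundll32_entries(SAMPLE_STARTDRECK):
        print(f"{key} [{name}] loads {module} via rundll32")
        # On the real machine you would open(module, 'rb').read(4096) here.
        for label, data in (("constructed PE bytes", FAKE_PE_BYTES), ("constructed INI bytes", REAL_INI_BYTES)):
            print(f"  {label}: disguised module = {is_disguised_module(module, data)}")
```

On the sample the only hit is the `*hdo` value under Local Machine\RunServicesOnce, and the header check is what separates a renamed DLL from a genuine .INI with an odd autorun entry; reading the file in binary rather than opening it in a text editor is the point, because on this thread's machine the file also hid behind the hidden attribute that Win98fix.reg had to clear first.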

#14 Belgjer (Topic Starter, Member, 12 posts)
The win98fix.zip was a dead link so I downloaded it elsewhere.

c:\windows\system\scanrgg.ini was not present. I did find c:\windows\scanreg.ini. Should I delete that file?

I could not reach the update button for Spybot S&D (no mouse, this is starting to get on my nerves). The same for the button to remove the red items: not reachable without a mouse.

Please help me.

#15 don77 (Malware Expert, Retired Staff, 18,526 posts)
No, leave scanreg.ini, it is legit.

Download Pocket Killbox from Here. Paste the full file path (C:\WINDOWS\SCANRGG.INI) in the box and click on "Delete on Reboot". Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes".

Next,

Please restart HJT, put a check next to the following, close all open windows and click “Fix Checked”:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {521FF3B9-DC51-4CD2-B39F-89F8EFC8DEF2} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O18 - Filter: text/html - {D9B79A4F-9C9B-40F3-9002-F2D6846C44DD} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O18 - Filter: text/plain - {D9B79A4F-9C9B-40F3-9002-F2D6846C44DD} - C:\WINDOWS\SYSTEM\MHKHJ.DLL


Next, reboot into SAFE MODE. Make sure you can view all Hidden Files/Folders, then search for and delete the files highlighted in BOLD:

C:\WINDOWS\TEMP\se.dll
C:\WINDOWS\SYSTEM\MHKHJ.DLL

Restart your computer. Post back a fresh log please.