Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

About:blank[RESOLVED]

Started by kari72 , May 10 2005 06:28 AM

  • This topic is locked This topic is locked

#1
kari72
Posted 10 May 2005 - 06:28 AM

kari72

    New Member

  • Member
  • Pip
  • 6 posts
My boss's computer is infected with the about:blank hijacker. I've run Adaware SE in safe mode and it finds the hijacker, but everytime I re-boot it re-infects itself. I'm not sure exactly which files to be looking for so I thought I'd start here. Below is my HijackThis log run from Safemode last night

Any thoughts on which keys to fix and where to look for the file that keeps re-infecting the system are much appreciated! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 7:45:05 PM, on 5/9/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\SPYWARE_TOOLS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by bright.net
O1 - Hosts: 64.91.226.21 #uto.search.msn.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {8883BEC1-B4C6-11D9-8320-4445A0AB0F55} - C:\WINDOWS\SYSTEM\JAPK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [PavProc] C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe
O4 - HKLM\..\RunServices: [PSIMSVC] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe"
O4 - Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {45231111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\01KCVEFY\epl7[1].cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O18 - Filter: text/html - {8883BEC0-B4C6-11D9-8320-4445CFE7AACE} - C:\WINDOWS\SYSTEM\JAPK.DLL
O18 - Filter: text/plain - {8883BEC0-B4C6-11D9-8320-4445CFE7AACE} - C:\WINDOWS\SYSTEM\JAPK.DLL
  • 0

Advertisements

#2
greyknight17
Posted 10 May 2005 - 10:31 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Download CWShredder http://www.greyknigh.../CWShredder.exe

Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98.

Disconnect from the net and close all programs. Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now run the CWShredder and hit the Fix button.

Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.
  • 0

#3
kari72
Posted 11 May 2005 - 08:01 AM

kari72

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I had my boss run the programs as you suggested and he received a message about the system being disinfected. Below is the new hijack log ran after all of the steps were complete. Unfortunately once he was done running the fixes he didn't stay on the computer to test to see if the problem was resolved :tazz:

**** Run Keys ****

RUN: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
RUN: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
RUN: [LexStart] Lexstart.exe
RUN: [LexmarkPrinTray] PrinTray.exe
RUN: [SystemTray] SysTray.Exe
RUN: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s


**** Browser Helper Objects ****

BHO: [Yahoo! Companion BHO] C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
BHO: [AcroIEHlprObj Class] C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX


**** IE Toolbars ****

TOOLBAR: [&Radio] C:\WINDOWS\SYSTEM\MSDXM.OCX
TOOLBAR: [Yahoo! Companion] C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL


**** IE Extensions ****



**** Hosts File Entries ****



**** IE Settings ****

Default Page: http://www.microsoft...er=6&ar=msnhome
Default Search: http://www.microsoft...=ie&ar=iesearch
Local Page: C:\WINDOWS\SYSTEM\blank.htm
Search Bar: res://c:\windows\TEMP\se.dll/spage.html


**** IE Context Menu (Right click) ****



**** Layered Service Providers ****

LSP: PAV_LAYERED over [MS.w95.spi.tcp]
LSP: PAV_LAYERED over [MS.w95.spi.udp]
LSP: MS.w95.spi.tcp
LSP: MS.w95.spi.udp
LSP: MS.w95.spi.rsvptcp
LSP: MS.w95.spi.rsvpudp


**** Blocked Control Panel Items ****

BLOCKED: []


**** Downloaded Program Files ****

{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://fpdownload.ma...sh/swflash.cab]
{90C9629E-CD32-11D3-BBFB-00105A1F0D68} [http://www.installen...ine/isetup.cab] C:\WINDOWS\Downloaded Program Files\iSetup.exe C:\WINDOWS\Downloaded Program Files\iSetup.dll
{166B1BCA-3F9C-11CF-8075-444553540000} [http://fpdownload.ma...irector/sw.cab]
{45231111-1111-1111-1111-111111113458} [file://C:\WINDOWS\Tempor~1\Content.IE5\01KCVEFY\epl7[1].cab]
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} [http://us.dl1.yimg.c...st20040510.cab]


**** Windows Services ****



**** Custom IE Search Items ****

SEARCH: [CustomizeSearch]
SEARCH: [SearchAssistant_bak] http://www.znext.com/ie/
SEARCH: [] http://www.hand-book.com/search/
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm
SEARCH: [] http://www.hand-book.com/search/


**** Complete IE Options ****

IEOPT: [ChannelsURL] http://www.iechannel...de/en/en_us.asp
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\SYSTEM\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Show_ChannelBand] no
IEOPT: [Use FormSuggest] no
IEOPT: [FormSuggest Passwords] yes
IEOPT: [FormSuggest PW Ask] yes
IEOPT: [Search Bar] res://c:\windows\TEMP\se.dll/spage.html
IEOPT: [Use Custom Search URL]
IEOPT: [NotifyDownloadComplete] no
IEOPT: [FullScreen] no
IEOPT: [LastCheckedHi]
IEOPT: [Window_Placement] ,
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [AddToFavoritesExpanded]
IEOPT: [HistoryViewType]
IEOPT: [Default Font Size]
IEOPT: [Display Inline Videos] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Default_Search_URL]
IEOPT: [HomeSet] ya
IEOPT: [BandRest] Never
IEOPT: [Start Page_bak] http://www.yahoo.com/
IEOPT: [Search Bar_bak] http://www.xupiter.com/search2.html
IEOPT: [Search Page_bak] http://www.znext.com/ie/
IEOPT: [Use Search Assistant] no
IEOPT: [Disable Script Debugger] yes
IEOPT: [Window Title] Microsoft Internet Explorer provided by bright.net
IEOPT: [AutoSearch]
IEOPT: [Toolbars_Placement] AÚB•§E· ‚éXH 7Î3xplorer provided by bright.net
IEOPT: [Use Search Asst] no
IEOPT: [Default_Page_URL] http://www.microsoft...er=6&ar=msnhome
IEOPT: [Default_Search_URL] http://www.microsoft...=ie&ar=iesearch
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] c:\windows\SYSTEM\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Search Bar] res://c:\windows\TEMP\se.dll/spage.html
IEOPT: [Wizard_Version] 6.00.2800.1106
IEOPT: [Update_Check_Page] http://www.microsoft....0&Ar=ie5update
IEOPT: [Update_Check_Interval]
IEOPT: [Custom_Key] MICROSO
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [BigBitmap] C:\PROGRA~1\INTERN~1\Signup\38x38static.bmp
IEOPT: [SmallBitmap] C:\PROGRA~1\INTERN~1\Signup\22x22static.bmp
IEOPT: [Window Title] Microsoft Internet Explorer provided by bright.net
IEOPT: [FullScreen] no
IEOPT: [BandRest] Never
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL]
  • 0

#4
greyknight17
Posted 11 May 2005 - 06:30 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
That is NOT the HijackThis log. The HijackThis log should look similar to what you posted originally.
  • 0

#5
kari72
Posted 13 May 2005 - 08:13 AM

kari72

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Sorry about that. I'll have him run a new HijackThis log and I'll post that information.
  • 0

#6
kari72
Posted 17 May 2005 - 06:18 AM

kari72

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I ran another HiJackThis log last night. I also ran the CWShredder and SPFix per your original instructions. The SPFix came back *System not infected*, but the CWShredder program said it removed CWS.SVCHOST32. If I log off and log back on and run CWShredder again, it finds the CWS.SVCHOST32 file each time. Is there another file I need to be looking for?

Thanks again! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 5:29:36 PM, on 5/16/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2004\PSIMSVC.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2004\APVXDWIN.EXE
C:\PROGRAM FILES\CITRIX\ICA CLIENT\PNAGENT.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\TOOLS_95\IMGICON.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2004\WEBPROXY.EXE
C:\SPYWARE_TOOLS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by bright.net
O1 - Hosts: 64.91.226.21 #uto.search.msn.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [PavProc] C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe
O4 - HKLM\..\RunServices: [PSIMSVC] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe"
O4 - Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {45231111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\01KCVEFY\epl7[1].cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
  • 0

#7
greyknight17
Posted 17 May 2005 - 07:25 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Could be. Let's see if it's still finding that after doing the below fix.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Don't run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hand-book.com/search/
O1 - Hosts: 64.91.226.21 #uto.search.msn.com
O16 - DPF: {45231111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\01KCVEFY\epl7[1].cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab

Run SpSeHjFix again and post the log here if it finds anything.

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.
  • 0

#8
kari72
Posted 19 May 2005 - 06:54 AM

kari72

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ran through your instructions. Here is the resulting HijackThis log. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 9:26:36 PM, on 5/18/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2004\PSIMSVC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2004\APVXDWIN.EXE
C:\PROGRAM FILES\CITRIX\ICA CLIENT\PNAGENT.EXE
C:\TOOLS_95\IMGICON.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2004\WEBPROXY.EXE
C:\SPYWARE_TOOLS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by bright.net
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [PavProc] C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe
O4 - HKLM\..\RunServices: [PSIMSVC] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe"
O4 - Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
  • 0

#9
greyknight17
Posted 19 May 2005 - 07:25 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I think we got it :tazz:

Your log is clean.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#10
kari72
Posted 19 May 2005 - 12:30 PM

kari72

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
No problems that I can detect. Thanks for all your help!
  • 0

#11
greyknight17
Posted 19 May 2005 - 12:42 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP