
Outpostupdate/ Kernel32.dll and about:blank [HJT Log]

Discussion in 'Malware and Virus Removal Archive' started by acidburn942, 2005/09/03.

  1. 2005/09/03
    acidburn942 (Thread Starter)

    I'm pretty sure these two are somehow linked. I've had about:blank before and I removed it safely on my other computer. However, repeating the same method doesn't remove it on this computer. Here's my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:28:48, on 03/09/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\OUTPOSTUPDATE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWEBCAP.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\NETGEAR\MA111 CONFIGURATION UTILITY\WLANCFG4.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\MY DOCUMENTS\ADAWARE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btinternet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE "
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTinternet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5C32E5D1-BCAE-4FE6-A12B-503632A27589} - C:\WINDOWS\SYSTEM\NHLM.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINDOWS\SYSTEM\CRAZYTALK.DLL,DllServeMediaFile
    O4 - HKLM\..\Run: [ASRInst] C:\WINDOWS\SYSTEM\regsvr32.exe "C:\Program Files\Panasonic\SD-JukeboxV4\Filters\ASRFilter.ax" /s
    O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWebCap.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
    O4 - HKCU\..\RunServices: [PPWebCap] C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWebCap.exe
    O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
    O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\nsched32.exe
    O4 - Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\MYDOCU~1\123456~1\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\MYDOCU~1\123456~1\bin\npjpi142_03.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {156731E1-D652-11D1-BE03-00A0C9111212} (ATLSBNCheck Class) - http://msdn.microsoft.com/downloads/samples/internet/sbncheck.cab
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/btwebcontrol012.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
    O18 - Filter: text/html - {851B7F7B-FEA9-41F7-90AD-A7D990FA6C43} - C:\WINDOWS\SYSTEM\NHLM.DLL
    O18 - Filter: text/plain - {851B7F7B-FEA9-41F7-90AD-A7D990FA6C43} - C:\WINDOWS\SYSTEM\NHLM.DLL
     
  2. 2005/09/03
    oshwyn5

    You have an SCBar/SearchExe variant.

    Please follow the removal instructions here at doxdesk
    http://www.doxdesk.com/parasite/NetworkEssentials.html

    Note that "%WinDir%\System" means in your case C:\Windows\System

    You have the Troj/Cosiam-C proxy Trojan.
    http://www.sophos.com/virusinfo/analyses/trojcosiamc.html
    We will remove this entry with HijackThis and then delete the file manually:
    O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe


    Please restart your computer in safe mode
    How to boot to safe mode

    Next, please run HijackThis with all other windows closed, select the following entries, and choose Fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
    O2 - BHO: (no name) - {5C32E5D1-BCAE-4FE6-A12B-503632A27589} - C:\WINDOWS\SYSTEM\NHLM.DLL
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
    O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
    O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
    O4 - HKCU\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
    Note that there are four outpostupdate entries; get them all.
    O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/tem...bcontrol012.cab
    O18 - Filter: text/html - {851B7F7B-FEA9-41F7-90AD-A7D990FA6C43} - C:\WINDOWS\SYSTEM\NHLM.DLL
    O18 - Filter: text/plain - {851B7F7B-FEA9-41F7-90AD-A7D990FA6C43} - C:\WINDOWS\SYSTEM\NHLM.DLL
    Again, get both entries; these are the other half of the trojan.

    The following should be fixed if you do not recognize them:
    O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.i...llInstaller.exe

    How to show hidden files
    Make sure to check show hidden and system files, uncheck hide known extensions, and uncheck hide protected files.
    Please locate and delete these files.
    C:\WINDOWS\TEMP\se.dll
    C:\WINDOWS\SYSTEM\NHLM.DLL
    C:\WINDOWS\SYSTEM\outpostupdate.exe


    Empty recycle bin.
    Disable system restore
    How to disable system restore
    Go to Start > Run, type in %temp%, and select and delete EVERYTHING that comes up.

    Delete the files and folders in the following directories (but not the directory itself; for example, delete all files and folders IN Temp, but not Temp itself!):
    - C:\Windows\Temp\
    - C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
    - C:\Documents and Settings\<All other users' Profile>\Local Settings\Temp\
    - C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <--- This will delete your internet cache, including cookies. This is recommended and strongly suggested.
    - C:\Documents and Settings\<All other users' Profile>\Local Settings\Temporary Internet Files\
    - Search all Favorites folders (see above; they will be under Local Settings for each profile) and delete any **** sites you find.
    - Empty your Recycle Bin.
    It is normal and expected that a few files in the temp folders will not delete.

    Reboot to normal mode and reenable system restore.
    Run Hijackthis to confirm you are clean.


    Use the Immunize feature in Spybot Search & Destroy and SpywareBlaster to protect your system.
    Get a trojan scanner (a-squared) and use it.
    Keep your antivirus up to date and use it.


    Ad-Aware
    Spybot
    SpywareBlaster
    a-squared
     
    Last edited: 2005/09/03
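
As an added example, not part of the original thread and not code from HijackThis or its authors, the following Python script encodes the triage oshwyn5 performs on the log above so that it can be run over any HJT log: an IE search or start page pointing at a local res:// DLL is a hijack, anything auto-started from a temp directory is suspect, one file registered in several Run/RunServices keys at once is padding its persistence, an O18 MIME filter for text/html or text/plain sees every page IE renders, and a "(no name)" BHO is a cue to inspect the file. The sample input is a subset of the log lines posted in the first message; the rule set, the temp-directory list and the three-key threshold are assumptions of this example.

```python
"""Added example: rule-based triage of HijackThis (HJT) log entries.

The rules below are this example's own assumptions, not part of HJT.
"""
import re
from collections import defaultdict

# Subset of lines copied verbatim from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C32E5D1-BCAE-4FE6-A12B-503632A27589} - C:\WINDOWS\SYSTEM\NHLM.DLL
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O18 - Filter: text/html - {851B7F7B-FEA9-41F7-90AD-A7D990FA6C43} - C:\WINDOWS\SYSTEM\NHLM.DLL
O18 - Filter: text/plain - {851B7F7B-FEA9-41F7-90AD-A7D990FA6C43} - C:\WINDOWS\SYSTEM\NHLM.DLL
"""

# 'R1 - body' / 'O4 - body': section code, then the rest of the line.
ENTRY_RE = re.compile(r"^\s*([RO]\d+)\s+-\s+(.*?)\s*$")
# First drive-letter path ending in a loadable module. The class stops at ','
# and '"' so 'C:\X\SE.DLL,DllInstall' and quoted paths with spaces both work.
PATH_RE = re.compile(r'[a-z]:\\[^,"]*?\.(?:exe|dll|ocx|ax)\b', re.I)
# Assumed temp locations; on the Win9x box in the thread it is C:\WINDOWS\TEMP.
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\")
MULTI_KEY_THRESHOLD = 3   # assumption: one file in 3+ autostart keys is abnormal


def parse_entries(log_text):
    """Return [(section, body)] for every 'R1 - ...' / 'O4 - ...' line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def extract_path(body):
    """Lower-cased first module path found in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0).lower() if m else None


def triage(log_text):
    """Return a sorted list of (reason, target) findings for an HJT log."""
    findings = set()
    keys_by_file = defaultdict(set)        # module path -> O4 keys that start it
    for section, body in parse_entries(log_text):
        path = extract_path(body)
        target = path or body
        if path and any(d in path for d in TEMP_DIRS):
            findings.add(("loads from a temp directory", path))
        if section in ("R0", "R1") and "res://" in body.lower():
            findings.add(("search/start page points at a local res:// DLL", target))
        if section == "O2" and "(no name)" in body:
            # Review cue only: Spybot's own SDHelper.dll is also nameless.
            findings.add(("BHO with no name (review)", target))
        if section == "O18":
            findings.add(("MIME filter hooks IE content", target))
        if section == "O4" and path:
            keys_by_file[path].add(body.split(":", 1)[0])   # e.g. HKLM\..\RunServices
    for path, keys in keys_by_file.items():
        if len(keys) >= MULTI_KEY_THRESHOLD:
            findings.add((f"registered in {len(keys)} autostart keys", path))
    return sorted(findings)


if __name__ == "__main__":
    for reason, target in triage(SAMPLE_LOG):
        print(f"{reason:48} {target}")
```

Run stand-alone, it produces six findings that line up with the entries the reply tells the poster to fix: se.dll in C:\WINDOWS\TEMP, outpostupdate.exe in four Run/RunServices keys, and NHLM.DLL as both a nameless BHO and the text/html and text/plain filter. The one extra hit, Spybot's SDHelper.dll, is why a nameless BHO is reported as a review item rather than a verdict.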


  4. 2005/09/04
    acidburn942 (Thread Starter)

    Thanks!

    Hey, thanks a lot!

    I've removed all the about:blank and outpostupdate stuff...
    Thanks for your help.

    But I'm still failing to detect the SCBar/SearchExe variant on my computer....
     
