#1
My homepage is www.google.com. It changed to about:blank after I updated the Yahoo toolbar. I can still change my homepage back to Google. However, after cleaning the PC with CCleaner and restarting it, the homepage reverts to about:blank again. This did not happen in the past. Any form of help will be greatly appreciated! Thanks.

According to the net, the about:blank hijacker is a variant of cw. However, Trend's cwshredder did not find anything. According to this site, http://www.securiteam.com/securityre...RP0L0UD5U.html, I should fix these entries using reglite:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

I was not able to find such entries in the PC. Instead these entries showed up (I used HijackThis):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

Adware Away 3.1.2 Trial found these 5 objects. I cannot fix them because the product is not registered.

Auto Run: HKLM\Session\PendingFileRenameOperations=\??\C:\DOCUME~1\LOCALS~1\Temp\_iu14D2N.tmp
IE UrlSearchHook(HKCU): {EF99BD32-C1FB-11D2-892F-0090271D4F88}=C:\Program Files\Yahoo\Companion\Installs\cpn01\yt.dll
IE UrlSearchHook(HKLM): DefaultUrlSearchHook Missing=
File Association: regfile=regedit.exe%1
File Association: scrfile="%1" %*

PS: My Trend Micro IS 2006 did not detect anything.

thanatos
__________________
"O miserable shadow clad in darkness! Hurting and disdaining people, a karmic soul drowning in sin... Would you try dying for once?" - Enma Ai
Last edited by thanatos_theos : June 3rd, 2007 at 06:20 AM.
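
An added example, not part of the original post and not HijackThis's own code: a small Python triage of the R0/R1 lines quoted in the post above, separating `res://` values that point into a DLL and `about:blank` values (the form of the entries the post says should be fixed) from ordinary URLs. The function names and category labels are assumptions made for illustration; the sample lines are copied from the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: four R0/R1 lines copied from the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
"""

# Line shape seen in the post: "R1 - <registry key>,<value name> = <data>"
LINE_RE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.*)$")
OBF = " (obfuscated)"  # suffix shown on some of the quoted lines

def parse_line(line):
    """Split one R-section line into fields; None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, key, name, data = m.groups()
    obfuscated = data.endswith(OBF)
    if obfuscated:
        data = data[: -len(OBF)]
    return {"section": section, "hive": key[:4], "key": key,
            "name": name, "data": data, "obfuscated": obfuscated}

def classify(data):
    """Label the value data (labels are this example's own, hypothetical)."""
    d = data.lower()
    if d.startswith("res://") and ".dll/" in d:
        return "res-dll"        # page served from inside a local DLL
    if d == "about:blank":
        return "about-blank"
    if d.startswith(("http://", "https://")):
        return "url:" + (urlsplit(d).hostname or "?")
    return "other"              # e.g. a local file such as \blank.htm

def triage(log_text):
    """Return (hive, value name, label) for every R-section line."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [(e["hive"], e["name"], classify(e["data"])) for e in entries if e]

def needs_review(log_text):
    """Only the entries shaped like the ones the post lists for fixing."""
    return [(h, n) for h, n, label in triage(log_text)
            if label in ("res-dll", "about-blank")]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
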
#2
Install and update SUPERAntiSpyware and give a full computer scan, hope that helps
oldmx
#3
@OldMX
I scanned the PC using SAS like what you said. But Adware Away still shows 4 problems. Auto Run: HKLM\Session\PendingFileRenameOperations=\??\C:\DOCUME~1\LOCALS~1\Temp\_iu14D2N.tmp is gone now. Here is the log of SuperAntiSpyware,

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/03/2007 at 02:21 PM
Application Version : 3.8.1002
Core Rules Database Version : 3248
Trace Rules Database Version: 1259
Scan type : Complete Scan
Total Scan Time : 00:25:20
Memory items scanned : 460
Memory threats detected : 0
Registry items scanned : 5762
Registry threats detected : 6
File items scanned : 27270
File threats detected : 8

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{598F4775-6FB6-477B-9842-E0426824E077}
HKCR\CLSID\{598F4775-6FB6-477B-9842-E0426824E077}
HKCR\CLSID\{598F4775-6FB6-477B-9842-E0426824E077}
HKCR\CLSID\{598F4775-6FB6-477B-9842-E0426824E077}\InprocServer32
HKCR\CLSID\{598F4775-6FB6-477B-9842-E0426824E077}\InprocServer32#ThreadingModel
C:\DOCUME~1\COMMIS~1\LOCALS~1\TEMP\~DP7.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598F4775-6FB6-477B-9842-E0426824E077}

Adware.Tracking Cookie
C:\Documents and Settings\Commission on Audit\Cookies\commission on audit@adinterax[1].txt
C:\Documents and Settings\Commission on Audit\Cookies\commission on audit@doubleclick[1].txt
C:\Documents and Settings\Commission on Audit\Cookies\commission on audit@ad.yieldmanager[2].txt
C:\Documents and Settings\Commission on Audit\Cookies\commission on audit@realmedia[1].txt
C:\Documents and Settings\Commission on Audit\Cookies\commission on audit@clicksor[2].txt
C:\Documents and Settings\Commission on Audit\Cookies\commission on audit@atdmt[1].txt
C:\Documents and Settings\Commission on Audit\Cookies\commission on audit@yadro[1].txt

DP7.dll according to Trend was ADW AGENT.MIE. SAS said it was Unknown Origin.Unclassified.BHO (not sure). They both blocked it. The SAS Complete Scan seems to have deleted it completely.

For now there are no real time notifications from Trend and SAS. I used the following repair utilities of SAS. Not sure if they were able to fix the problem.

Home Page Reset
Internet Zone Security Reset
Local Page Reset

Is Adware Away's detection of the Yahoo Toolbar a false positive? Help please.

thanatos
__________________
"O miserable shadow clad in darkness! Hurting and disdaining people, a karmic soul drowning in sin... Would you try dying for once?" - Enma Ai
#4
I scanned using Adware Away 2.2.8.9. This version allows you to fix the problems even in trial. Unfortunately, its definition is not updated; 1/16/2006. The version 2.2.8.9 fixed these things,

IE UrlSearchHook(HKCU): {EF99BD32-C1FB-11D2-892F-0090271D4F88}=C:\Program Files\Yahoo\Companion\Installs\cpn01\yt.dll
File Association: regfile=regedit.exe%1
File Association: scrfile="%1" %*

I scanned using version 3.1.2 and now only 2 problems were found,

Auto Run: HKLM\Session\PendingFileRenameOperations=\??\C:\DOCUME~1\LOCALS~1\Temp\_iu14D2N.tmp
IE UrlSearchHook(HKLM): DefaultUrlSearchHook Missing=

That is 3/5. The Auto Run: HKLM\Session\PendingFileRenameOperations=\??\C:\DOCUME~1\LOCALS~1\Temp\_iu14D2N.tmp is back again. Whenever IE is open, Adware Away always detects it. Help please... Has anyone encountered this problem also?

PS: Are there any Adware Away or Yahoo people here in the forum? Please help me.

Hoping,
thanatos
__________________
"O miserable shadow clad in darkness! Hurting and disdaining people, a karmic soul drowning in sin... Would you try dying for once?" - Enma Ai
Last edited by thanatos_theos : June 3rd, 2007 at 06:25 AM.
#5
You should have a HijackThis log read and analysed by experts for potential malware.
A very good site for that over here, http://forum.gladiator-antivirus.com...howtopic=10517

snowbound
__________________
Mac OS X 10.6.2
#6
@snowbound
Thanks snowbound. I posted a new thread in GSF regarding my problem.

thanatos
__________________
"O miserable shadow clad in darkness! Hurting and disdaining people, a karmic soul drowning in sin... Would you try dying for once?" - Enma Ai
#7
You're welcome and good luck.
snowbound
__________________
Mac OS X 10.6.2
#8
LoPhatPhuud of GSF verified that the PC is clean. Thank you LoPhatPhuud.

Thanks a lot,
thanatos
__________________
"O miserable shadow clad in darkness! Hurting and disdaining people, a karmic soul drowning in sin... Would you try dying for once?" - Enma Ai
#9
Quote:
snowbound
__________________
Mac OS X 10.6.2