about:blank, assistance required.

Discussion in 'adware, spyware & hijack cleaning' started by Thunktank, May 1, 2004.

Thread Status:
Not open for further replies.
  1. Thunktank

    Thunktank Registered Member

    Joined:
    May 1, 2004
    Posts:
    3
    It would appear I have been infected by a CWS variant; my previous attempts at removal had not allowed for a re-infection mechanism.
    I have followed the posting https://www.wilderssecurity.com/showthread.php?t=28658 regarding CWS variants and manual removal. Below is the information requested by this post; in particular I am not familiar with identifying CLSIDs. Any assistance would be gratefully received.

    HIJACKTHIS LOG:
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Wintab32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\DiskeeperLite\DKService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\ZPOINT32.exe
    C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
    C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Auction Sentry\AuctionSentry.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\paul\Data\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kolaog.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kolaog.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kolaog.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kolaog.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kolaog.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kolaog.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [ZPOINT32] C:\WINDOWS\System32\ZPOINT32.exe
    O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Auction Sentry.lnk = C:\Program Files\Auction Sentry\AuctionSentry.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O15 - Trusted Zone: http://listings.ebay.co.uk
    O15 - Trusted Zone: http://signin.ebay.co.uk
    O15 - Trusted Zone: http://www.mandp.co.uk
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    WINDOWS KEY:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs1"=""
    "AppInit_DLLs"=""


    BROWSER HELPER:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F5A0DBA0-8A9C-4B6F-A6A3-0417E7BEF4E1}]

    FILTER KEY:
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{2201DDA4-1C15-48B3-84CF-D50D62213CF0}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{2201DDA4-1C15-48B3-84CF-D50D62213CF0}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    FIND.BAT:
    C:\WINDOWS\System32\HLPBDFN.DLL +++ File read error

    On a different note, has anyone named or located the individuals responsible for this hijack? I should not say this, but if I could find a name and address for the individuals responsible I would gladly go round there and kick 100 kinds of s**t out of them (at the very least).
    Thank you for your assistance.
     
    Last edited: May 1, 2004
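    An added example, not from the thread or from HijackThis itself: a small Python triage script run over constructed excerpts shaped like the log and Filter key above. It flags R0/R1 search and start-page settings that load their page from a local DLL via res://, and PROTOCOLS\Filter entries outside the stock XP/IE6 set; that default set (DEFAULT_FILTERS) is an assumption, not something the thread states.

```python
import re

# Constructed sample input, copied in the shape of the thread's HijackThis log
# and the exported PROTOCOLS\Filter key.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kolaog.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kolaog.dll/sp.html (obfuscated)
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
"""

FILTER_KEY = r"""
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{2201DDA4-1C15-48B3-84CF-D50D62213CF0}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{2201DDA4-1C15-48B3-84CF-D50D62213CF0}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
"""

# Assumption: MIME filter names present on a stock Windows XP / IE6 install.
# A text/html or text/plain filter is not among them and deserves a closer look.
DEFAULT_FILTERS = {"Class Install Handler", "deflate", "gzip", "lzdhtml", "text/webviewhtml"}

# R0/R1 settings whose value is a page served out of a local DLL via res://
RES_DLL = re.compile(r"^R[01] - .+ = res://(.+?\.dll)/", re.IGNORECASE)
FILTER_HDR = re.compile(r"^\[HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\(.+)\]$", re.IGNORECASE)
CLSID_VAL = re.compile(r'^"CLSID"="(\{[0-9A-Fa-f-]+\})"$')


def hijacked_search_dlls(log):
    """Return the set of DLL paths that IE search/start-page settings point at."""
    return {m.group(1) for line in log.splitlines() if (m := RES_DLL.match(line.strip()))}


def unexpected_mime_filters(reg_text):
    """Map each MIME filter name outside DEFAULT_FILTERS to the CLSID it registers."""
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if (hdr := FILTER_HDR.match(line)):
            current = hdr.group(1)
        elif current and (val := CLSID_VAL.match(line)) and current not in DEFAULT_FILTERS:
            found[current] = val.group(1)
    return found


if __name__ == "__main__":
    print("search settings load from:", hijacked_search_dlls(HJT_LOG))
    print("non-default MIME filters:", unexpected_mime_filters(FILTER_KEY))
```

    The DLL paths and CLSIDs it reports are the items to check for hidden attributes and to look up before removal, which is the manual step the rest of the thread works through.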
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Download: "CopyLock" and unzip:
    http://www10.brinkster.com/expl0iter/freeatlast/CopyLock.zip

    Set up these options:
    -Check: 'Show Source paths'
    -Check: 'Allow Downgrade'

    Click the 'Add' tab->'Files to rename'
    In the 'Look in..' Dialogue box navigate to your
    C:\WINDOWS\System32 directory and stop there!
    (*you will not see the file!)
    Copy and paste into the 'File name' field:
    HLPBDFN.DLL
    Hit ->Add.
    In the result (destination) erase entire output (copy of...) and
    paste this, instead:
    HLPBDFN.DLX
    Hit 'ok' (On warning of different extension as well)
    and on the main box hit the->'Apply' tab
    **You will be asked to restart computer!
    Do so right away, next--
    navigate to System32 and delete the "XXXXXXX.DLX"
    file, as it'll be visible!

    ***ATTENTION***
    If you get "file not found" error during the process, that
    means it will not work.

    Post back when ready.

    Regards,

    Pieter
     
  3. Thunktank

    Thunktank Registered Member

    Joined:
    May 1, 2004
    Posts:
    3
    Re: about:blank, assistance required. (resolved)

    Many thanks for your response Pieter.
    I managed to fix things late last night and had not had a chance to post back to the forum. Neither CopyLock nor MoveEx worked for me. In the end I had to boot from my XP CD, command prompt only, remove the h and r attributes from the offending DLL, then delete it.

    Once again thanks for your help.

    Do you think I should start a fund to raise money for a hit man :ninja: to take out the individuals who run lop.com? I am sure lots of people would be willing to help ;)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Thunktank,

    Not sure if you are after the right people since this was CWS, but being the wonderful characters who they are, if you offer them enough money they will eliminate themselves. :D

    Good job by the way,

    Pieter
     
  5. Thunktank

    Thunktank Registered Member

    Joined:
    May 1, 2004
    Posts:
    3
    I thought CWS was a product of Lop.com. Judging by the number of forums and posts I have encountered while trying to solve my problem, there are a huge number of very pissed off victims of this kind of hijack. So I'm sure we can raise enough cash to have all of those responsible deleted.
    Do you think fundraising for this kind of activity could be classed as a charity? If so donations could be tax exempt.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I am a firm believer in education rather than retaliation.

    Killing one off won't make the internet a much safer place, it just makes room for the next vulture.

    Regards,

    Pieter
     