about:blank hijack keeps returning; "This program has been damaged" error

Discussion in 'adware, spyware & hijack cleaning' started by Agent Smith, Apr 28, 2004.

Thread Status:
Not open for further replies.
  1. Agent Smith

    Agent Smith Guest

    I'm having the same exact problem as others in this forum are. Seems no one has yet come up with a solution. And unfortunately formatting is not an option for me. Let me explain a little further what's happening. about:blank hijack keeps returning. I'm running Windows XP. I've already run Ad-Aware, Norton AntiVirus, The Cleaner, CWShredder, HijackThis. All latest versions and updated, following random instructions found in this forum from various threads. I thought I had been able to fix the about:blank hijack using CWShredder and HijackThis but it returned the next day somehow. Also now 2 programs I've noticed so far (HyperSnap and UltraEdit) are giving me the "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." error. When using xfind it came up with kbl.dll which I tried using KillBox to delete but it is as if the file doesn't even exist. Now I know kgkhk.dll is a variant of CWS but I've removed it before and it's returned, so I'd like to try to follow an expert's instructions on the proper way of manual removal. Thanks. Here's my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:40:04 PM, on 4/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    D:\Program Files\Overnet\Overnet.exe
    D:\Program Files\The Cleaner\tca.exe
    C:\WINDOWS\System32\nvsvc32.exe
    D:\Program Files\The Cleaner\tcm.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\ORL\VNC\WinVNC.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe
    D:\Program Files\Trillian\trillian.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    D:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    D:\PROGRA~1\DAP\DAP.EXE
    D:\Program Files\NetCaptor\netcaptor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    D:\Temp\hijackthis\HijackThis.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {4F92B827-1E56-4E30-A978-A17A7861A606} - D:\Program Files\Object Desktop\WebBlinds\WebBlinds.dll
    O2 - BHO: (no name) - {6FDA18D2-81E9-4DA1-905A-FD4744934B2C} - C:\WINDOWS\System32\kgkhk.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1501.0\en-us\msntb.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Overnet] D:\Program Files\Overnet\Overnet.exe -t
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [tcactive] D:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] D:\Program Files\The Cleaner\tcm.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Aquarius Soft PC Alarm Clock Pro.lnk = C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe
    O4 - Global Startup: Trillian.lnk = ?
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Launch High Impact eMail 2.0 (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra 'Tools' menuitem: Launch High Impact eMail 2.0 (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=HFVHHR
    O16 - DPF: {5C8D0494-02F2-40E9-8EBF-07FED5919629} - http://www.goodcontacts.com/install/GoodContacts.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.0132407407
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mshitechsolutions.com
    O17 - HKLM\Software\..\Telephony: DomainName = mshitechsolutions.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mshitechsolutions.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mshitechsolutions.com
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Download this zip: http://tools.zerosrealm.com/pv.zip unzip it to the desktop.
    Be sure to have at least 1 Internet Explorer open, then double click on the runme.bat.

    select option 2 internet explorer dll and press return
    Notepad will open with a log in it

    copy & paste the contents of that log back here in a reply

    repeat with option 1 explorer dll & also post that log
     
  3. Agent Smith

    Agent Smith Guest

    Here ya go. Thanks for the help.


    Module information for 'iexplore.exe'
    MODULE BASE SIZE PATH
    iexplore.exe 400000 102400 C\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 xpsp1.020828-1920 Internet Explorer
    ntdll.dll 77f50000 684032 C\WINDOWS\System32\ntdll.dll 5.1.2600.1106 xpsp1.020828-1920 NT Layer DLL
    kernel32.dll 77e60000 942080 C\WINDOWS\system32\kernel32.dll 5.1.2600.1106 xpsp1.020828-1920 Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 xpsp1.020828-1920 Windows NT CRT DLL
    USER32.dll 77d40000 573440 C\WINDOWS\system32\USER32.dll 5.1.2600.1106 xpsp1.020828-1920 Windows XP USER API Client DLL
    GDI32.dll 77c70000 262144 C\WINDOWS\system32\GDI32.dll 5.1.2600.1106 xpsp1.020828-1920 GDI Client DLL
    ADVAPI32.dll 77dd0000 577536 C\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 xpsp1.020828-1920 Advanced Windows 32 Base API
    RPCRT4.dll 78000000 548864 C\WINDOWS\system32\RPCRT4.dll 5.1.2600.1106 xpsp1.020828-1920 Remote Procedure Call Runtime
    SHLWAPI.dll 70a70000 409600 C\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1106 xpsp1.020828-1920 Shell Light-weight Utility Library
    SHDOCVW.dll 769c0000 1351680 C\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1106 xpsp1.020828-1920 Shell Doc Object and Control Library
    Secur32.dll 76f90000 65536 C\WINDOWS\System32\Secur32.dll 5.1.2600.1106 xpsp1.020828-1920 Security Support Provider Interface
    iphlpapi.dll 76d60000 94208 C\WINDOWS\System32\iphlpapi.dll 5.1.2600.2 xpsp1.020828-1920 IP Helper API
    WS2_32.dll 71ab0000 86016 C\WINDOWS\System32\WS2_32.dll 5.1.2600.0 xpclient.010817-1148 Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 xpclient.010817-1148 Windows Socket 2.0 Helper for Windows NT
    comctl32.dll 71950000 933888 C\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 xpsp1.020828-1920 User Experience Controls Library
    SHELL32.dll 773d0000 8351744 C\WINDOWS\system32\SHELL32.dll 6.00.2800.1106 xpsp1.020828-1920 Windows Shell Common Dll
    comctl32.dll 77340000 569344 C\WINDOWS\system32\comctl32.dll 5.82 xpsp1.020828-1920 Common Controls Library
    ole32.dll 771b0000 1183744 C\WINDOWS\system32\ole32.dll 5.1.2600.1106 xpsp1.020828-1920 Microsoft OLE for Windows
    uxtheme.dll 5ad70000 212992 C\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 xpsp1.020828-1920 Microsoft UxTheme Library
    MsgPlusH.dll 10000000 1122304 C\Program Files\Messenger Plus! 2\MsgPlusH.dll 2, 54, 0, 74 Hook DLL
    comdlg32.dll 763b0000 282624 C\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 xpsp1.020828-1920 Common Dialogs DLL
    OLEAUT32.dll 77120000 569344 C\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NTTM and Windows 95TM Operating Systems
    MSCTF.dll 74720000 278528 C\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 xpsp1.020828-1920 MSCTF Server DLL
    wfx.dll 69000000 303104 D\PROGRA~1\OBJECT~1\WINDOWFX\wfx.dll 2.0 WindowFX Support DLL
    msimg32.dll 76380000 20480 C\WINDOWS\System32\msimg32.dll 5.1.2600.1106 xpsp1.020828-1920 GDIEXT Client DLL
    BROWSEUI.dll 75f80000 1032192 C\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 xpsp1.020828-1920 Shell Browser UI Library
    browselc.dll 72430000 73728 C\WINDOWS\System32\browselc.dll 6.00.2800.1106 xpsp1.020828-1920 Shell Browser UI Library
    appHelp.dll 75f40000 126976 C\WINDOWS\system32\appHelp.dll 5.1.2600.1106 xpsp1.020828-1920 Application Compatibility Client Library
    CLBCATQ.DLL 76fd0000 491520 C\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
    COMRes.dll 77050000 806912 C\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C\WINDOWS\system32\VERSION.dll 5.1.2600.0 xpclient.010817-1148 Version Checking and File Installation Libraries
    WININET.dll 76200000 622592 C\WINDOWS\system32\WININET.dll 6.00.2800.1106 xpsp1.020828-1920 Internet Extensions for Win32
    CRYPT32.dll 762c0000 569344 C\WINDOWS\system32\CRYPT32.dll 5.131.2600.1106 xpsp1.020828-1920 Crypto API32
    MSASN1.dll 762a0000 61440 C\WINDOWS\system32\MSASN1.dll 5.1.2600.0 XPClient.010817-1148 ASN.1 Runtime APIs
    cscui.dll 76620000 319488 C\WINDOWS\System32\cscui.dll 5.1.2600.1106 xpsp1.020828-1920 Client Side Caching UI
    CSCDLL.dll 76600000 110592 C\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 xpclient.010817-1148 Offline Network Agent
    SETUPAPI.dll 76670000 946176 C\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 xpsp1.020828-1920 Windows Setup API
    googletoolbar.dll 1b40000 757760 c\program files\google\googletoolbar.dll 2, 0, 108, 0 Google IE Client Toolbar
    urlmon.dll 760f0000 499712 C\WINDOWS\system32\urlmon.dll 6.00.2800.1106 xpsp1.020828-1920 OLE32 Extensions for Win32
    WSOCK32.dll 71ad0000 32768 C\WINDOWS\System32\WSOCK32.dll 5.1.2600.0 xpclient.010817-1148 Windows Socket 32-Bit DLL
    WINTRUST.dll 76c30000 176128 C\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 xpclient.010817-1148 Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 xpsp1.020828-1920 Windows NT Image Helper
    WINMM.dll 76b40000 180224 C\WINDOWS\System32\WINMM.dll 5.1.2600.1106 xpsp1.020828-1920 MCI API DLL
    serwvdrv.dll 5cd70000 28672 C\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 xpclient.010817-1148 Unimodem Serial Wave driver
    umdmxfrm.dll 5b0a0000 28672 C\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 xpclient.010817-1148 Unimodem Tranform Module
    rsaenh.dll ffd0000 143360 C\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 xpsp1.020426-1800 Microsoft Base Cryptographic Provider
    RASAPI32.DLL 76ee0000 225280 C\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 xpsp1.020828-1920 Remote Access API
    rasman.dll 76e90000 69632 C\WINDOWS\System32\rasman.dll 5.1.2600.1106 xpsp1.020828-1920 Remote Access Connection Manager
    NETAPI32.dll 71c20000 319488 C\WINDOWS\System32\NETAPI32.dll 5.1.2600.1106 xpsp1.020828-1920 Net Win32 API DLL
    TAPI32.dll 76eb0000 176128 C\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 xpsp1.020828-1920 Microsoft® WindowsTM Telephony API Client DLL
    rtutils.dll 76e80000 53248 C\WINDOWS\System32\rtutils.dll 5.1.2600.0 xpclient.010817-1148 Routing Utilities
    sensapi.dll 722b0000 20480 C\WINDOWS\System32\sensapi.dll 5.1.2600.1106 xpsp1.020828-1920 SENS Connectivity API DLL
    USERENV.dll 75a70000 675840 C\WINDOWS\system32\USERENV.dll 5.1.2600.1106 xpsp1.020828-1920 Userenv
    AcroIEHelper.dll 1f90000 36864 D\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll 6.0.0.2003040700 Adobe Acrobat IE Helper Version 6.0 for ActivieX
    SXS.DLL 75e90000 684032 C\WINDOWS\System32\SXS.DLL 5.1.2600.1106 xpsp1.020828-1920 Fusion 2.5
    FpLaunch.dll 2180000 65536 D\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll 1, 0, 0, 1 FlpLaunch Module
    ALTAVI~1.DLL 21a0000 811008 C\WINDOWS\DOWNLO~1\ALTAVI~1.DLL 1.1.1.26
    imm32.dll 76390000 114688 C\WINDOWS\System32\imm32.dll 5.1.2600.1106 xpsp1.020828-1920 Windows XP IMM32 API Client DLL
    olepro32.dll 5edd0000 106496 C\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft R OLE Property Support DLL
    WebBlinds.dll 64000000 585728 D\Program Files\Object Desktop\WebBlinds\WebBlinds.dll 0, 1, 0, 5 WebBlinds
    odcommon.dll 2870000 774144 C\Program Files\Common Files\Stardock\odcommon.dll 1.2.76 ODCommon Module
    kgkhk.dll 29a0000 53248 C\WINDOWS\System32\kgkhk.dll
    AcroIEFavClient.dll 29b0000 143360 D\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    ATL.DLL 5f3e0000 73728 D\Program Files\Adobe\Acrobat 6.0\Acrobat\ATL.DLL 3.00.8449 ATL Module for Windows NT Unicode
    MSVCP60.dll 55900000 397312 C\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft R C++ Runtime Library
    shdoclc.dll 76170000 557056 C\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 xpclient.010817-1148 Shell Doc Object and Control Library
    DAPIE.DLL 2af40000 65536 D\PROGRA~1\DAP\DAPIE.DLL 7, 0, 0, 1 DAP MSIE Integration DLL
    MFC42.DLL 6c370000 991232 D\PROGRA~1\DAP\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
    mlang.dll 74770000 585728 C\WINDOWS\System32\mlang.dll 6.00.2600.0000 xpclient.010817-1148 Multi Language Support DLL
    mswsock.dll 71a50000 241664 C\WINDOWS\system32\mswsock.dll 5.1.2600.0 xpclient.010817-1148 Microsoft Windows Sockets 2.0 Service Provider
    mslbui.dll 605d0000 32768 C\WINDOWS\System32\mslbui.dll 5.1.2600.1106 xpsp1.020828-1920 LangageBar Add In
    events.dll 2fe0000 155648 D\Program Files\Trillian\events.dll 2.0.1.112 Trillian Event Control
    MSVCR71.dll 7c340000 352256 D\Program Files\Trillian\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
    wshtcpip.dll 71a90000 32768 C\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 xpclient.010817-1148 Windows Sockets Helper DLL
    rasadhlp.dll 76fc0000 20480 C\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 xpclient.010817-1148 Remote Access AutoDial Helper
    DNSAPI.dll 76f20000 151552 C\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 xpsp1.020828-1920 DNS Client API DLL
    winrnr.dll 76fb0000 28672 C\WINDOWS\System32\winrnr.dll 5.1.2600.0 xpclient.010817-1148 LDAP RnR Provider DLL
    WLDAP32.dll 76f60000 180224 C\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 xpsp1.020828-1920 Win32 LDAP API DLL
    mshtml.dll 74810000 2846720 C\WINDOWS\System32\mshtml.dll 6.00.2800.1106 xpsp1.020828-1920 Microsoft R HTML Viewer
    msimtf.dll 746f0000 155648 C\WINDOWS\System32\msimtf.dll 5.1.2600.1106 xpsp1.020828-1920 Active IMM Server DLL
    sptip.dll 5c2c0000 245760 C\WINDOWS\ime\sptip.dll 5.1.2600.1106 xpsp1.020828-1920 SAPI5.0/CTF layer DLL
    OLEACC.dll 74c80000 180224 C\WINDOWS\System32\OLEACC.dll 4.2.5406.0 xpclient.010817-1148 Active Accessibility Core Component
    SPGRMR.DLL 3ea0000 69632 C\WINDOWS\IME\SPGRMR.DLL 5.1.2600.1106 xpsp1.020828-1920 SPTIP Grammar DLL
    msi.dll 3ec0000 2101248 C\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
    SKCHUI.DLL 4150000 372736 C\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL 1.0.1038.0 Draw Pen Tip
    msohev.dll 325c0000 73728 D\Program Files\Microsoft Office\OFFICE11\msohev.dll 11.0.5510 Microsoft Office 2003 component
    jscript.dll 75c50000 593920 C\WINDOWS\System32\jscript.dll 5.6.0.6626 Microsoft r JScript
    iepeers.dll 66e50000 241664 C\WINDOWS\System32\iepeers.dll 6.00.2800.1106 xpsp1.020828-1920 Internet Explorer Peer Objects
    WINSPOOL.DRV 73000000 143360 C\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 xpsp1.020828-1920 Windows Spooler Driver
    MSLS31.DLL 746c0000 159744 C\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
    mshtmled.dll 74cb0000 454656 C\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 xpsp1.020828-1920 Microsoft R HTML Editing Component
    actxprxy.dll 71d40000 110592 C\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 XPClient.010817-1148 ActiveX Interface Marshaling Library
    MSRATING.DLL 5ff20000 143360 C\WINDOWS\System32\MSRATING.DLL 6.00.2800.1106 xpsp1.020828-1920 Internet Ratings and Local User Management DLL
    msratelc.dll 5ff50000 69632 C\WINDOWS\System32\msratelc.dll 6.00.2600.0000 xpclient.010817-1148 Internet Ratings and Local User Management DLL
    vbscript.dll 73300000 479232 C\WINDOWS\System32\vbscript.dll 5.6.0.7426 Microsoft r VBScript
    MPR.dll 71b20000 69632 C\WINDOWS\system32\MPR.dll 5.1.2600.0 xpclient.010817-1148 Multiple Provider Router DLL
    drprov.dll 75f60000 24576 C\WINDOWS\System32\drprov.dll 5.1.2600.0 xpclient.010817-1148 Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 53248 C\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 xpsp1.020828-1920 Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C\WINDOWS\System32\NETUI0.dll 5.1.2600.0 xpclient.010817-1148 NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C\WINDOWS\System32\NETUI1.dll 5.1.2600.0 xpclient.010817-1148 NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C\WINDOWS\System32\NETRAP.dll 5.1.2600.0 xpclient.010817-1148 Net Remote Admin Protocol DLL
    SAMLIB.dll 71bf0000 69632 C\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 xpsp1.020828-1920 SAM Library DLL
    davclnt.dll 75f70000 36864 C\WINDOWS\System32\davclnt.dll 5.1.2600.0 xpclient.010817-1148 Web DAV Client DLL
    mswmdm.dll 5360000 262144 C\WINDOWS\System32\mswmdm.dll 9.0.1.56 Windows Media Device Manager Core
    WMVCore.DLL 8530000 2084864 C\WINDOWS\System32\WMVCore.DLL 9.00.00.2980 built by lab03_devbld4act Windows Media Playback/Authoring DLL
    WMASF.DLL 7260000 233472 C\WINDOWS\System32\WMASF.DLL 9.00.00.2980 built by lab03_devbld4act Windows Media ASF DLL
    wmdmlog.dll 5320000 40960 C\WINDOWS\System32\wmdmlog.dll 9.0.1.56 Windows Media Device Manager Logger
    wmdmps.dll 5330000 36864 C\WINDOWS\System32\wmdmps.dll 9.0.1.56 Windows Media Device Manager Proxy Stub
    sti.dll 73ba0000 73728 C\WINDOWS\System32\sti.dll 5.1.2600.1106 xpsp1.020828-1920 Still Image Devices client DLL
    CFGMGR32.dll 74ae0000 28672 C\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 xpclient.010817-1148 Configuration Manager Forwarder DLL
    webcheck.dll 74b30000 266240 C\WINDOWS\System32\webcheck.dll 6.00.2800.1106 xpsp1.020828-1920 Web Site Monitor
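    An added Python example (not part of the thread and not the pv tool's own code) that automates the check the moderator is doing by eye on the listing above: parse each module line of the pv output into name, base, size, path and the trailing version/description, then flag modules that carry no version resource at all, ranking those that sit in the Windows system directory highest, since OS-supplied DLLs there almost always have one. The sample listing is a constructed subset of the lines posted above; the column layout (name, hex base, decimal size, path, then optional version and description) is assumed from that output.

```python
import re

# Constructed sample: a subset of the pv.zip module listing posted above,
# kept in the same column layout (paths in that output have no drive colon).
SAMPLE_LISTING = r"""Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 xpsp1.020828-1920 Internet Explorer
ntdll.dll 77f50000 684032 C\WINDOWS\System32\ntdll.dll 5.1.2600.1106 xpsp1.020828-1920 NT Layer DLL
MsgPlusH.dll 10000000 1122304 C\Program Files\Messenger Plus! 2\MsgPlusH.dll 2, 54, 0, 74 Hook DLL
ALTAVI~1.DLL 21a0000 811008 C\WINDOWS\DOWNLO~1\ALTAVI~1.DLL 1.1.1.26
kgkhk.dll 29a0000 53248 C\WINDOWS\System32\kgkhk.dll
AcroIEFavClient.dll 29b0000 143360 D\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
"""

# name, hex base address, decimal size, then everything else (path + optional version info).
LINE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F]+)\s+(\d+)\s+(.+)$")


def parse_module_line(line):
    """Split one listing line into a dict, or return None for header/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, base, size, rest = m.groups()
    # The path contains spaces, so locate its end by finding "\<module name>".
    idx = rest.lower().find("\\" + name.lower())
    if idx < 0:
        return None
    end = idx + 1 + len(name)
    return {
        "name": name,
        "base": int(base, 16),
        "size": int(size),
        "path": rest[:end],
        "info": rest[end:].strip(),   # version string and description, if any
    }


def parse_listing(text):
    return [p for p in (parse_module_line(l) for l in text.splitlines()) if p]


def in_system_dir(path):
    """True for modules loaded from the Windows system directory."""
    return "\\windows\\system32\\" in path.lower()


def modules_without_version(text):
    """Modules whose line carries no version resource or description at all."""
    return [p for p in parse_listing(text) if not p["info"]]


def triage(text):
    """Return (name, path, reason) tuples, system-directory hits first."""
    hits = []
    for p in modules_without_version(text):
        reason = "no version resource" + (", in system dir" if in_system_dir(p["path"]) else "")
        hits.append((p["name"], p["path"], reason))
    hits.sort(key=lambda h: ("in system dir" not in h[2], h[0].lower()))
    return hits


if __name__ == "__main__":
    for name, path, reason in triage(SAMPLE_LISTING):
        print(f"{name:24} {reason:40} {path}")
```

    The absence of a version resource is a weak signal on its own (AcroIEFavClient.dll lands in the same bucket here), which is why the ranking also looks at where the module was loaded from; an unversioned DLL in System32 that no installed product accounts for is the kind of entry worth cross-checking against the HijackThis log.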
     
  4. Agent Smith

    Agent Smith Guest

  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    No sign of the usual hidden DLLs that reinstall it.
    See if this helps.
    To see if we can prevent the CWS hijackers reinfecting you, try this:
    a workaround seems to be to install a good firewall (lists here http://www.wilders.org/firewalls.htm) if you haven't already got one, and block these ranges of ports, both incoming and outgoing: 209.66.114.0-209.66.115.255 and 81.211.105.0-81.211.105.255.
    That stops the known CWS servers responding or the hidden files on your computer updating. This works sometimes but not always, but it's a help. The problem with this approach is that some good sites might also be blocked.
    Then, when we have a guaranteed working cure for it, we can advise how to fully remove it.


    First download CWshredder from https://www.wilderssecurity.com/showthread.php?t=14086

    boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {6FDA18D2-81E9-4DA1-905A-FD4744934B2C} - C:\WINDOWS\System32\kgkhk.dll
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {5C8D0494-02F2-40E9-8EBF-07FED5919629} - http://www.goodcontacts.com/install/GoodContacts.cab

    Now run CWShredder
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.


    Reboot After running cwshredder and as soon as possible follow this advice:
    Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    then
    Reboot normally

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R300 28.04.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
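    An added Python example (not from the thread and not HijackThis's own code) that reproduces the selection the moderator made from the log above: read HijackThis R0/R1 and O2 lines, treat any IE search or start-page value served from a res:// DLL resource as the hijack, and then collect every R entry pointing at that DLL, the about:blank start-page entries that accompany it, and the O2 BHO entry that loads the same DLL. The sample log is a constructed subset of the posted log plus a benign Google toolbar BHO and an O4 line, so the example shows what is left untouched; the idea that about:blank entries are only suspicious alongside a res:// DLL hijack is this example's own heuristic.

```python
import re

# Constructed sample: a subset of the HijackThis log posted above, plus one
# benign BHO and one O4 autorun line that must not be selected.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgkhk.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {6FDA18D2-81E9-4DA1-905A-FD4744934B2C} - C:\WINDOWS\System32\kgkhk.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

# A log with a user-chosen blank start page and no res:// hijack.
CLEAN_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
"""

# R0-R3: "<type> - <registry key>,<value name> = <value>"
R_RE = re.compile(r"^(R[0-3]) - ([^,]+),([^=]+?) = (.*)$")
# O2: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# A search/start page served out of a DLL's resource section.
RES_DLL_RE = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)


def find_hijack_entries(log_text):
    """Return the DLLs hosting res:// pages and the log lines tied to them."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]

    # Pass 1: which DLLs are serving IE's search/start pages from a resource?
    hijack_dlls = set()
    for line in lines:
        m = R_RE.match(line)
        if m:
            res = RES_DLL_RE.match(m.group(4).strip())
            if res:
                hijack_dlls.add(res.group(1).lower())
    if not hijack_dlls:
        return {"dlls": [], "entries": []}

    # Pass 2: collect every entry that belongs to that hijack.
    entries = []
    for line in lines:
        m = R_RE.match(line)
        if m:
            value = m.group(4).strip()
            res = RES_DLL_RE.match(value)
            # about:blank is only treated as part of the hijack because a
            # res:// DLL was found in the same log (heuristic of this example).
            if (res and res.group(1).lower() in hijack_dlls) or value.lower() == "about:blank":
                entries.append(line)
            continue
        m = O2_RE.match(line)
        if m and m.group(3).strip().lower() in hijack_dlls:
            entries.append(line)
    return {"dlls": sorted(hijack_dlls), "entries": entries}


if __name__ == "__main__":
    result = find_hijack_entries(SAMPLE_LOG)
    print("DLLs hosting the hijack:", result["dlls"])
    print("Entries to tick in HijackThis:")
    for e in result["entries"]:
        print("  " + e)
```

    Keying the selection on the res:// DLL rather than on about:blank alone is what keeps a legitimately blank home page out of the fix list; the BHO line is pulled in because it loads the very DLL the search entries point at, which is the usual way these entries come back after a reboot.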
     