about:blank HijackThis log

Discussion in 'adware, spyware & hijack cleaning' started by damo, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. damo

    damo Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    7
    Hi, thanks for the great help on the boards, got yet another one for you.

    My homepage is getting redirected to about:blank (search page) and I'm getting continual popups (mostly about spyware removal!).

    Have had this problem for a week or so, tried to clean the system based on info found here which works temporarily but it reverts after a day or so. Previously found and deleted the R0/R1 entries and found and removed a dodgy .dll file, not sure what to do next.

    I've run AdAware and CWShredder (which found CWS.Searchx but not CWS.About:Blank).

    AdAware found another random .dll file which it removed on restart. Then I closed all windows and ran HijackThis, log below:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:32:30 AM, on 29/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WS_FTP Pro\ftpsched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ICO.EXE
    C:\WINDOWS\PowerS.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\D-Link AirPlus\AirPlus.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Damien Brosnan\Local Settings\Temp\Temporary Directory 9 for hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vaio-online.sony.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio-online.sony.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.50.1:3128
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRA~1\WS_FTP~1\wsbho2k0.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [PowerS] "C:\WINDOWS\PowerS.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - Global Startup: D-Link AirPlus.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F860902C-3960-4448-9E4F-7CDEF2A07200}: NameServer = 202.141.190.2,202.141.190.3


    Apart from the "R1 about:blank" entry what should I remove, and how do I prevent reinfection?

    Also, do I need to run these checks for all profiles on my system or just the admin?

    Thanks for your help
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi damo,

    Copy the contents of the bold text to Notepad.
    Name the file Appinit.bat
    Save as type *All Files*
    Save on the Desktop.

    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt


    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Post the content please.

    Regards,

    Pieter
     
  3. damo

    damo Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    7
    Thanks Pieter, content below

    regf       Pugf hbin  \ W I N D O W S \ s ¨ÿÿÿnk, ÀˆÝÎÐWÄ ÿÿÿÿ ÿÿÿÿÿÿÿÿ ø x ÿÿÿÿ 0 > M i  Windows ÿÿÿsk x x  Ô  „¸ È   ¤       !  €  !  ?          ?               Øÿÿÿvk >    fùAppInit_DLLsÖæG¸ÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ d 3 d m b l . d l l  h Ðÿÿÿvk     ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  ( ðÿÿÿ9 0  ë=tÀÐÿÿÿvk  €'   zGDIProcessHandleQuota"þàÿÿÿvk  €   °ºSpooler2ðÿÿÿy e s
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi damo,

    Use the Recovery Console to delete:
    C:\WINDOWS\System32\d3dmbl.dll

    Then use HijackThis or AdAware to fix:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    It should stay away now.

    Regards,

    Pieter
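Added example, not code from Pieter or from this thread: a Python triage script that applies the two checks made above (an R0/R1 start page forced to about:blank, and a DLL planted in AppInit_DLLs, which is how d3dmbl.dll stayed out of the HijackThis log). It works on text instead of the raw hive export: it assumes the user has saved the output of `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"` (reg.exe ships with Windows XP) and the HijackThis log, and both sample inputs below are constructed from the values quoted in the thread.

```python
import re

# Constructed sample: the two R lines and one BHO line from the HijackThis log
# posted above (not a full log).
HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://vaio-online.sony.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
"""

# Constructed sample in the shape of `reg query` output for the Windows key;
# the AppInit_DLLs value is the one the hive export in the thread revealed.
REG_QUERY = """\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
    AppInit_DLLs    REG_SZ    C:\\WINDOWS\\System32\\d3dmbl.dll
    DeviceNotSelectedTimeout    REG_SZ    15
    Spooler    REG_SZ    yes
"""


def hijacked_start_pages(log: str) -> list:
    """Return the R0/R1 lines whose value is about:blank (the CWS.About:Blank hallmark)."""
    hits = []
    for line in log.splitlines():
        if re.match(r"R[01] - ", line):
            value = line.split("=", 1)[-1].strip()
            if value.lower() == "about:blank":
                hits.append(line)
    return hits


def appinit_dlls(reg_text: str) -> list:
    """Extract every DLL path listed in AppInit_DLLs. Windows splits the value on
    spaces and commas and user32.dll loads each entry into every GUI process, so
    anything listed here deserves a look; this HijackThis version did not report it."""
    m = re.search(r"AppInit_DLLs\s+REG_(?:EXPAND_)?SZ\s*(.*)", reg_text)
    if not m:
        return []
    return [p for p in re.split(r"[ ,]+", m.group(1).strip()) if p]


def triage(log: str, reg_text: str) -> dict:
    """Combine both checks into a findings dict a helper can act on."""
    return {
        "about_blank_entries": hijacked_start_pages(log),
        "appinit_dlls": appinit_dlls(reg_text),
    }


if __name__ == "__main__":
    for key, found in triage(HJT_LOG, REG_QUERY).items():
        print(key, "->", found or "nothing")
```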
     
  5. damo

    damo Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    7
    Great Pieter, I'll try that when I get home. Will I need to run the process for each profile or will just running it on the admin profile do the trick?

    Will switching to Mozilla or similar help me prevent future problems?

    This has been really frustrating over the last few days but I really appreciate the help that you (and others on this board) are giving, keep up the great work!
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Deleting the file will help for every user account. The HomeOldSP setting will have to be fixed for every infected account.
    But about:blank will be an empty screen so much less annoying. ;)

    Using Mozilla (or Opera) makes it easier to stay safe, but I have no idea how this spreads, so no guarantees you won't get infected again.

    Regards,

    Pieter
     
  7. damo

    damo Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    7
    Pieter, the Recovery Console wouldn't let me delete the C:\WINDOWS\System32\d3dmbl.dll file (access denied). I renamed the file as a text file but it still couldn't be deleted, either in Recovery Console or through normal startup. Will the file be effectively disabled by being a .txt file, or do I still need to delete it somehow?

    Thanks
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi damo,

    Is that XP pro or Home and is your HD NTFS or FAT32 ?

    Regards,

    Pieter
     
  9. damo

    damo Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    7
    It's XP Home, NTFS drive(s).

    Thanks
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  11. damo

    damo Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    7
    Pieter, took ownership of the file, CWShredder didn't find anything though. I deleted the file, rebooted and ran AdAware, which came up with 2 CWS objects (pasted below). It looks like one was in the recycle bin and the other was just the registry entry, but this is only my take on it.

    What do you think, out of the woods or a bit to go?

    Thanks

    CoolWebSearch Object recognized!
    Type : File
    Data : dc2.txt
    Object : C:\RECYCLER\S-1-5-21-3416480375-1550823520-3096164528-500\
    FileSize : 56 KB
    Created on : 21/06/2004 8:46:14 PM
    Last accessed : 30/06/2004 2:48:10 PM
    Last modified : 21/06/2004 8:46:20 PM

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    That is hard to tell, since it could have been several CWS variants, maybe even a new one.
    But with the invisible dll out of the way and nothing left in your HijackThis log I would think you can relax (for now ~evil grin~).

    Please read: Why did I get infected in the first place

    Regards,

    Pieter
     
  13. damo

    damo Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    7
    Cool, looks ok at the moment, fingers will be crossed for the next few days. Have adjusted internet settings and installed SpywareGuard (this hasn't worked for the past few days so I'm taking it as a good sign that the installation worked this time!).

    Thanks heaps for the help with the nasty .dll and the rest of the process, good luck fighting the good fight!

    Cheers
     