about:blank HijackThis log

Hi, thanks for the great help on the boards, got yet another one for you.

My homepage is getting redirected to about:blank (search page) and I'm getting continual popups (mostly about spyware removal!)

Have had this problem for a week or so, tried to clean the system based on info found here which works temporarily but it reverts after a day or so. Previously found and deleted the R0/R1 entries and found and removed a dodgy .dll file, not sure what to do next.

I've run AdAware and CWShredder (which found CWS.Searchx but not CWS.About:Blank)

AdAware found another random .dll file which it removed on restart. Then closed all windows and ran hijack this, log below:

Logfile of HijackThis v1.97.7
Scan saved at 8:32:30 AM, on 29/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\PowerS.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Damien Brosnan\Local Settings\Temp\Temporary Directory 9 for hijackthis1977.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vaio-online.sony.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio-online.sony.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.50.1:3128
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRA~1\WS_FTP~1\wsbho2k0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [PowerS] "C:\WINDOWS\PowerS.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F860902C-3960-4448-9E4F-7CDEF2A07200}: NameServer = 202.141.190.2,202.141.190.3


Apart from the "R1 about:blank" entry what should I remove, and how do I prevent reinfection?

Also, do I need to run these checks for all profiles on my system or just the admin?

Thanks for your help

 

Hi damo,

Copy the contents of the bold text to Notepad.
Name the file Appinit.bat
Save as type *All Files*
Save on the Desktop.

Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt

Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Post the content please.

Regards,

Pieter

 

Thanks Pieter, content below

regf




Pugf hbin  \ W I N D O W S \ s ¨ÿÿÿnk, ÀˆÝÎÐWÄ
ÿÿÿÿ ÿÿÿÿÿÿÿÿ ø x ÿÿÿÿ 0 > M i  Windows ÿÿÿsk x x
Ô
„¸ È   ¤    
  !  €
  !  ? 
    
    ? 

  

  


  

 Øÿÿÿvk >


fùAppInit_DLLsÖæG¸ÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ d 3 d m b l . d l l  h
Ðÿÿÿvk  

ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  ( ðÿÿÿ9 0  ë=tÀÐÿÿÿvk  €' 
zGDIProcessHandleQuota"þàÿÿÿvk  €

°ºSpooler2ðÿÿÿy e s
Ñ_å h
à
0 ` ¨ àÿÿÿvk  €

5swapdiskÐÿÿÿvk  

. TransmissionRetryTimeoutàÿÿÿh
à
0 ` ¨ È  Ðÿÿÿvk  €' 
r USERProcessHandleQuotaC ¸ @ ¸
þ £Àj€8H78H7 
 Ìýn t d l l . d l l L L £Àj€ (î¨õ£Àj€ £Àj€ (î¨õ` £Àj€ (î¨õ£Àj€ £Àj€ (î¨õŒ~
ÿÀ}
ÿÄ}
ÿã~â 3€¨õ
¸—±áÚ¨õJ
ÿ,~
ÿÀ|¨õ*/áநõ£Àj€ (î¨õ£Àj€ (î¨õ£Àj€£Àj€ £Àj€ £Àj€ (î¨õ£Àj€ £Àj€ (î¨õD~
ÿÀráP~
ÿ ÏÅáÀ~
ÿ£Àj€ (î¨õ£Àj€ £Àj€ (î¨õ£Àj€ £Àj€ (î¨õ ”~
ÿ˜~
ÿ 3€¨õ
¸—±áÚ¨°áXXõÀ|¨õ°átY¦õ°á Xõ¯>¦õÀ~
ÿÀ—±áÏÅá¨wÆáXõ
Àuâ@ € °á °á ²á
Àuâÿÿÿÿ J ðŽ¥Tç  R¦õ¤Xõ XõǨõpXõ<Xõ

 

Hi damo,

Use the Recovery Console to delete:
C:\WINDOWS\System32\d3dmbl.dll

Then use HijackThis or AdAware to fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

It should stay away now.

Regards,

Pieter

 

Great Pieter, I'll try that when I get home. Will I need to run the process for each profile or will just running it on the admin profile do the trick?

Will switching to Mozilla or similar help me prevent future problems?

This has been really frustrating over the last few days but I really appreciate the help that you (and others on this board) are giving, keep up the great work!

 

Deleting the file will help for every user account. The HomeOldSP setting will have to be fixed for every infected account.
But about: blank will be an empty screen so much less annoying.

Using Mozilla (or Opera) makes it easier to stay safe, but I have no idea how this spreads, so no guarantees you won't get infected again.

Regards,

Pieter

 

Pieter, the Recovery Console wouldn't let me delete the C:\WINDOWS\System32\d3dmbl.dll file (access denied). I renamed the file as a text file but it still couldn't be deleted, either in Recovery Console or through normal startup. Will the file be effectively disabled by being a .txt file, or do I still need to delete it somehow.

Thanks

 

Hi damo,

Is that XP pro or Home and is your HD NTFS or FAT32 ?

Regards,

Pieter

 

It's XP Home, NTFS drive(s).

Thanks

 

Use the security tab on the file and take ownership as described here
http://support.microsoft.com/?kbid=308421

Run CWShredder immediately afterwards.
Press the fix button to clean.
Reboot.

Then run Ad-Aware too, following the instructions here: https://www.wilderssecurity.com/showthread.php?t=15913

Regards,

Pieter

 

Pieter, took ownership of the file, CWShredder didn't find anything though. I deleted the file, rebooted and ran AdAware, which came up with 2 CWS objects (pasted below). It looks like one was in the recyle bin and the other was just the registry entry, but this is only my take on it.

What do you think, out of the woods or a bit to go?

Thanks

CoolWebSearch Object recognized!
Type : File
Data : dc2.txt
Object : C:\RECYCLER\S-1-5-21-3416480375-1550823520-3096164528-500\
FileSize : 56 KB
Created on : 21/06/2004 8:46:14 PM
Last accessed : 30/06/2004 2:48:10 PM
Last modified : 21/06/2004 8:46:20 PM

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout

 

That is hard to tell, since it could have been several CWS variants, maybe even a new one.
But with the invisible dll out of the way and nothing left in your HijackThis log I would think you can relax (for now ~evil grin~).

Please read: Why did I get infected in the first place

Regards,

Pieter

 

Cool, looks ok at the moment, fingers will be crossed for the next few days. Have adjusted internet settings and installed SpywareGuard (this hasn't worked for the past few days so I'm taking it as a good sign that the installation worked this time!).

Thanks heaps for the help with the nasty .dll and the rest of the process, good luck fighting the good fight!

Cheers