about:blank homepage keeps returning

Discussion in 'adware, spyware & hijack cleaning' started by Fuse, Apr 25, 2004.

Thread Status:
Not open for further replies.
  1. Fuse

    Fuse Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    11
    Hi, I'm sure you've heard this problem countless times, but I now seem to be infected with it, and it doesn't want to go away! I've managed to get rid of it for a short period using CWShredder, but within 24 hours the problem has returned and my homepage has been reset to about:blank.

    I've followed the instructions and ran a full scan using Ad-Aware and Spybot, and removed anything that was flagged up there. Below is a copy of the Hijackthis log I've just ran.

    Any help on eliminating this problem would be greatly appreciated, as it's starting to drive me crazy!



    Logfile of HijackThis v1.97.7
    Scan saved at 17:35:29, on 25/04/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\WLAN\802.11 Wireless LAN\WWlanMonitor.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Matlab\webserver\bin\win32\matlabserver.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\UGS180\plot\ugiipqd.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\PCUSER\Desktop\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O1 - Hosts: 65.120.116.173 lite.aimster.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WLAN Monitor Utility.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.58-big/GoogleNav.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Please download pv.zip.

    Unzip it to the desktop. It will not work if you run it from inside the zip.

    when its unzipped go to the desktop,and open the pv folder. Double click on the runme.bat

    A dos window will open. Please select option 1 for explorer dll's by typing 1 and then pressing enter.

    Notepad will open with a log in it. Please copy and paste the log into this post.
     
  3. Fuse

    Fuse Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    11
    Thanks for the reply, I've pasted log below, hope it provides a few answers!


    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2600.0000 (xpclient.010817-114:cool: Windows Explorer
    ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-114:cool: NT Layer DLL
    kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-114:cool: Windows NT CRT DLL
    ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-114:cool: Advanced Windows 32 Base API
    RPCRT4.dll 77cc0000 479232 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.0 (XPClient.010817-114:cool: Remote Procedure Call Runtime
    GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-114:cool: GDI Client DLL
    USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows XP USER API Client DLL
    SHLWAPI.dll 772d0000 405504 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2600.0000 (xpclient.010817-114:cool: Shell Light-weight Utility Library
    SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-114:cool: Windows Shell Common Dll
    ole32.dll 771b0000 1155072 C:\WINDOWS\system32\ole32.dll 5.1.2600.0 (XPClient.010817-114:cool: Microsoft OLE for Windows
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2600.0000 (xpclient.010817-114:cool: Shell Browser UI Library
    SHDOCVW.dll 769c0000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2600.0000 (xpclient.010817-114:cool: Shell Doc Object and Control Library
    UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-114:cool: Microsoft UxTheme Library
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-114:cool: Security Support Provider Interface
    iphlpapi.dll 76d60000 86016 C:\WINDOWS\System32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-114:cool: IP Helper API
    netman.dll 76de0000 155648 C:\WINDOWS\System32\netman.dll 5.1.2600.0 (xpclient.010817-114:cool: Network Connections Manager
    MPRAPI.dll 76d40000 90112 C:\WINDOWS\System32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows NT MP Router Administration DLL
    ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-114:cool: ADs Router Layer DLL
    adsldpc.dll 76e10000 147456 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.0 (xpclient.010817-114:cool: ADs LDAP Provider C DLL
    NETAPI32.dll 71c20000 323584 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.0 (xpclient.010817-114:cool: Net Win32 API DLL
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-114:cool: Win32 LDAP API DLL
    ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
    rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-114:cool: Routing Utilities
    SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-114:cool: SAM Library DLL
    SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Setup API
    RASAPI32.dll 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.dll 5.1.2600.0 (xpclient.010817-114:cool: Remote Access API
    rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.0 (xpclient.010817-114:cool: Remote Access Connection Manager
    WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Socket 2.0 Helper for Windows NT
    TAPI32.dll 76eb0000 172032 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.0 (xpclient.010817-114:cool: Microsoft® Windows(TM) Telephony API Client DLL
    WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-114:cool: MCI API DLL
    WZCSvc.DLL 76da0000 196608 C:\WINDOWS\System32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-114:cool: Wireless Zero Configuration Service
    WMI.dll 76d30000 16384 C:\WINDOWS\System32\WMI.dll 5.1.2600.0 (XPClient.010817-114:cool: WMI DC and DP functionality
    DHCPCSVC.DLL 76d80000 106496 C:\WINDOWS\System32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-114:cool: DHCP Client Service
    DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-114:cool: DNS Client API DLL
    CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-114:cool: Crypto API32
    MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-114:cool: ASN.1 Runtime APIs
    WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Terminal Server SDK APIs
    WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.0 (xpclient.010817-114:cool: Winstation Library
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-114:cool: User Experience Controls Library
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-114:cool: Common Controls Library
    appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-114:cool: Application Compatibility Client Library
    CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-114:cool: Version Checking and File Installation Libraries
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-114:cool: Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-114:cool: Offline Network Agent
    themeui.dll 5b630000 458752 C:\WINDOWS\System32\themeui.dll 6.00.2600.0000 (xpclient.010817-114:cool: Windows Theme API
    MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.0 (xpclient.010817-114:cool: GDIEXT Client DLL
    wininet.dll 76200000 618496 C:\WINDOWS\system32\wininet.dll 6.00.2600.0000 (xpclient.010817-114:cool: Internet Extensions for Win32
    USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-114:cool: Userenv
    ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-114:cool: Shell extensions for sharing
    msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer
    LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Volume Tracking
    NETSHELL.dll 75cf0000 1638400 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.0 (xpclient.010817-114:cool: Network Connections Shell
    credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.0 (xpclient.010817-114:cool: Credential Manager User Interface
    webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-114:cool: Web Site Monitor
    stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.0 (xpclient.010817-114:cool: Systray shell service object
    BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-114:cool: Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-114:cool: Power Profile Helper DLL
    MSH_ZWF.dll 61220000 73728 C:\Program Files\Microsoft Hardware\Mouse\MSH_ZWF.dll 4.10.0851.0 Microsoft IntelliPoint
    POINT32.dll 61210000 61440 C:\Program Files\Microsoft Hardware\Mouse\POINT32.dll 4.10.0851.0 Microsoft IntelliPoint
    urlmon.dll 760f0000 491520 C:\WINDOWS\system32\urlmon.dll 6.00.2600.0000 (xpclient.010817-114:cool: OLE32 Extensions for Win32
    MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-114:cool: Multiple Provider Router DLL
    drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-114:cool: Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-114:cool: Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-114:cool: NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-114:cool: NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-114:cool: Net Remote Admin Protocol DLL
    davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-114:cool: Web DAV Client DLL
    printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.0 (XPClient.010817-114:cool: Print UI DLL
    WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-114:cool: Windows Spooler Driver
    CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-114:cool: Configuration Manager Forwarder DLL
    SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-114:cool: Fusion 2.5
    browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-114:cool: Shell Browser UI Library
    nzdd.dll 11000000 1159168 C:\WINDOWS\System32\nzdd.dll 4.0.0.42 RealDownload
    comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-114:cool: Common Dialogs DLL
    WSOCK32.dll 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Socket 32-Bit DLL
    DUSER.dll 6c1b0000 274432 C:\WINDOWS\System32\DUSER.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows DirectUser Engine
    shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-114:cool: Shell Doc Object and Control Library
    wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-114:cool: WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-114:cool: Microsoft Sound Mapper
    MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-114:cool: Microsoft ACM Audio Filter
    midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-114:cool: Microsoft MIDI Mapper
    zipfldr.dll 73380000 331776 C:\WINDOWS\System32\zipfldr.dll 6.00.2600.0000 (xpclient.010817-114:cool: Compressed (zipped) Folders
    rarext.dll 3c90000 167936 C:\Program Files\WinRAR\rarext.dll
    NavShExt.dll 10000000 106496 C:\Program Files\Norton AntiVirus\NavShExt.dll 8.07.17 Norton AntiVirusNAVShellExt Module
    MSVCP60.dll 76080000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
    AcroIEHelper.ocx ee0000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
    msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
    WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-114:cool: Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-114:cool: Windows NT Image Helper
    rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
    asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
    MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
    wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
    ScrTrust.dll 4370000 53248 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrTrust.dll 1, 1, 0, 126 ScriptBlocking Trust Verifier
    MCPS.DLL 365a0000 86016 C:\PROGRA~1\MICROS~2\Office10\MCPS.DLL 10.0.2625 Media Catalog Proxy/Stub
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Fuse,

    Start with the following:
    Go here:
    http://www10.brinkster.com/expl0iter/freeatlast/PVtool.htm
    And download "Xfind.zip" from there.
    Unzip, run the 'find.bat' inside.
    Wait till it terminates and find 'log.txt' inside which
    you'd need to copy&paste into your next reply.

    Regards,

    Pieter
     
  5. Fuse

    Fuse Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    11
    Hi, I did as you asked and ran the program. All the log showed was the following line, hope it helps.

    C:\WINDOWS\SYSTEM32\WINIJC.DLL +++ File read error


    Thanks for your help in solving my problem.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    OK this is where it gets complicated.
    Next, do this:
    open the registry from Start > Run > type regedit > OK
    And navigate to this key:
    HKEY_CLASSES_ROOT\PROTOCOLS\Filter
    RightClick the 'filter' key, choose 'export' name it and save in location of choice

    Lastly, navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\Explorer\
    Browser Helper Objects
    Export that Subfolder the same way.
    And proceed to do the following:

    RightClick Security/permissions on 'Browser Helper Objects'
    in 'advanced, de-select (uncheck) the
    "inherit from parent...permissions" lower box.
    Hit ok' and 'remove' on next prompts.

    That will prevent it from spreading further.

    Into your next reply, navigate to the .reg files
    you saved, RightClick each -> open them in notepad and copy the
    contents and post here.

    Regards,

    Pieter
     
  7. streathamp

    streathamp Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    7
    Hi,
    I also have the same problem with about: blank returning. I have left HJT logs in a different thread called 'Recurring about: blank homepage is really strange'. Should I do what you have asked Fuse to do in Regedit (in which case, I don't know how to 'navigate to the .reg files that were saved')? Or should I just leave this thread and wait until I get a reply in my own thread?

    Sorry, I don't know what the etiquette is for these forums and I want to get rid of about: blank ASAP. Thanks

    Streathamp
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Streathamp,

    Please stick to your own thread as not to confuse the person whose thread you are posting in, the helpers and yourself.
    Not every CWS infection is the same, no matter how much alike they may look.

    Regards,

    Pieter
     
  9. Fuse

    Fuse Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    11
    I've copied the registry sections you mentioned below:

    Filter

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"



    Help Objects

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}]
     
  10. Fuse

    Fuse Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    11
    By the way, I don't know if this is a symptom of the trojan or not, but in the last couple of days my system seems to be dying a death! Programs started refusing to load, stating a lack of memory (I have 1gb of RAM incidentally). When viewing the system performance it seemed the PF file was a whopping 1.61gb in size, despite there apparently being no programs running at the time!

    Is this a symptom of the trojan I have, or is it just an unfortunate coincidence that it has appeared at the same time?
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Fuse,

    Not sure if your memory problem is related. I did not run this malware very long on my computer, but it did slow it down notably.

    Now, first run AdAware as described in this post:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Then

    Download and unzip: "CopyLock"
    http://www10.brinkster.com/expl0iter/freeatlast/CopyLock.zip

    set up these options:
    -Check- 'Show Source paths'
    -Check: 'Allow Downgrade'

    Click the 'Add' tab->'Files to rename'
    In the 'Look in..' Dialogue box navigate to your
    C:\WINDOWS\System32 directory and stop there!
    (*you will not see the file!)
    Copy and paste into the 'File name' field:
    WINIJC.DLL
    Hit ->Add.
    In the result (destination) erase entire output (copy of...) and
    paste this, instead:
    WINIJC.DLX
    Hit 'ok' (On warning of different extension as well)
    and on the main box hit the->'Apply' tab
    **You will be asked to restart computer!
    Do so right away, next--
    navigate to System32 and delete the "WINIJC.DLX"
    file, as it'll be visible!

    ***ATTENTION***
    If you get "file not found" error during the process, that
    means it will not work. Report back if that happens.

    Post a new HijackThis log when you are done please.

    Regards,

    Pieter
     
  12. Fuse

    Fuse Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    11
    I'm afraid I got the "File not found" message when I tried to add the file. Where should I go from here?
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    The about: blank you are getting is that a empty page or is it hijacked?

    Regards,

    Pieter
     
  14. Fuse

    Fuse Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    11
    The page that appears is some sort of search engine site. There's an index of about 30 categories down the side, and the bulk of the page is a directory of sites arranged under category headings.
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    That calls for a different approach then.

    In the pv folder run runme.bat agian.
    This time use option 7

    Then download, unzip and run:
    http://download.broadbandmedic.com/VbStuff/KillBox.zip

    In the "Paste Full Path of File to Delete" box, copy and paste the following:

    c:\windows\system32\WINIJC.DLL

    Note: One will not find the malicious core .dll if one searches for it using
    windows explorer or the file search engine. It is hidden, so that is why the copy and paste part is important.

    IMPORTANT: Click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". Then it should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

    Run CWShredder again and AdAware as described here https://www.wilderssecurity.com/showthread.php?t=15913

    Post back with a new HijackThis log.

    Regards,

    Pieter
     
  16. Fuse

    Fuse Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    11
    Thanks once again for the reply. I'm currently away from my appartment for a few days, but when I get back on Wednesday I'll try what you've suggested and let you know how it goes.
     
  17. Fuse

    Fuse Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    11
    I've done as you suggested, and my new Hijackthis log now looks like this:

    Logfile of HijackThis v1.97.7
    Scan saved at 18:02:50, on 05/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Matlab\webserver\bin\win32\matlabserver.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\UGS180\plot\ugiipqd.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\WLAN\802.11 Wireless LAN\WWlanMonitor.exe
    C:\Documents and Settings\PCUSER\Desktop\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O1 - Hosts: 65.120.116.173 lite.aimster.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WLAN Monitor Utility.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.58-big/GoogleNav.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
     
  18. Fuse

    Fuse Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    11
    It seems this hasn't cured the problem. The homepage was reset again when I loaded my computer up last night. Any more suggestions on things I could try to eliminate it from my system?
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Only one more thing you can try, but you will have to boot to DOS or to the Recovery Console (using your Windows CD) if you are not on a multi-boot system. Then delete the (normally invisible) dll from there and use AdAware to clean up the rest.
    Next get a firewall and make sure your computer can never connect to any CWS sites ever again.

    Regards,

    Pieter
     
  20. Fuse

    Fuse Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    11
    I tried going to the recovery console to remove the offending .dll file, but I was greeted with the Access Is Denied message when I tried to delete it. Though I'm loathe to do it, I guess my only option is a complete system format....?
     
Thread Status:
Not open for further replies.