Browser popup "Your pc has been infected with spyware", SpywareBlaster failure

Discussion in 'adware, spyware & hijack cleaning' started by faustnomad, Jul 6, 2004.

Thread Status:
Not open for further replies.
  1. faustnomad

    faustnomad Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    5
    Hello, help!!! This "about:blank" hijack keeps COMING BACK!!!

    Hello there, I've recently been malware-clean, but recently... sigh.

    (1) Yesterday (5-July), my brother told me of some search thing coming up. I already had my browser's homepage at about:blank... this one kept the "about:blank" in the address bar, but the display is the typical search crap. When connected to the Internet, it will pop up a new window, with an image and message, "Your browser has been infected with spyware! Click here for spyware removal software". I have seen 2 different types of message so far.

    I ran Ad-Aware, and cleaned the following:

    <----->
    ArchiveData(auto-quarantine- 05-07-2004 18-48-13.bckp)
    =====================================

    POSSIBLE BROWSER HIJACK ATTEMPT
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[1]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[2]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[3]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[4]=RegData : Software\Microsoft\Internet Explorer\Search
    obj[5]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[6]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[7]=RegData : Software\Microsoft\Internet Explorer\Search

    COOLWEBSEARCH
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[8]=RegKey : CLSID\{F91027B1-1030-415D-8885-7AD9D4AE4799}
    obj[9]=RegKey : CLSID\{FB1DA0FA-AD69-4C95-8925-1A61F9CA0792}
    obj[10]=RegKey : PROTOCOLS\Filter\text/html
    obj[11]=RegKey : PROTOCOLS\Filter\text/plain
    obj[12]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB1DA0FA-AD69-4C95-8925-1A61F9CA0792}
    obj[13]=RegValue : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    obj[14]=File : c:\windows\system32\okap.dll
    obj[15]=File : c:\docume~1\home\locals~1\temp\sp.html

    <----->

    Then I rebooted, and everything seemed fine. Did not restart any more yesterday; used it for about 3-4 hours.

    Today the same browser hijack came again, with the same popups! This time, running Ad-Aware again:-

    <----->
    ArchiveData(auto-quarantine- 06-07-2004 18-08-02.bckp)
    =====================================

    POSSIBLE BROWSER HIJACK ATTEMPT
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[1]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[2]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[3]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[4]=RegData : Software\Microsoft\Internet Explorer\Search
    obj[5]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[6]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[7]=RegData : Software\Microsoft\Internet Explorer\Search

    COOLWEBSEARCH
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[8]=File : c:\windows\system32\nhnfnba.dll
    <----->


    I restarted and ran HijackThis. It gave me some "Error#5", but continued scanning. Here's the log:-

    <----->
    Logfile of HijackThis v1.98.0
    Scan saved at 7:07:24 pm, on 2004-07-06
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\AntiSpy\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {52D795C1-8688-487D-89DC-91BA47602F77} - C:\WINDOWS\System32\nhnfnba.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O18 - Filter: text/html - {3498C2BA-77AF-42F9-809E-58F343BEBFD6} - C:\WINDOWS\System32\nhnfnba.dll
    O18 - Filter: text/plain - {3498C2BA-77AF-42F9-809E-58F343BEBFD6} - C:\WINDOWS\System32\nhnfnba.dll
    <----->

    Another thing: I noticed that my internet connection seems to be sending/receiving even while I'm typing this right now...


    (2) I tried to use SpywareBlaster yesterday after seeing the above problems. Oddly, it gave me:

    "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it."

    I uninstalled, and reinstalled, rebooted. Same problem.


    (3) I was going through some text files, and Windows told me it cannot find the program notepad.exe. I typed C:\windows\notepad.exe and it worked. Possible thing? And I found a notepad.exe.bak too, which I have since renamed back.

    Please advise me on above problems. Thank you.
     
    Last edited: Jul 17, 2004
  2. faustnomad

    I ran HijackThis again, and this time it ran fine:-

    <->
    Logfile of HijackThis v1.98.0
    Scan saved at 11:08:26 am, on 2004-07-07
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\AntiSpy\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1146D42E-F39E-45E8-8196-413BD5341F81} - C:\WINDOWS\System32\dhahjba.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O18 - Filter: text/html - {120AF0D2-7F04-433D-8EC6-56F1A3717E3D} - C:\WINDOWS\System32\dhahjba.dll
    O18 - Filter: text/plain - {120AF0D2-7F04-433D-8EC6-56F1A3717E3D} - C:\WINDOWS\System32\dhahjba.dll
    <->

    [Edit] I ran BHODemon, and it showed me a Browser Helper Object called "dhahjba.dll" (similar to the above log). The program pointed to a registry entry, which I deleted. But it came back right after! So, I found the .dll itself and renamed it. Tried deleting the registry entry; so far so good, the browser hijack seems to be 'off' now. But I suppose this is like a manual Ad-Aware move. Have restarted once, it didn't come back yet.

    [Edit2(8-July)] SpywareBlaster is now at version 3.2 (mine was 3.1) which now works! But the bug would still be somewhere - I don't want more CWS coming in!

    [Edit3] dhahjba.dll came back...
     
    Last edited: Jul 8, 2004
  3. faustnomad

    [[ bump ]]
     
  4. faustnomad

    [[ Bump ]]

    Update: the dhahjba.dll entries in the HijackThis log have been replaced by these:

    O18 - Filter: text/html - {337CF6F4-1D09-450C-9894-280B9572CE7D} - C:\WINDOWS\System32\ijl.dll
    O18 - Filter: text/plain - {337CF6F4-1D09-450C-9894-280B9572CE7D} - C:\WINDOWS\System32\ijl.dll

    The file size (compared with dhahjba) is the SAME. Contents (in Notepad) seem the same too.

    (I did a search on Google; ijl.dll is also the name of some Intel USB thing which I have not installed... smart spyware, eh?...)
     
    Last edited: Jul 11, 2004
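As an added illustration (not part of faustnomad's posts, and not code from HijackThis or Ad-Aware), the Python script below parses the kind of lines quoted in posts #1, #2 and #4 and flags what this CWS about:blank variant leaves behind: an O18 protocol filter on text/html and text/plain, a nameless O2 BHO whose DLL sits in System32, R0/R1 search values pointing at a file:// URL under Temp, and the O6 restrictions policy. It then follows the text/html filter across the three logs so the DLL-name churn (nhnfnba.dll, dhahjba.dll, ijl.dll, each with a fresh CLSID) is surfaced instead of being noticed by eye. The log excerpts inside it are constructed from the entries quoted in the thread (the post #2 excerpt keeps only a subset of the R1 lines); the tag names and the rule that any text/html or text/plain O18 filter is suspect are this example's own assumptions.

```python
"""Flag the CoolWebSearch about:blank indicators seen in this thread in
HijackThis-style log text, and track the filter DLL across successive logs.
Tag names and the rules below are this example's own, not HijackThis logic."""
import re

O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
R_RE = re.compile(r"^R[01] - (?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.+)$")
O6_RE = re.compile(r"^O6 - (?P<key>.+) present$")
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\", re.I)
LINE_KINDS = (("O18", O18_RE), ("O2", O2_RE), ("R", R_RE), ("O6", O6_RE))

# Constructed excerpts of the three logs quoted in posts #1, #2 and #4
# (only the lines relevant here; post #4 only gave the two O18 lines).
LOGS = [
    ("post #1, 2004-07-06", r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {52D795C1-8688-487D-89DC-91BA47602F77} - C:\WINDOWS\System32\nhnfnba.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O18 - Filter: text/html - {3498C2BA-77AF-42F9-809E-58F343BEBFD6} - C:\WINDOWS\System32\nhnfnba.dll
O18 - Filter: text/plain - {3498C2BA-77AF-42F9-809E-58F343BEBFD6} - C:\WINDOWS\System32\nhnfnba.dll
"""),
    ("post #2, 2004-07-07", r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {1146D42E-F39E-45E8-8196-413BD5341F81} - C:\WINDOWS\System32\dhahjba.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O18 - Filter: text/html - {120AF0D2-7F04-433D-8EC6-56F1A3717E3D} - C:\WINDOWS\System32\dhahjba.dll
O18 - Filter: text/plain - {120AF0D2-7F04-433D-8EC6-56F1A3717E3D} - C:\WINDOWS\System32\dhahjba.dll
"""),
    ("post #4 excerpt", r"""
O18 - Filter: text/html - {337CF6F4-1D09-450C-9894-280B9572CE7D} - C:\WINDOWS\System32\ijl.dll
O18 - Filter: text/plain - {337CF6F4-1D09-450C-9894-280B9572CE7D} - C:\WINDOWS\System32\ijl.dll
"""),
]


def parse_hjt(text):
    """Return (kind, fields) for every line matching one of the patterns above."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in LINE_KINDS:
            m = rx.match(line)
            if m:
                entries.append((kind, m.groupdict()))
                break
    return entries


def dll_name(path):
    """Basename of the module, minus the '(file missing)' note HijackThis appends."""
    return path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1].lower()


def analyze(entries):
    """Return (tag, message) findings for the CWS indicators in one log."""
    findings = []
    for kind, f in entries:
        if kind == "O18" and f["mime"] in ("text/html", "text/plain"):
            # A filter on these MIME types sees every page IE renders; that is the
            # hook the about:blank variant uses to inject its search page and popups.
            findings.append(("MIME_FILTER", f"{f['mime']} filtered through {dll_name(f['path'])} {f['clsid']}"))
        elif kind == "O2" and f["name"] == "(no name)" and SYSTEM32_RE.match(f["path"]):
            note = " (registration left behind, file already gone)" if "(file missing)" in f["path"] else ""
            findings.append(("NAMELESS_BHO", f"{dll_name(f['path'])} {f['clsid']}{note}"))
        elif kind == "R" and f["data"].lower().startswith("file://") and "\\temp\\" in f["data"].lower():
            findings.append(("SEARCH_HIJACK", f"{f['hive']} {f['value']} -> {f['data']}"))
        elif kind == "O6":
            findings.append(("POLICY_LOCK", f["key"]))
    return findings


def filter_dll_history(logs):
    """(label, clsid, dll) for the text/html filter in each log, in order."""
    history = []
    for label, text in logs:
        for kind, f in parse_hjt(text):
            if kind == "O18" and f["mime"] == "text/html":
                history.append((label, f["clsid"], dll_name(f["path"])))
    return history


def reinfection_churn(history):
    """True when the text/html filter is re-registered under a new CLSID and DLL
    name in every successive log: deleting the visible DLL and key is not holding,
    something still on the machine is dropping a fresh copy."""
    seen = {(clsid, dll) for _, clsid, dll in history}
    return len(history) > 1 and len(seen) == len(history)


if __name__ == "__main__":
    for label, text in LOGS:
        print(f"== {label}")
        for tag, msg in analyze(parse_hjt(text)):
            print(f"  {tag:14} {msg}")
    hist = filter_dll_history(LOGS)
    print("text/html filter re-randomised in every log:", reinfection_churn(hist), [d for _, _, d in hist])
```

Run it directly for a per-log report. The cross-log check is the practical point: the O18 CLSID and DLL name differ in every log while the role (a filter on text/html and text/plain, plus a nameless BHO on the same DLL) stays the same, which is why deleting the visible registry entry and renaming the DLL did not hold; whatever recreates them has to be found before the filter entries will stay gone. The Google Toolbar BHO in the post #2 excerpt is kept as a benign control and is not flagged.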
  5. faustnomad

    I'm sick of this spyware, it keeps coming back... will no one help?!? I am this close to reformatting.
     