Browser popup "Your pc has been infected with spyware", SpywareBlaster failure

Discussion in 'adware, spyware & hijack cleaning' started by faustnomad, Jul 6, 2004.

Thread Status:
Not open for further replies.
  1. faustnomad, Registered Member (Joined: Jul 6, 2004; Posts: 5)

    Hello, help !!! This "about:blank" hijack keeps COMING BACK!!!

    Hello there, I've recently been malware clean, but recently... sigh.

    (1) Yesterday (5-July), my brother told me of some search thing coming up. I already had my browser's homepage at about:blank ... this one kept the "about:blank" in the address bar, but the display is the typical search crap. When connected to the Internet, it will pop up a new window, with an image and message, "Your browser has been infected with spyware! Click here for spyware removal software". I have seen 2 different types of message so far.

    I ran Ad-Aware, and cleaned the following:

    <----->
    ArchiveData(auto-quarantine- 05-07-2004 18-48-13.bckp)
    =====================================

    POSSIBLE BROWSER HIJACK ATTEMPT
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[1]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[2]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[3]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[4]=RegData : Software\Microsoft\Internet Explorer\Search
    obj[5]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[6]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[7]=RegData : Software\Microsoft\Internet Explorer\Search

    COOLWEBSEARCH
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[8]=RegKey : CLSID\{F91027B1-1030-415D-8885-7AD9D4AE4799}
    obj[9]=RegKey : CLSID\{FB1DA0FA-AD69-4C95-8925-1A61F9CA0792}
    obj[10]=RegKey : PROTOCOLS\Filter\text/html
    obj[11]=RegKey : PROTOCOLS\Filter\text/plain
    obj[12]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB1DA0FA-AD69-4C95-8925-1A61F9CA0792}
    obj[13]=RegValue : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    obj[14]=File : c:\windows\system32\okap.dll
    obj[15]=File : c:\docume~1\home\locals~1\temp\sp.html

    <----->

    Then I rebooted, and everything seemed fine. Did not restart any more yesterday, used about 3-4 hours.

    Today, again the same browser hijack came, with same popups! This time, running Ad-Aware again:-

    <----->
    ArchiveData(auto-quarantine- 06-07-2004 18-08-02.bckp)
    =====================================

    POSSIBLE BROWSER HIJACK ATTEMPT
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[1]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[2]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[3]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[4]=RegData : Software\Microsoft\Internet Explorer\Search
    obj[5]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[6]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[7]=RegData : Software\Microsoft\Internet Explorer\Search

    COOLWEBSEARCH
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[8]=File : c:\windows\system32\nhnfnba.dll
    <----->


    I have restarted and run HijackThis. It gave me some "Error#5", but continued scanning. Here's the log:-

    <----->
    Logfile of HijackThis v1.98.0
    Scan saved at 7:07:24 pm, on 2004-07-06
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\AntiSpy\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {52D795C1-8688-487D-89DC-91BA47602F77} - C:\WINDOWS\System32\nhnfnba.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O18 - Filter: text/html - {3498C2BA-77AF-42F9-809E-58F343BEBFD6} - C:\WINDOWS\System32\nhnfnba.dll
    O18 - Filter: text/plain - {3498C2BA-77AF-42F9-809E-58F343BEBFD6} - C:\WINDOWS\System32\nhnfnba.dll
    <----->

    Another thing, I noticed that my internet connection seems to be sending/receiving even though I'm typing this right now...


    (2) I tried to use SpywareBlaster yesterday after seeing the above problems. Oddly, it gave me:

    "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it."

    I uninstalled, and reinstalled, rebooted. Same problem.


    (3) I was going through some text files, and Windows told me it cannot find the program notepad.exe. I typed it C:\windows\notepad.exe and it worked. Possible thing? And I found a notepad.exe.bak too, which I have since renamed back.

    Please advise me on above problems. Thank you.
     
    Last edited: Jul 17, 2004
  2. faustnomad, Registered Member (Joined: Jul 6, 2004; Posts: 5)

    I ran HijackThis again, and this time it ran fine:-

    <->
    Logfile of HijackThis v1.98.0
    Scan saved at 11:08:26 am, on 2004-07-07
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\AntiSpy\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Home\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1146D42E-F39E-45E8-8196-413BD5341F81} - C:\WINDOWS\System32\dhahjba.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O18 - Filter: text/html - {120AF0D2-7F04-433D-8EC6-56F1A3717E3D} - C:\WINDOWS\System32\dhahjba.dll
    O18 - Filter: text/plain - {120AF0D2-7F04-433D-8EC6-56F1A3717E3D} - C:\WINDOWS\System32\dhahjba.dll
    <->

    [Edit] I ran BHODemon, and it showed me a Browser Helper Object called "dhahjba.dll" (similar to above log). The program pointed to a registry entry, which I deleted. But it came back right after! So, I found the .dll itself, and renamed it. Tried deleting the registry entry - so far so good, the browser hijack seems to be 'off' now. But I suppose this is like a manual Ad-Aware move. Have restarted once, didn't come back yet.

    [Edit2(8-July)] SpywareBlaster is now at version 3.2 (mine was 3.1) which now works! But the bug would still be somewhere - I don't want more CWS coming in!

    [Edit3] dhahjba.dll came back...
     
    Last edited: Jul 8, 2004
  3. faustnomad, Registered Member (Joined: Jul 6, 2004; Posts: 5)

    [[ bump ]]
     
  4. faustnomad, Registered Member (Joined: Jul 6, 2004; Posts: 5)

    [[ Bump ]]

    Update: dhahjba.dll entries in HijackThis log have been replaced by these:

    O18 - Filter: text/html - {337CF6F4-1D09-450C-9894-280B9572CE7D} - C:\WINDOWS\System32\ijl.dll
    O18 - Filter: text/plain - {337CF6F4-1D09-450C-9894-280B9572CE7D} - C:\WINDOWS\System32\ijl.dll

    The file size (compared with dhahjba) is the SAME. Contents (in notepad) seem same too.

    (I did a search in Google, ijl.dll is also the name of some Intel USB thing which I have not installed... smart spyware eh?...)
     
    Last edited: Jul 11, 2004
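
Added example (not part of the posts in this thread): across the logs above, the `text/html` filter and the unnamed BHO point at a differently named DLL with a new CLSID on each scan, which is why deleting one file or registry entry does not hold. This Python script compares the O2/O18 lines excerpted from those logs and reports the hook slots whose target changes between scans; the function names and scan labels are illustrative.

```python
import re
from collections import defaultdict

# O2/O18 lines excerpted from the three HijackThis logs posted in this thread.
SCANS = [
    ("2004-07-06", r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {52D795C1-8688-487D-89DC-91BA47602F77} - C:\WINDOWS\System32\nhnfnba.dll (file missing)
O18 - Filter: text/html - {3498C2BA-77AF-42F9-809E-58F343BEBFD6} - C:\WINDOWS\System32\nhnfnba.dll
"""),
    ("2004-07-07", r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1146D42E-F39E-45E8-8196-413BD5341F81} - C:\WINDOWS\System32\dhahjba.dll
O18 - Filter: text/html - {120AF0D2-7F04-433D-8EC6-56F1A3717E3D} - C:\WINDOWS\System32\dhahjba.dll
"""),
    ("post 4 update", r"""
O18 - Filter: text/html - {337CF6F4-1D09-450C-9894-280B9572CE7D} - C:\WINDOWS\System32\ijl.dll
"""),
]

ENTRY = re.compile(r"^(O2|O18) - (?:BHO|Filter): (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)(?: \(file missing\))?$")

def parse(log):
    """Yield (slot, clsid, path) for each BHO (O2) and protocol filter (O18) line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            code, name, clsid, path = m.groups()
            yield f"{code} {name}", clsid.upper(), path.lower()

def rotating_hooks(scans):
    """Return {slot: [DLL names in scan order]} for slots whose CLSID or file changes."""
    seen = defaultdict(list)
    for _label, log in scans:
        for slot, clsid, path in parse(log):
            if (clsid, path) not in seen[slot]:
                seen[slot].append((clsid, path))
    return {slot: [p.rsplit("\\", 1)[-1] for _c, p in hits]
            for slot, hits in seen.items() if len(hits) > 1}

if __name__ == "__main__":
    for slot, dlls in rotating_hooks(SCANS).items():
        print(f"{slot}: hook target changed across scans -> {', '.join(dlls)}")
```

The Acrobat helper keeps the same CLSID and path in both full scans, so it is not reported; only the slots that change are.
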
  5. faustnomad, Registered Member (Joined: Jul 6, 2004; Posts: 5)

    I'm sick of this spyware, it keeps coming back ... will no one help ?!? I am this close to reformatting.
     