Help: About:Blank Hijacked

Discussion in 'adware, spyware & hijack cleaning' started by UnsungHero70, Jun 12, 2004.

Thread Status:
Not open for further replies.
  1. UnsungHero70

    UnsungHero70 Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    5
    Hello and thank you in advance for reading my post. I have been recently having problems with spyware and popups. I have downloaded Spybot S&D 1.3, updated it fully. There are STILL! Problems and popups and i can't figure out what to do.

    Here is my Hijack This Log

    Logfile of HijackThis v1.97.7
    Scan saved at 7:18:42 PM, on 6/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\System32\smss.exe
    C:\WINDOWS.000\system32\winlogon.exe
    C:\WINDOWS.000\system32\services.exe
    C:\WINDOWS.000\system32\lsass.exe
    C:\WINDOWS.000\system32\svchost.exe
    C:\WINDOWS.000\System32\svchost.exe
    C:\WINDOWS.000\system32\spoolsv.exe
    C:\WINDOWS.000\explorer.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS.000\System32\netdc.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS.000\System32\nvsvc32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS.000\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Wolinski\Desktop\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.000\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F0 - system.ini: Shell=explorer.exe C:\WINDOWS.000\System32\netdc.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS.000\System32\netdc.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {85F74A07-539E-4BFA-82D3-8FB17F42DEF3} - C:\WINDOWS.000\System32\neambg.dll
    O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS.000\System32\msmk.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.000\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [load32] C:\WINDOWS.000\System32\netda.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: netdb.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E015A272-D206-4371-BB87-ACF8687069F0}: NameServer = 205.152.144.23 205.152.37.23


    Once again thank you for your any time spent reading/helping me :) greatly appreciated.
     
    Last edited: Jun 12, 2004
  2. UnsungHero70

    UnsungHero70 Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    5
    with some further investiation i have determined that netdc netdb netda are worms so i have removed them
     
  3. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    Now that you have removed them, would you like to post another log to see if anything else needs fixing. Also for us to see what you fixed is actually gone.
     
  4. UnsungHero70

    UnsungHero70 Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    5
    Here is the updated Hijack This log
    Popups still happening :(


    Logfile of HijackThis v1.97.7
    Scan saved at 7:45:32 PM, on 6/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\System32\smss.exe
    C:\WINDOWS.000\system32\winlogon.exe
    C:\WINDOWS.000\system32\services.exe
    C:\WINDOWS.000\system32\lsass.exe
    C:\WINDOWS.000\system32\svchost.exe
    C:\WINDOWS.000\System32\svchost.exe
    C:\WINDOWS.000\system32\spoolsv.exe
    C:\WINDOWS.000\explorer.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS.000\System32\netdc.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS.000\System32\nvsvc32.exe
    C:\WINDOWS.000\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Wolinski\Desktop\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.000\System32\neambg.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.000\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {85F74A07-539E-4BFA-82D3-8FB17F42DEF3} - C:\WINDOWS.000\System32\neambg.dll
    O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS.000\System32\msmk.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.000\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E015A272-D206-4371-BB87-ACF8687069F0}: NameServer = 205.152.144.23 205.152.37.23
     
  5. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Download this file from http://downloads.subratam.org/dllfix.exe .

    Preferably to Desktop. Double click on it and it being a self -extractor, will create its own folder. Run Start.Bat from there. Run Option 1. which is "Run Find-All... ". Let it complete and there will be a pop-up window with a log.
    Post that log here.

    [ Tutorial - http://forums.subratam.org/index.php?showtopic=583 with screenshots for better understanding. Follow upto step 5 ]

    Regards
     
  6. UnsungHero70

    UnsungHero70 Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    5
    Here is the log!

    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Sun 06/13/2004
    05:18 PM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "" (1563:1CE1) - FS:FAT clusters:4k
    Total: 8 430 829 568 [7.9G] - Free: 651 681 792 [621M]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS.000\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS.000\notepad.exe
    *Media Player version :
    9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q330994;Q824145;



    Locked or 'Suspect' file(s) found...
    These may be other files that Dllfix doesnt target.
    * result\\?\C:\WINDOWS.000\System32\COMH.DLL
    * result: not locked...C:\WINDOWS.000\System32\COMH.DLL


    Scanning for main Hijacker:
    File found was C:\WINDOWS.000\System32\NEAMBG.DLL
    Md5 tested As F3175FEA00D08F5E991B3E237C62D912

    known baddies are:
    0758CF635DF08AC381962F74832B6484
    C87354D67A8B9828F483C6F90C496972
    4E24A18F3A557AF479219E47E27B8B59


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85F74A07-539E-4BFA-82D3-8FB17F42DEF3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98DBBF16-CA43-4c33-BE80-99E6694468A4}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{4C7FD555-07AA-4BDA-8662-0832EB35FB12}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{4C7FD555-07AA-4BDA-8662-0832EB35FB12}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls REG_SZ

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
    (ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Full access WOLINSKI\Wolinski
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    QWCEN-DS-- BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
    Full access WOLINSKI\Wolinski


    


    Thanks again!
     
  7. UnsungHero70

    UnsungHero70 Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    5
    Hello, thank you for your time, I have already solved my own problem. The culprit was neambg.dll. I rebooted into safe mode and deleted it...the problem seems solved.

    Thanks again!
     
  8. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    I don't believe that file was your problem. You may want to continue with this fix. If not, let me know.
     
  9. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Well,

    we are not finished yet, That way, the dll may not be removed. Do NOT do things on your own please.

    Run the start.bat again after the "dll" is found or if you have not found it..Run option 2 and choose correct option in submenu.
    Option 1 -- > is if you found the dllname that is locked or in the appinit key.
    Option 2 -- > is for if you can't find the dllname.

    It will then perform some routines, then the Computer will reboot with a 15 second countdown. After the reboot there will be the scan for the " dll " on-boot screen, which will search and fix it.There will just be a md5 scan if the filename was entered manually. (option 2,1 in start.bat)


    Reboot. Run HijackThis and save the fresh log.

    Post a new Output.txt (option 1 in start.bat ), the logs.txt the fix generated (you will find it automatically being made and found in the dllfix folder) and a fresh HijackThis Log.

    Regards
     
Thread Status:
Not open for further replies.