Recurring about:blank homepage hijack is really strange

Discussion in 'adware, spyware & hijack cleaning' started by streathamp, Apr 26, 2004.

Thread Status:
Not open for further replies.
  1. streathamp

    streathamp Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    7
    Hi.
    I have also been caught by the about:blank homepage hijack despite using McAfee anti-virus, CWS and Adaware. When I use HijackThis, I delete the new lines in my log for the IE start page etc. but after a few sessions on the web, the homepage gets reset again with a reference to a new .dll file in Windows\System32. Whenever I fix it with HijackThis, the .dll file disappears before I can erase it myself in safe mode! My first System32 bogus file was hamhkna.dll and the last bogus file was: lhedeca.dll - i.e. there must be a different hidden file that HijackThis doesn't pick up.

    Like txinvestigator, who has written in, I tried to install SpyBlaster, but I couldn't, with the same error message:

    "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it."

    I assume that this is related to whatever has infected my machine.

    I have been following the threads for Fuse, Derek: Allen Williams and confused1, who have the same problem, it seems. In Fuse's thread, Pieter suggests using: http://www10.brinkster.com/expl0ite...last/PVtool.htm

    but this just gave me a blank when I ran the find.bat inside it, with no log.txt. It did have a file.txt, which read:
    C:\WINDOWS\System32\WINLMO.DLL +++ File read error

    if that is any help.

    I should also mention that I removed the MSZTCE.EXE with HijackThis also, (to remove the 1 on 1 dialler as suggested by dvk01 yesterday) and placed the 70000041.exe folder that is related to it into the recycle bin whilst in safe mode. Should I empty the recycle bin of this file?

    I have read the CWS Variants thread posted by Unzy on April 20th, but am too inexperienced to try and do what he suggested for "about:blank" even though it seems as though I have EXACTLY what he is describing. He says one should be guided by an expert. Can anyone help me?

    I have posted 2 HJT logs below; the second one is my latest one, after I fixed the first one:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:47:51, on 26/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\DOCUME~1\Kismet\LOCALS~1\Temp\PopUpStopperISP.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lhedeca.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lhedeca.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lhedeca.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lhedeca.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lhedeca.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lhedeca.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
    O2 - BHO: (no name) - {F2B38718-CC11-4916-94D6-5FBFC9631879} - C:\WINDOWS\System32\lhedeca.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Sony\Sony Style Imaging\UploadTools\ZingSpooler.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38098.4928009259
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79EE0C73-14ED-4AD1-956D-262CADF70593}: Domain = anat.ucl.ac.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79EE0C73-14ED-4AD1-956D-262CADF70593}: NameServer = 144.82.100.41,144.82.100.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = anat.ucl.ac.uk,ucl.ac.uk
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = anat.ucl.ac.uk,ucl.ac.uk

    THEN AFTER FIXING:

    Logfile of HijackThis v1.97.7
    Scan saved at 16:03:30, on 26/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Sony\Sony Style Imaging\UploadTools\ZingSpooler.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38098.4928009259
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79EE0C73-14ED-4AD1-956D-262CADF70593}: Domain = anat.ucl.ac.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79EE0C73-14ED-4AD1-956D-262CADF70593}: NameServer = 144.82.100.41,144.82.100.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = anat.ucl.ac.uk,ucl.ac.uk
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = anat.ucl.ac.uk,ucl.ac.uk


    Panicware is my popup stopper, Nero and inCD are for my CD burner, blueyonder is my ISP and ucl.ac.uk is my university.

    I do not know if the O3 - Toolbar: &Radio... line
    or the O4 - Global Startup: Microsoft Office.lnk... line
    or the O16 - DPF: ... line
    should be there.

    Finally, in regedit, I notice that my
    HKCU\Software\Microsoft\Internet Explorer\Main section has a line for Local Page as REG_SZ C:\Windows\System32\blank.htm
    and the corresponding line for HKLM is
    REG_EXPAND_SZ %SystemRoot%\system32\blank.htm

    but there is no file called blank.htm in System32. Is this related? I hope all this information helps and that someone can please help me.

    Streathamp
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Everything in the log now is quite legitimate and safe to leave there.

    I did reply to the PM, and yes, empty the recycle bin to make sure that dialler has been eradicated.

    This CWS hijacker comes back normally and we are still working on ways to kill it off permanently.
    What works for some doesn't work for others, but some get rid of it fairly easily.

    A workaround seems to be to install a good firewall (lists here: http://www.wilders.org/firewalls.htm) and block these ranges of ports, both incoming and outgoing: 209.66.114.0-209.66.115.255 and 81.211.105.0-81.211.105.255.
    That stops the known CWS servers responding or the hidden files on your computer updating. This works sometimes but not always, but it's a help. The problem with this approach is that some good sites might also be blocked.
    Then kill it off using Shredder etc. and HJT as advised while disconnected from the net.
     
  3. streathamp

    streathamp Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    7
    Thank you for your reply. Sorry to keep asking questions:
    I was about to install the Kerio firewall, but noticed that you suggested sticking with Version 2.1.5 rather than the recently released Version 4 in a Security Software thread (18th April). As I am a computer novice, I just want to download whatever is easiest to use - i.e. version 2.1.5, but the Kerio website only offers Version 4.0.16.

    Also, will a firewall affect my ability to connect to my university email account from home via Eudora?

    I notice that no one has been able to clear up the problem with installing SpyBlaster, which is being attributed to a CWS malware. Shall I just wait until the next version of CWShredder before trying to reinstall it, as you guys are working on the problem?

    Finally, in my Windows\System32 folder, a new file called wpa.dbl appeared today, when I got all my hijacking problems. Is it a known problem? Shall I delete it or leave it?

    Streathamp
     
  4. streathamp

    streathamp Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    7
    Well, this morning about:blank was back as my homepage before I had a chance to install a firewall. It must use some kind of timer, as I left my computer on overnight to run Symantec's web virus check (which came up clean).

    I had to run HJT twice to clear it, but again could not find the offending file ("obhjfla.dll" this time). I then ran Ad-aware 6.0 (updated) which found 10 items!!! CWS was clear.

    I have included my 'before' and 'after' HJT logs and my Adaware log.

    Logfile of HijackThis v1.97.7
    Scan saved at 08:08:59, on 27/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\obhjfla.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\obhjfla.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\obhjfla.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\obhjfla.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\obhjfla.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\obhjfla.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
    O2 - BHO: (no name) - {EF875B4C-A59F-4D14-B654-D4336740934B} - C:\WINDOWS\System32\obhjfla.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Sony\Sony Style Imaging\UploadTools\ZingSpooler.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8098.4928009259
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79EE0C73-14ED-4AD1-956D-262CADF70593}: Domain = anat.ucl.ac.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79EE0C73-14ED-4AD1-956D-262CADF70593}: NameServer = 144.82.100.41,144.82.100.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = anat.ucl.ac.uk,ucl.ac.uk
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = anat.ucl.ac.uk,ucl.ac.uk


    And now:

    Logfile of HijackThis v1.97.7
    Scan saved at 08:24:13, on 27/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Sony\Sony Style Imaging\UploadTools\ZingSpooler.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8098.4928009259
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79EE0C73-14ED-4AD1-956D-262CADF70593}: Domain = anat.ucl.ac.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79EE0C73-14ED-4AD1-956D-262CADF70593}: NameServer = 144.82.100.41,144.82.100.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = anat.ucl.ac.uk,ucl.ac.uk
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = anat.ucl.ac.uk,ucl.ac.uk


    Adaware Log:

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :27 April 2004 08:25:33
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R299 22.04.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    27-04-2004 08:25:33 - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 26-04-2004 21:58:05
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 26-04-2004 21:58:08
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 26-04-2004 21:58:09
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 23/08/2001 12:00:00
    Last accessed : 27/04/2004 07:25:33
    Last modified : 23/08/2001 12:00:00

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 26-04-2004 21:58:09
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 23/08/2001 12:00:00
    Last accessed : 27/04/2004 07:25:33
    Last modified : 29/08/2002 10:41:26

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 26-04-2004 21:58:11
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 23/08/2001 12:00:00
    Last accessed : 27/04/2004 07:25:33
    Last modified : 23/08/2001 12:00:00

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 26-04-2004 21:58:11
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 23/08/2001 12:00:00
    Last accessed : 27/04/2004 07:25:33
    Last modified : 23/08/2001 12:00:00

    #:7 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 26-04-2004 21:58:17
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-114
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 23/08/2001 12:00:00
    Last accessed : 27/04/2004 07:25:33
    Last modified : 23/08/2001 12:00:00

    #:8 [avsynmgr.exe]
    FilePath : C:\Program Files\Network Associates\VirusScan\
    ThreadCreationTime : 26-04-2004 21:58:42
    BasePriority : Normal
    FileSize : 152 KB
    Created on : 26/11/2001 15:51:00
    Last accessed : 27/04/2004 07:25:34
    Last modified : 26/11/2001 15:51:00

    #:9 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 26-04-2004 21:58:46
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 28/08/2003 02:15:10
    Last accessed : 27/04/2004 07:25:34
    Last modified : 29/08/2002 10:41:24

    #:10 [incd.exe]
    FilePath : C:\Program Files\Ahead\InCD\
    ThreadCreationTime : 26-04-2004 21:58:49
    BasePriority : Normal
    FileSize : 1200 KB
    Created on : 28/08/2003 19:38:09
    Last accessed : 27/04/2004 07:25:34
    Last modified : 27/01/2003 21:04:08

    #:11 [ctfmon.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 26-04-2004 21:58:49
    BasePriority : Normal
    FileSize : 13 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    OriginalFilename : CTFMON.EXE
    ProductName : Microsoft
    Created on : 28/08/2003 02:14:57
    Last accessed : 27/04/2004 07:25:34
    Last modified : 29/08/2002 10:41:22

    #:12 [vsstat.exe]
    FilePath : C:\Program Files\Network Associates\VirusScan\
    ThreadCreationTime : 26-04-2004 21:58:59
    BasePriority : Normal
    FileSize : 96 KB
    Created on : 26/11/2001 15:51:00
    Last accessed : 27/04/2004 07:25:34
    Last modified : 26/11/2001 15:51:00

    #:13 [vshwin32.exe]
    FilePath : C:\Program Files\Network Associates\VirusScan\
    ThreadCreationTime : 26-04-2004 21:59:01
    BasePriority : Normal
    FileSize : 116 KB
    Created on : 26/11/2001 15:51:00
    Last accessed : 27/04/2004 07:25:34
    Last modified : 26/11/2001 15:51:00

    #:14 [avconsol.exe]
    FilePath : C:\Program Files\Network Associates\VirusScan\
    ThreadCreationTime : 26-04-2004 21:59:05
    BasePriority : Normal
    FileSize : 160 KB
    Created on : 26/11/2001 15:51:00
    Last accessed : 27/04/2004 07:25:34
    Last modified : 26/11/2001 15:51:00

    #:15 [webscanx.exe]
    FilePath : C:\Program Files\Network Associates\VirusScan\
    ThreadCreationTime : 26-04-2004 21:59:06
    BasePriority : Normal
    FileSize : 140 KB
    Created on : 30/04/2001 03:51:00
    Last accessed : 27/04/2004 07:25:34
    Last modified : 30/04/2001 03:51:00

    #:16 [mcshield.exe]
    FilePath : C:\Program Files\Common Files\Network Associates\McShield\
    ThreadCreationTime : 26-04-2004 21:59:10
    BasePriority : High
    FileSize : 220 KB
    Created on : 26/11/2001 15:51:00
    Last accessed : 27/04/2004 07:25:34
    Last modified : 26/11/2001 15:51:00

    #:17 [notepad.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 27-04-2004 07:24:14
    BasePriority : Normal
    FileSize : 64 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Notepad
    InternalName : Notepad
    OriginalFilename : NOTEPAD.EXE
    ProductName : Microsoft
    Created on : 23/08/2001 12:00:00
    Last accessed : 27/04/2004 07:21:20
    Last modified : 23/08/2001 12:00:00

    #:18 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 27-04-2004 07:24:36
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 07/04/2004 13:38:31
    Last accessed : 27/04/2004 07:24:36
    Last modified : 12/07/2003 21:00:20

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Deep scanning and examining files (C
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Cydoor Object recognized!
    Type : Folder
    Object : C:\Documents and Settings\Kismet\Application Data\Qualcomm\Eudora\EudPriv\Ads\AdCache



    Tracking Cookie Object recognized!
    Type : File
    Data : kismet@dcsgcxwngpifwznfzlmv83o6w_5w4m[2].txt
    Object : C:\Documents and Settings\LocalService\Cookies\

    Created on : 26/04/2004 12:35:53
    Last accessed : 27/04/2004 07:28:03
    Last modified : 26/04/2004 12:35:53



    Tracking Cookie Object recognized!
    Type : File
    Data : kismet@s111319[1].txt
    Object : C:\Documents and Settings\LocalService\Cookies\

    Created on : 26/04/2004 12:35:52
    Last accessed : 27/04/2004 07:28:03
    Last modified : 26/04/2004 12:35:52



    CoolWebSearch Object recognized!
    Type : File
    Data : backup-20040426-132400-772.dll
    Object : C:\unzipped\hijackthis\
    FileSize : 36 KB
    Created on : 26/04/2004 10:55:27
    Last accessed : 27/04/2004 07:30:59
    Last modified : 26/04/2004 10:55:27



    CoolWebSearch Object recognized!
    Type : File
    Data : backup-20040426-154927-681.dll
    Object : C:\unzipped\hijackthis\
    FileSize : 36 KB
    Created on : 26/04/2004 14:40:06
    Last accessed : 27/04/2004 07:30:59
    Last modified : 26/04/2004 14:40:06



    CoolWebSearch Object recognized!
    Type : File
    Data : backup-20040427-080951-309.dll
    Object : C:\unzipped\hijackthis\
    FileSize : 36 KB
    Created on : 27/04/2004 01:16:06
    Last accessed : 27/04/2004 07:09:51
    Last modified : 27/04/2004 01:16:06



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 7


    Deep scanning and examining files (D
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Disk scan result for D:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 7


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/html


    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/plain


    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 3
    Objects found so far: 10


    08:36:06 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:10:32:239
    Objects scanned :78536
    Objects identified :10
    Objects ignored :0
    New objects :10


    HOWEVER, when I then went to Regedit, the IE start page was still about:blank, so I reset it from Regedit. Do you think the fact that my HKLM ... Local Page is
    C:\Windows\System32\blank.htm
    and HKCU ... Local Page is %SystemRoot%\System32\blank.htm
    is related? Do you think the problem is hidden in the HijackThis logs, where Adaware found infected files?
    I hope you guys sort out the culprit, but I've got to go to work - good luck and THANKS in advance!

    Streathamp
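
The before/after HijackThis logs in posts 1 and 4 show the same set of entries returning under a different DLL name each time. As an added example (not part of the original thread and not HijackThis's own code), this Python script parses HijackThis entries, flags the pattern visible in those logs, and compares snapshots; the function names and flagging rules are assumptions drawn from the entries posted above, and the sample lines are copied from those logs.

```python
import ntpath
import re

# Sample lines copied from the HijackThis logs posted in this thread
# (26/04 before and after the fix, 27/04 before the fix), trimmed to a few entries.
LOG_26_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lhedeca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F2B38718-CC11-4916-94D6-5FBFC9631879} - C:\WINDOWS\System32\lhedeca.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
"""
LOG_26_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
"""
LOG_27_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\obhjfla.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EF875B4C-A59F-4D14-B654-D4336740934B} - C:\WINDOWS\System32\obhjfla.dll
"""
SNAPSHOTS = [("26/04 before fix", LOG_26_BEFORE),
             ("26/04 after fix", LOG_26_AFTER),
             ("27/04 before fix", LOG_27_BEFORE)]

ENTRY_RE = re.compile(r"^\s*([ROF]\d+) - (.+?)\s*$")        # "R1 - ...", "O2 - ..."
RES_RE = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)    # page served out of a DLL
BHO_RE = re.compile(r"^BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def parse_entries(log_text):
    """Return [(section, body)] for every R*/O*/F* line; headers and process lists are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def res_targets(entries):
    """Lower-cased DLL paths that R* (IE start/search) values load through res://."""
    found = set()
    for section, body in entries:
        if section.startswith("R"):
            found.update(p.lower() for p in RES_RE.findall(body))
    return found


def flag_entries(entries):
    """Return [(section, body, reason)] for entries matching the pattern in the thread's logs."""
    targets = res_targets(entries)
    flagged = []
    for section, body in entries:
        if section.startswith("R") and RES_RE.search(body):
            flagged.append((section, body, "IE setting served from a DLL resource"))
        elif section.startswith("R") and ",homeoldsp" in body.lower():
            # Ad-aware's log in this thread lists HOMEOldSP as a CoolWebSearch object.
            flagged.append((section, body, "HomeOldSP value present"))
        elif section == "O2":
            m = BHO_RE.match(body)
            if m and m.group(2).lower() in targets:
                flagged.append((section, body, "BHO is the DLL the res:// values point to"))
    return flagged


def removed_by_fix(before_text, after_text):
    """Entries present before the fix and absent afterwards."""
    after = set(parse_entries(after_text))
    return [e for e in parse_entries(before_text) if e not in after]


def dll_history(snapshots):
    """Per snapshot, the file names of the DLLs referenced through res://."""
    return [(label, sorted(ntpath.basename(p) for p in res_targets(parse_entries(text))))
            for label, text in snapshots]


if __name__ == "__main__":
    for label, text in SNAPSHOTS:
        print(label)
        for section, body, reason in flag_entries(parse_entries(text)):
            print(f"  {section}: {reason}\n      {body}")
    print(dll_history(SNAPSHOTS))
```

The DLL name and BHO CLSID differ between the 26/04 and 27/04 snapshots while the shape of the entries is identical, so the match is on that shape rather than on a file name.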
     