pummer (Member, join:2003-02-13, Hamburg, NY)

HJT Log - can't kill about:blank hijack

I'm trying to fix a browser hijack on my uncle's computer. Every time the browser loads, it goes to a search page called "about:blank" and popups abound.

To try and fix this, I updated and ran NAV 2004, and AAW SE 1.5. Ad-Aware removed all files it found (including some CoolWebSearch files), but the problem wasn't solved. Every time I went into MSIE, the about:blank would still be there, and a subsequent ad-aware scan would show that CoolWebSearch returned. NAV found various unremovable adware (I can run it again and get names if need be). Following the dslreports tutorial, I then ran various web-based AV scanners, to much the same result. I downloaded and installed CWShredder, which I thought would work, but to my surprise it found nothing. Spybot S&D was next on the list. It found DoubleClick, CoolWWWSearch.Feat2Installer, CoolWWWSearch.Service, DSO Exploit, and Winpup. Upon reboot, all were deleted. But again, after restarting Internet Explorer, all problems returned. Next, I downloaded TDS-3. It found nothing. Lastly, I put HJT on. Logs are below.

Logfile of HijackThis v1.99.0
Scan saved at 6:24:18 PM, on 12/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\mses32.exe
C:\WINDOWS\system32\appiu32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8977C2-F792-063C-E030-797E33369E31} - C:\WINDOWS\mfcyn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sdkzx32.exe] C:\WINDOWS\system32\sdkzx32.exe
O4 - HKLM\..\Run: [appiu32.exe] C:\WINDOWS\system32\appiu32.exe
O4 - HKLM\..\RunOnce: [mses32.exe] C:\WINDOWS\mses32.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102984294593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\winkh.exe (file missing)

weatherman12 (Member, join:2001-02-23, Lake Havasu City, AZ)

Remove the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1E8977C2-F792-063C-E030-797E33369E31} - C:\WINDOWS\mfcyn.dll
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\winkh.exe (file missing)

Also try running About:Buster:
http://www.malwarebytes.biz/

John2g "Qui Tacet Consentit" (Premium Member, join:2001-08-10, England), replying to pummer

Your uncle should invest a few dollars in BOClean, which will have 2 effects.

1. It will remove the current infections (automatically)
2. It will prevent future infections of CWS trojans (and many others)
3. I have never seen an HJT log posted by ANYONE with BOClean running.

estover4 (Premium Member, join:2004-03-16, Valencia, PA)

Start in safe mode. Run Ad-Aware and Spybot. When done, pull the plug on the PC. Pull the drive and put it in a known virus-free PC. Delete any and ALL temp files and directories. Move (not copy) the recycler file(s) to the desktop and delete them. Run NAV 04 or higher, and manually delete any file that was not done automatically. Should be good to go.

pummer (Member, join:2003-02-13, Hamburg, NY)

Simply removing the stuff from HJT that weatherman12 said fixed the problem. Thanks weatherman12!

I think I'm going to get him to buy BOClean anyway, because I'm sick of fixing this crap.

Dr Tweak (Member, join:2004-09-23, Chesapeake, VA)

You still have a few other nasties you need to take care of. Have HijackThis fix the following:

C:\WINDOWS\mses32.exe
C:\WINDOWS\system32\appiu32.exe ---suspicious
O4 - HKLM\..\Run: [sdkzx32.exe] C:\WINDOWS\system32\sdkzx32.exe
O4 - HKLM\..\Run: [appiu32.exe] C:\WINDOWS\system32\appiu32.exe
O4 - HKLM\..\RunOnce: [mses32.exe] C:\WINDOWS\mses32.exe
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

I would suggest doing the following as well:

Please download Ad-Aware SE and SpyBot Search & Destroy 1.3TX, then set them up EXACTLY as I have written HERE. This offers much deeper scanning than the default settings and will find more spyware/malware.

Install and run CWShredder 2.12.

Then do a FREE online virus scan from F-Secure.

I also HIGHLY recommend you download, update and scan with Spy Sweeper; there is a FREE 30-day trial and it is an EXCELLENT product.

Then post a new log.
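As an added example that is not part of the thread (not weatherman12's or Dr Tweak's own method, and not anything HijackThis itself does), here is a small Python triage script that encodes the patterns the two replies above single out so the same log can be screened mechanically: IE start/search pages served from a res:// DLL resource or set to about:blank, a missing URLSearchHook, an unnamed BHO, O4 autoruns whose target sits directly in C:\WINDOWS or system32, O15 trusted IP ranges, and O23 services with an unknown vendor or a missing binary. The sample lines are copied from pummer's posted log with two benign Adobe/Symantec lines added for contrast; the rule thresholds are my own heuristics, and a hit is a prompt to check the file, not proof by itself.

```python
import re
from typing import Dict, List

# Sample input: HijackThis lines copied from the log posted at the top of
# this thread, plus benign Adobe and Symantec lines for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8977C2-F792-063C-E030-797E33369E31} - C:\WINDOWS\mfcyn.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sdkzx32.exe] C:\WINDOWS\system32\sdkzx32.exe
O4 - HKLM\..\RunOnce: [mses32.exe] C:\WINDOWS\mses32.exe
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\winkh.exe (file missing)
"""

# O4 autorun target: the path after "[name]", optionally quoted.
_O4_TARGET = re.compile(r'\]\s+"?([a-z]:\\[^"]+?\.exe)', re.I)
# An executable living directly in C:\WINDOWS or C:\WINDOWS\system32
# (where the posted log's mses32/appiu32/sdkzx32 autoruns pointed).
_WINDIR_EXE = re.compile(r'^[a-z]:\\windows\\(system32\\)?[^\\]+\.exe$', re.I)


def triage_line(line: str) -> List[str]:
    """Return the reasons a HijackThis line deserves a look (empty if none).

    Heuristics are my own, mirroring what the replies in this thread flagged.
    """
    reasons: List[str] = []
    kind = line.split(" - ", 1)[0].strip()  # "R1", "O4", "O23", ...
    low = line.lower()

    if kind in ("R0", "R1") and "res://" in low:
        # Start/search page served out of a DLL resource: the CWS about:blank pattern.
        reasons.append("IE search/start page served from a res:// DLL resource")
    if kind in ("R0", "R1") and low.rstrip().endswith("= about:blank"):
        reasons.append("IE page set to about:blank")
    if kind == "R3" and "is missing" in low:
        reasons.append("default URLSearchHook removed")
    if kind == "O2" and "(no name)" in low:
        reasons.append("browser helper object with no name")
    if kind == "O4":
        m = _O4_TARGET.search(line)
        if m and _WINDIR_EXE.match(m.group(1)):
            reasons.append("autorun target sits directly in C:\\WINDOWS or system32 (verify the file)")
    if kind == "O15":
        reasons.append("trusted IP range / trusted zone entry")
    if kind == "O23" and ("(file missing)" in low or " - unknown - " in low):
        reasons.append("service with unknown vendor or missing binary")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious line to its reasons; lines with no hit are omitted."""
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print("    ->", r)
```

Run it as-is to see the eight hits from the sample; to screen a real log, pass the file contents to `triage()` instead of `SAMPLE_LOG`. The O4 rule deliberately flags any executable directly under the Windows directory rather than guessing at "random-looking" names, so legitimate system autoruns will show up too and need a manual check, which is the right failure direction for a triage pass.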


weatherman12 (Member, join:2001-02-23, Lake Havasu City, AZ), replying to pummer

Good eye, kavuser22. It was late and I guess I overlooked those.

Tactics "Green Lantern" (Member, join:2001-03-29, Pinehurst, NC)

Just an FYI: »www.download.com/Adware- ··· 100.html worked for me.

CWShredder, Ad-Aware and Spybot, all run in safe mode, did not do the trick. I was at a customer's house and didn't want them to shell out some $$ for BOClean just yet.

Adware Away worked, for those who want another proggie to throw into the mix.

bubblesam07 (Member, join:2005-03-14, Cleveland, OH), replying to pummer

Not that I want to advertise Microsoft products... I find that their new spyware program has worked the best for removing various adware junk when Spywareguide.com can't find it.

It's a beta program and you can download it for free and uninstall it if you don't want it hanging around.

I recently had my browsers (IE and Firefox) hacked so that Google would not be a viable search engine toolbar, nor could I actually use any links on the Google site. After reading around I saw other people experienced this problem, and my solution is Microsoft Spyware Remover... as much as I hate admitting it :P

Now my laptop is all clean and Google WORKS! I haven't really tried any other spyware removers, but basically this hijack requires a strong battle plan to get things done.

Spread the word LOL

Bubbles