pummer join:2003-02-13 Hamburg, NY
pummer
Member
2004-Dec-19 12:59 am
HJT Log - can't kill about:blank hijack
I'm trying to fix a browser hijack on my uncle's computer. Every time the browser loads, it goes to a search page called "about:blank" and popups abound.
To try and fix this, I updated and ran NAV 2004, and AAW SE 1.5. Ad-Aware removed all files it found (including some CoolWebSearch files), but the problem wasn't solved. Every time I went into MSIE, the about:blank would still be there, and a subsequent ad-aware scan would show that CoolWebSearch returned. NAV found various unremovable adware (I can run it again and get names if need be). Following the dslreports tutorial, I then ran various web-based AV scanners, to much the same result. I downloaded and installed CWShredder, which I thought would work, but to my surprise it found nothing. Spybot S&D was next on the list. It found DoubleClick, CoolWWWSearch.Feat2Installer, CoolWWWSearch.Service, DSO Exploit, and Winpup. Upon reboot, all were deleted. But again, after restarting Internet Explorer, all problems returned. Next, I downloaded TDS-3. It found nothing. Lastly, I put HJT on. Logs are below.
Logfile of HijackThis v1.99.0
Scan saved at 6:24:18 PM, on 12/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\mses32.exe
C:\WINDOWS\system32\appiu32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8977C2-F792-063C-E030-797E33369E31} - C:\WINDOWS\mfcyn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sdkzx32.exe] C:\WINDOWS\system32\sdkzx32.exe
O4 - HKLM\..\Run: [appiu32.exe] C:\WINDOWS\system32\appiu32.exe
O4 - HKLM\..\RunOnce: [mses32.exe] C:\WINDOWS\mses32.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102984294593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\winkh.exe (file missing)
Remove the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1E8977C2-F792-063C-E030-797E33369E31} - C:\WINDOWS\mfcyn.dll
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\winkh.exe (file missing)

Also try running About:Buster http://www.malwarebytes.biz/
John2g Qui Tacet Consentit Premium Member join:2001-08-10 England
to pummer
Your Uncle should invest a few dollars in BOClean, which will have 2 effects.
1. It will remove the current infections (automatically)
2. It will prevent future infections of CWS trojans (and many others)
3. I have never seen an HJT log posted by ANYONE with BOClean running.
estover4 Premium Member join:2004-03-16 Valencia, PA
estover4
Premium Member
2004-Dec-19 11:33 am
Start in safe mode. Run Ad-Aware and Spybot. When done, pull the plug on the PC. Pull the drive and put it in a known virus-free PC. Delete any and ALL temp files and directories. Move, not copy, the recycler file(s) to the desktop and delete. Run NAV 04 or higher, and manually delete any file that was not done automatically. Should be good to go.
pummer join:2003-02-13 Hamburg, NY
pummer
Member
2004-Dec-19 5:48 pm
Simply removing the stuff from HJT that weatherman12 said fixed the problem. Thanks weatherman12!
I think I'm going to get him to buy BOClean anyway, because I'm sick of fixing this crap.
You still have a few other nasties you need to take care of. Have HijackThis fix the following:

C:\WINDOWS\mses32.exe
C:\WINDOWS\system32\appiu32.exe ---suspicious
O4 - HKLM\..\Run: [sdkzx32.exe] C:\WINDOWS\system32\sdkzx32.exe
O4 - HKLM\..\Run: [appiu32.exe] C:\WINDOWS\system32\appiu32.exe
O4 - HKLM\..\RunOnce: [mses32.exe] C:\WINDOWS\mses32.exe
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

I would suggest doing the following as well: Please download Ad-Aware SE and SpyBot Search & Destroy 1.3TX, then set them up EXACTLY as I have written HERE. This will offer much deeper scanning than the default settings and will find more spyware/malware. Install and run CWShredder 2.12. Then do a FREE online virus scan from F-Secure. I also HIGHLY recommend you download, update and scan with Spy Sweeper; there is a FREE 30-day trial and it is an EXCELLENT product. Then post a new log.
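As an added defender-side example (not code from this thread or from HijackThis), here is a small Python triage that parses HijackThis-style lines and flags the kinds of entries the two replies above told pummer to fix: res:// search pages pointing at a DLL, the missing URLSearchHook, the unnamed BHO, random-named O4 autoruns under C:\WINDOWS, O15 trusted IP ranges and the O23 service whose file is missing. The rules are my own heuristics, not HijackThis logic, and the sample log is a constructed subset of the log posted above with a few legitimate entries left in.

```python
import re

# Constructed sample: a subset of the HijackThis entries posted in this thread, plus legitimate ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhywm.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1E8977C2-F792-063C-E030-797E33369E31} - C:\WINDOWS\mfcyn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [appiu32.exe] C:\WINDOWS\system32\appiu32.exe
O4 - HKLM\..\RunOnce: [mses32.exe] C:\WINDOWS\mses32.exe
O15 - Trusted IP range: 206.161.125.149
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\winkh.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# Autorun target that is a short random-looking name dropped straight into %WINDIR% or system32 (heuristic).
RANDOM_EXE_RE = re.compile(r"C:\\WINDOWS\\(system32\\)?[a-z]{3,6}\d{2}\.exe$", re.I)

def judge(kind, body):
    """Return a reason if this entry matches one of the hijack indicators flagged in the thread, else None."""
    if kind in ("R0", "R1"):
        if re.search(r"res://.+\.dll/", body, re.I):
            return "IE search/start page served from a local DLL resource"
        if body.rstrip().endswith("= about:blank"):
            return "start page forced to about:blank"
    elif kind == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed browser helper object"
    elif kind == "O4" and RANDOM_EXE_RE.search(body):
        return "autorun of random-named executable in Windows directory"
    elif kind == "O15":
        return "trusted IP range added to IE security zones"
    elif kind == "O23" and ("(file missing)" in body or " - Unknown - " in body):
        return "service with unknown vendor or missing binary"
    return None

def triage(log_text):
    """Parse HijackThis-style lines and return (entry, reason) for every one that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        reason = judge(m["kind"], m["body"]) if m else None
        if reason:
            hits.append((line.strip(), reason))
    return hits
```

Running triage(SAMPLE_LOG) returns eight flagged entries and passes over the Google BHO, the ccApp autorun and the Symantec service, which is the same split the replies above made by hand.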
to pummer
Good eye kavuser22. It was late and I guess I overlooked those.
TacticsGreen Lantern join:2001-03-29 Pinehurst, NC
Just a FYI » www.download.com/Adware- ··· 100.html worked for me. CW, Ad-Aware and Spybot all run in safe mode did not do the trick. I was at a customer's house and didn't want them to shell out some $$ for BOClean just yet. Adware Away worked, for those who want another proggie to throw into the mix.
to pummer
Not that I want to advertise Microsoft products... I find that their new spyware program has worked the best for removing various adware junk when Spywareguide.com can't find it.
It's a beta program and you can download it for free and uninstall it if you don't want it hanging around.
I recently had my browsers (IE and Firefox) hacked so that Google would not be a viable search engine toolbar, nor could I actually use any links on the Google site. After reading around I saw other people experienced this problem and my solution is Microsoft Spyware Remover... as much as I hate admitting it :P
Now my laptop is all clean and Google WORKS! I haven't really tried any other spyware removers but basically this hijack requires a strong battle plan to get things done.
Spread the word LOL
Bubbles