Jump to content


Photo

about:blank Hijack


  • This topic is locked This topic is locked
12 replies to this topic

#1 jakeabels1978

jakeabels1978

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 25 June 2004 - 05:49 PM

My browser has been hijacked to a search page and I get some nasty pop ups. The URL for the Hi jack is about:blank. I have used spybot and it cleans it up. When I restart though it is right back. Here is my Hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 5:45:59 PM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Justin\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9EA10EA9-569A-4D80-8797-1809A06D6BD6} - C:\WINDOWS\System32\kcih.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)

#2 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 05:55 PM

Download and install : "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt)
post the results....
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#3 jakeabels1978

jakeabels1978

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 25 June 2004 - 05:57 PM

Thank you, Here is the log.

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

Fri 06/25/2004
5:55pm up 0 days, 10:49
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\WDMB.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMB.DLL +++ File read error
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\FINDnFIX\LIST.TXT
WDMB.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\WINDOWS\SYSTEM32\
wdmb.dll Thu Jun 24 2004 5:25:44p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WDMB.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group FRN-U7HORNYEPQ\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x FRN-U7HORNYEPQ\Justin
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: FRN-U7HORNYEPQ\Justin

Primary Group: FRN-U7HORNYEPQ\None



»»»»»»Backups created...»»»»»»
5:55pm up 0 days, 10:49
Fri 06/25/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-25-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-25-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
fłAppInit_DLLsÖ?ęGĄ’’’C
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

5Z0:Z
Windows
AppInit
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
5swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota

**File C:\FINDnFIX\WIN.TXT
regf       Pugf


#4 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 06:13 PM

Well done!
Your bad file is positively identified on all counts!
This will take couple or more steps to fix.
Be sure to Follow the next set of steps carefully, in
the exact order specified:


-Open the FINDnFIX\Keys1 Subfolder!
- Locate the "MOVEit.bat" file,Right-Click on it,select->edit:
The file will open as text file.
-Copy and paste the entire hilited line in the following quote box
(all one line) into the 'MOVEit' file:

move %WinDir%\System32\WDMB.DLL %SystemDrive%\junkxxx\WDMB.DLL

Be sure to Replace the text in the file with the command above!

-Save the file and close.

*Get ready to restart your computer:
-In the same folder, DoubleClick on the "FIX.bat" file.
You will be prompted by popup -Alert to restart in 15 seconds.
-Allow it to restart the computer!

-On restart, Navigate to:
C:\FINDnFIX\ main folder:
-DoubleClick on the "RESTORE.bat" file.

It'll run and produce new log. (log1.txt) post it here!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#5 jakeabels1978

jakeabels1978

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 25 June 2004 - 06:22 PM

Thanks here is new log.

Fri 06/25/2004
6:21pm up 0 days, 0:01

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

*Locked files...
\\?\C:\junkxxx\WDMB.DLL +++ File read error

»»»Filtering files in System32.......( 'R;H;S') »»»
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

No matches found.

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\JUNKXXX\
wdmb.dll Thu Jun 24 2004 5:25:44p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\WDMB.DLL


Search text: ŻSTREAMINGDEVICESETUP2Ž ®CASE Insensitive Match
Searching ==>C:\JUNKXXX\WDMB.DLL
BAD or MISSING File:

Run Time(sec) 0

move %WinDir%\System32\WDMB.DLL %SystemDrive%\junkxxx\WDMB.DLL

-ra-- - - - - - 57,344 06-24-2004 wdmb.dll
A R C:\junkxxx\WDMB.DLL
File: <C:\junkxxx\WDMB.DLL>




»»Permissions:
C:\junkxxx\WDMB.DLL
Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x FRN-U7HORNYEPQ\Justin
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: FRN-U7HORNYEPQ\Justin

Primary Group: FRN-U7HORNYEPQ\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: NT AUTHORITY\SYSTEM

File "C:\junkxxx\WDMB.DLL"

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
fłAppInit_DLLsÖ?ęGĄ’’’C

---------- NEWWIN.TXT
AppInit_DLLs’’’’
**File C:\FINDnFIX\NEWWIN.TXT
Ń_åą’’’
**File C:\FINDnFIX\NEWWIN.TXT
000012F0: 01 00 00 00 01 00 76 00 . 5F 44 4C 4C 73 FF FF FF ......v. _DLLs’’’
**File C:\FINDnFIX\NEWWIN.TXT
Ń_åą’’’vk  €   5swapdisk h ° š  X Š’’’vk  ą   . TransmissionRetryTimeoutŠ’’’vk  €'   USERProcessHandleQuota ą’’’h ° š  X ˆ Ų Ų’’’vk  €   v AppInit_DLLs’’’’

#6 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 06:33 PM

:thumbsup: Great progress! :thumbsup:

Last step(s):


-Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!

When done, restart your computer,
Delete and entire 'FINDnFIX' file+folder(s)
From C:\
(*Also check that this folder: "junkxxx" is gone from C:\
It will be moved to the 'FINDnFIX' folder, but
your file is a bit pesky...)

As for the remains, run any and all
removal tools once again as they should work properly now!
In particular, CWShredder.exe and fully updated Ad-Aware!

Feel free to post follow up hijackthis log when done! :)
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#7 jakeabels1978

jakeabels1978

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 25 June 2004 - 06:41 PM

I cannot delete the Junkxxx folder it gives error message:

Cannot delete WDMB: Access is denied.

#8 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 06:48 PM

You need to run the ZipZap.bat file, first!
As indicated,...

It has commands to reset permissions and rename the file!
Do that first, restart your computer,
delete the entire C:\FINDnFIX<folder and it's contents.

Then check whether the C:\junkxxx folder is still there!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#9 jakeabels1978

jakeabels1978

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 25 June 2004 - 06:50 PM

I did run zipzap and it did rename it. it is now wdmb.111, still cannot delete

#10 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 07:02 PM

Ok... you have a *special case there!

You need to restart in Safe mode in order to have
access to security tab on files and
folders in "XP HOME EDITION"

How to take ownership of a file or folder in Windows XP

In Safe mode:
-RightClick on WDMB.111/properties
Advanced/Security/permissions \
and take ownership giving yourself 'Full control'.

-Right click the 'junkxxx' folder itself. hit properties.

-Go to the security tab and click the advanced button.

check the box to reset permissions on all child objects.

Hit apply.

ok your way out.

-Delete 'junkxxx' folder.
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#11 jakeabels1978

jakeabels1978

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 25 June 2004 - 07:12 PM

Wow everything looks fixed. Thank you very much for all your help!

#12 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 07:32 PM

Hooray!

Make sure to keep it that way! :p
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#13 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 27 June 2004 - 11:50 AM

Glad we could help :D



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button