Help! I've been hijacked by about:blank



#1 WOliver73

Posted 26 June 2004 - 04:56 PM

I've been hijacked by about:blank. I've done the virus scan, Ad Aware and Spybot but it keeps on returning. My only guess is that the problem is embedded in another file somewhere. There's this file called ifETCOMM.dll that I can't seem to delete.

Logfile of HijackThis v1.97.7
Scan saved at 2:40:25 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TrojanHunter 3.9\THGuard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {67B66DC1-FD58-4736-9952-C58B716AAA25} - C:\WINDOWS\System32\dig.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8151.5051388889
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 dgosling

Posted 26 June 2004 - 07:55 PM

You have a new CoolWebSearch infection. These infections are new and sometimes very difficult to get rid of. Please follow all the instructions in order to see if we can successfully remove it. Having all windows closed when running each program is very important and rebooting after each program is also vital to removing this pest.

First of all I need you to make sure all hidden files are showing. Please do the following:

Go to start>control panel>folder options>view (tab) and choose to "show hidden files and folders," uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes. Close the window with OK.



1. Download and install APM from: http://www.diamondcs...ex.php?page=apm

2. Next you need to use HijackThis to fix the entries in your log file.
Close all windows except HijackThis and scan with HJT. Put a check mark beside each of the following entries:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


R3 - Default URLSearchHook is missing


O2 - BHO: (no name) - {67B66DC1-FD58-4736-9952-C58B716AAA25} - C:\WINDOWS\System32\dig.dll


O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)


O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab



3. Click 'fix checked'

4. REBOOT to finish removing the entries

5. Close HijackThis and Open APM

6. With all other windows closed, in the upper window select explorer.exe

7. In the lower window find and rightclick the BHO from the HijackThis log

O2 - BHO: (no name) - {67B66DC1-FD58-4736-9952-C58B716AAA25} - C:\WINDOWS\System32\dig.dll


8. Select 'Unload DLL' and click OK on the prompts that follow.

9. REBOOT to finish removal

10. Please download CWShredder from the following site: http://www.spywarein.../CWShredder.exe

11. Check for Updates to CWShredder

12. CLOSE ALL WINDOWS except CWShredder

13. Run the program by clicking 'fix' and letting it fix all CWS remnants.

14. REBOOT to finish the removal and clear memory.

15. Download Ad-Aware from the link at the bottom of this post and set it up according to the directions at 'How To Setup Spybot SD and Ad-Aware' from the link at the bottom of this post

16. After updating the reference file in Ad-Aware scan and let it fix everything it finds. This step is very important to remove the association between the pest and your internet protocols.

17. Please go to Panda Online AV scan and scan your entire computer for viruses/trojans and let it fix what it finds. Panda has recently added definitions which will help get rid of this pest.

18. Once the online AV scan is complete, SCAN again with HijackThis and POST a new log file here in this thread to find out what is left to clean.

If you have any questions about any part of this fix please post in this thread using Add Reply and I will give you answers.
Microsoft MVP Windows Security 2005-2007
Proud Member of ASAP Since 2004 (http://www.asap.maddoktor2.com)
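
An added example (not part of either post, and not HijackThis's own logic): a small Python triage pass over entries copied from the log in post #1. The three heuristics it applies (an IE setting pointing at a `file://` path under TEMP, an unnamed BHO or toolbar, an entry reporting `(no file)`) are assumptions chosen to match several of the entries flagged in the reply; they do not reproduce the helper's full list.

```python
import re

# Constructed sample: entries copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {67B66DC1-FD58-4736-9952-C58B716AAA25} - C:\WINDOWS\System32\dig.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_ITEM = re.compile(r"^(BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")

def parse(log):
    """Yield (section, body) for every 'XN - ...' line; skip everything else."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return (section, reason, body) for entries matching the assumed heuristics."""
    findings = []
    for section, body in parse(log):
        if section in ("R0", "R1"):
            # Registry entries have the form 'key,value = data'.
            _, _, data = body.partition(" = ")
            if data.lower().startswith("file://") and "\\temp\\" in data.lower():
                findings.append((section, "IE setting points at a local file in TEMP", body))
        elif section in ("O2", "O3"):
            m = CLSID_ITEM.match(body)
            if not m:
                continue
            kind, name, clsid, path = m.groups()
            if path == "(no file)":
                findings.append((section, f"{kind} {clsid} reports (no file)", body))
            elif name == "(no name)":
                findings.append((section, f"unnamed {kind} {clsid} loads {path}", body))
    return findings

if __name__ == "__main__":
    for section, reason, _ in triage(SAMPLE_LOG):
        print(section, reason)
```

A hit is only a prompt for manual review of that entry; legitimate components can also appear without a name.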



