Jump to content


Photo

About:Blank CoolWebSearch Can't Kill It


  • Please log in to reply
1 reply to this topic

#1 lorenb

lorenb

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 28 June 2004 - 11:17 AM

Hello Everyone, and thanks in advance for the help!

Much like most other people here, I have been cursed with the about:blank trojan/virus/whatever. I have read through a ton of posts and tried a variety of ways to get rid of it with no luck. AdAware professional picks it up, but it keeps coming back. I thought I found the hidden DLL, it was named IADHIDE5.DLL, so I went into safe mode, deleted it, and it's visible counterpart, and I thought I was successful, but after about 30 minutes, my homepage was hijacked again. CWS does not detect it, and quarantining the files with norton corporate did nothing.

I ran hijack this, and destroyed the typical files, but it keeps returning. I am posting a log, after cleaning out the R1 files, I am hoping that someone will spot what I am missing and point me in the right direction.

Logfile of HijackThis v1.97.7
Scan saved at 12:01:21 PM, on 6/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\S24EvMon.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\LDCLIENT\LOCALSCH.EXE
C:\WINNT\system32\cba\pds.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
E:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\LDClient\wuser32.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\1XConfig.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\WTablet\TabUserW.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Deposit\Deposit.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\bachmanl\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B44F91F6-9043-457E-AE0D-419D4C004DF4} - C:\WINNT\system32\njkgf.dll (file missing)
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Inventory Scan.LNK = C:\LDClient\LDISCN32.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
O4 - Global Startup: Task Completion.LNK = C:\LDClient\AMCLIENT.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://stpshrapp01/c...rces/msddsc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...AB?38091.505625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


THANK YOU!!
-Loren

#2 lorenb

lorenb

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 28 June 2004 - 11:51 AM

Ok, I downloaded FindNFix and identified the trouble file, but I still can't seem to remove it, here is the findNfix log, anyone have a suggestion?


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Mon 06/28/2004
12:34am up 0 days, 0:02

Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
Scanning for file(s)...

»»»»»»» (1) »»»»»»»
\\?\C:\WINNT\System32\WDMCDEO.DLL +++ File read error

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT
WDMCDEO.DLL Can't Open!

»»»»»»» (3) »»»»»»»

C:\WINNT\SYSTEM32\
wdmcdeo.dll Wed Jun 23 2004 10:24:16a A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\WDMCDEO.DLL

»»»*»»» Scanning for moved file... »»»*»»»

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



Search text: ŻSTREAMINGDEVICESETUP2Ž ®CASE Insensitive Match
No Files to Search

Run Time(sec) 0

move %WinDir%\System32\RESJ.DLL %SystemDrive%\junkxxx\wdmcdeo.dll


»»Permissions:
Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: BUILTIN\Administrators

Primary Group: CORP\Domain Users

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINNT\\system32\\wdmcdeo.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = C:\WINNT\system32\wdmcdeo.dll

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
ogAppInit_DLLsonv

---------- NEWWIN.TXT
!AppInit_DLLsi\13Ą’’’C
**File C:\FINDnFIX\NEWWIN.TXT
       
**File C:\FINDnFIX\NEWWIN.TXT
00001330: 01 00 00 00 01 00 21 01 . 5F 44 4C 4C 73 69 5C 31 ......!. _DLLsi\1
**File C:\FINDnFIX\NEWWIN.TXT
        ą’’’Š  H x ˜ ą  Š’’’vk     0 DeviceNotSelectedTimeoutč’’’1 5  `å °å čå Š’’’vk  €'   0 GDIProcessHandleQuota 0 ą’’’vk  h   0 Spooler š’’’y e s , 0 ą’’’vk  €   r swapdiskČ’’’vk  Š   T TransmissionRetryTimeout 23š’’’9 0  `č Č’’’vk  €'   S USERProcessHandleQuotae s’’’’’’’Ų’’’vk < @   !AppInit_DLLsi\13Ą’’’C : \ W I N N T \ s y s t e m 3 2 \ w d m c d e o . d l l € ’’’’




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button