• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
lorenb

About:Blank CoolWebSearch Can't Kill It

2 posts in this topic

Hello Everyone, and thanks in advance for the help!

 

Much like most other people here, I have been cursed with the about:blank trojan/virus/whatever. I have read through a ton of posts and tried a variety of ways to get rid of it with no luck. AdAware professional picks it up, but it keeps coming back. I thought I found the hidden DLL, it was named IADHIDE5.DLL, so I went into safe mode, deleted it, and it's visible counterpart, and I thought I was successful, but after about 30 minutes, my homepage was hijacked again. CWS does not detect it, and quarantining the files with norton corporate did nothing.

 

I ran hijack this, and destroyed the typical files, but it keeps returning. I am posting a log, after cleaning out the R1 files, I am hoping that someone will spot what I am missing and point me in the right direction.

 

Logfile of HijackThis v1.97.7

Scan saved at 12:01:21 PM, on 6/28/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\S24EvMon.exe

C:\Program Files\Aventail\Connect\as32svc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Connected\AgentSrv.EXE

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\LDCLIENT\LOCALSCH.EXE

C:\WINNT\system32\cba\pds.exe

C:\WINNT\system32\drivers\KodakCCS.exe

C:\Program Files\NavNT\rtvscan.exe

E:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

C:\WINNT\system32\RegSrvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ScsiAccess.EXE

C:\WINNT\system32\ZCfgSvc.exe

C:\WINNT\system32\Tablet.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\LDClient\wuser32.exe

C:\WINNT\system32\cba\xfr.exe

C:\WINNT\system32\MsgSys.EXE

C:\WINNT\system32\1XConfig.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\NavNT\vptray.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\WINNT\system32\WTablet\TabUserW.exe

C:\Program Files\Connected\CBSysTray.exe

C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Program Files\Deposit\Deposit.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Documents and Settings\bachmanl\Desktop\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {B44F91F6-9043-457E-AE0D-419D4C004DF4} - C:\WINNT\system32\njkgf.dll (file missing)

O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe

O4 - Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Inventory Scan.LNK = C:\LDClient\LDISCN32.EXE

O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe

O4 - Global Startup: Task Completion.LNK = C:\LDClient\AMCLIENT.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open Client to monitor &1 - C:\WINNT\web\AOpenClient.htm

O8 - Extra context menu item: Open Client to monitor &2 - C:\WINNT\web\AOpenClient.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)

O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://stpshrapp01/corporate/Portal/resources/msddsc.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...AB?38091.505625

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

THANK YOU!!

-Loren

Share this post


Link to post
Share on other sites

Ok, I downloaded FindNFix and identified the trouble file, but I still can't seem to remove it, here is the findNfix log, anyone have a suggestion?

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Mon 06/28/2004

12:34am up 0 days, 0:02

 

Microsoft Windows 2000 [Version 5.00.2195]

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s)...

 

»»»»»»» (1) »»»»»»»

\\?\C:\WINNT\System32\WDMCDEO.DLL +++ File read error

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

WDMCDEO.DLL Can't Open!

 

»»»»»»» (3) »»»»»»»

 

C:\WINNT\SYSTEM32\

wdmcdeo.dll Wed Jun 23 2004 10:24:16a A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINNT\SYSTEM32\WDMCDEO.DLL

 

»»»*»»» Scanning for moved file... »»»*»»»

 

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

 

Search text: ÝSTREAMINGDEVICESETUP2Þ ®CASE Insensitive Match

No Files to Search

 

Run Time(sec) 0

 

move %WinDir%\System32\RESJ.DLL %SystemDrive%\junkxxx\wdmcdeo.dll

 

 

»»Permissions:

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

 

Owner: BUILTIN\Administrators

 

Primary Group: CORP\Domain Users

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: BUILTIN\Administrators

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINNT\\system32\\wdmcdeo.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs = C:\WINNT\system32\wdmcdeo.dll

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

ogAppInit_DLLsonv

 

---------- NEWWIN.TXT

!AppInit_DLLsi\13ÀÿÿÿC

**File C:\FINDnFIX\NEWWIN.TXT

**File C:\FINDnFIX\NEWWIN.TXT

00001330: 01 00 00 00 01 00 21 01 . 5F 44 4C 4C 73 69 5C 31 ......!. _DLLsi\1

**File C:\FINDnFIX\NEWWIN.TXT

àÿÿÿÐ H x ˜ à Ðÿÿÿvk 0 DeviceNotSelectedTimeoutèÿÿÿ1 5 `å °å èå Ðÿÿÿvk €' 0 GDIProcessHandleQuota 0 àÿÿÿvk h 0 Spooler ðÿÿÿy e s , 0 àÿÿÿvk € r swapdiskÈÿÿÿvk Ð T TransmissionRetryTimeout 23ðÿÿÿ9 0 `è Èÿÿÿvk €' S USERProcessHandleQuotae sÿÿÿÿÿÿÿØÿÿÿvk < @ !AppInit_DLLsi\13ÀÿÿÿC : \ W I N N T \ s y s t e m 3 2 \ w d m c d e o . d l l € ÿÿÿÿ

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0