About blank: Please help


6 replies to this topic

#1 Sailor

    Member

  • Full Member
  • 6 posts

Posted 30 June 2004 - 03:36 AM

Hi, I am looking for help removing the About Blank startpage. I originally got this a while ago; I formatted my HDD & reinstalled XP Pro SP1a, but now it's back again. AVG detected Trojan Backdoor.agent BA in Windows\System32\D3Di.dll, notepad stopped working,
AVG could not remove it, so I downloaded and ran Registrar lite, deleted the key: HKLM\software\microsoft\windowsNT\currentversion\Windows\Appinit_dlls

I used Kill box to delete the d3di.dll file

I ran HijackThis and removed all of the offending IE entries, rescanned to confirm they are gone; the next time I run HJT they are all back again. IE still comes up with the about blank startpage no matter how many times it is reset to Google.

CWS Shredder detects CWS SearchX, but it fails to remove it. I have checked the registry and the AppInit_dll key has not come back.
I have downloaded and installed all the Windows updates. I have installed and run Spybot S&D, Trojan Hunter, A-Squared Trojan Remover, Spysweeper etc., to no avail.
Spysweeper keeps telling me that my home page has been reset and asking if I agree to the change; I click No, but when I open IE about Blank is back again.
I would be grateful for any advice or help in removing this thing without going for a reformat of the disk again.
Thanks in advance





************
Logfile of HijackThis v1.95.0
Scan saved at 14:42:09, on 28/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Anti-Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm
O2 - BHO: (no name) - {049A7A8F-DF3C-4CD3-A940-3A180F0CCB63} - C:\WINDOWS\System32\dmj.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

*********

The Trojan is found by AVG Free as;
C:\windows\System32\d3di.dll

#2 Sailor

    Member

  • Full Member
  • 6 posts

Posted 04 July 2004 - 12:45 PM

Bump

#3 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 04 July 2004 - 01:13 PM

You need to update HijackThis to its current version: 1.97.7 (or 1.98.0).
Your version is outdated by many months!

When done-
Download and install : "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt)
post the results....

#4 Sailor

    Member

  • Full Member
  • 6 posts

Posted 05 July 2004 - 09:11 AM

Thanks for your help,
this is my log:


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

05/07/2004
2:49pm up 0 days, 0:04

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...



»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access HOME\Austin
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access HOME\Austin


»»Member of...: (Admin logon required!)
User is a member of group HOME\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x HOME\Austin
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: HOME\Austin

Primary Group: HOME\None



»»»»»»Backups created...»»»»»»
2:51pm up 0 days, 0:06
05/07/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-05-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-05-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
DeviceNotSelectedTimeout
GDIProcessHandleQuota
imeout
Spooler
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuotace

**File C:\FINDnFIX\WIN.TXT


#5 Sailor

    Member

  • Full Member
  • 6 posts

Posted 05 July 2004 - 09:21 AM

I downloaded HJT Version 1.95.
I also tried "About Buster" by Rubber Ducky; this seemed to work, but a few moments later the startpage changed back to about Blank.

Thanks for taking time to help me out



Logfile of HijackThis v1.95.0
Scan saved at 15:18:49, on 05/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Anti-Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm
O2 - BHO: (no name) - {C52C7D75-91F0-440E-BF71-EAA8971A7175} - C:\WINDOWS\System32\dmj.dll
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#6 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 05 July 2004 - 11:49 AM

Let me explain:

Your log indicates that you renamed the windows key before.
Your security settings on that key are lost... :scratchhead:

"so I downloaded and ran Registrar lite, deleted the key: HKLM\software\microsoft\windowsNT\currentversion\Windows\Appinit_dlls"


FINDnFIX can no longer help since it backs up your current settings.

If you look at this section on your log...
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

And compare with defaults key for XP(pro)...

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
As seen here...
http://www.spywarein...opic=12588&st=0

Yours have the -
(ID-NI)
(ID-IO)
Which means InheriteD so that key is now
shared among all as non-secured key.
You can repair this by running secedit commands.
Since it's a bit techie and involves individual settings, I won't get into
this at this point.
Anyone who renamed the Windows key w/o backing up the
hiv and restoring will have these side effects.
Win2k-WinXPPro. (This won't affect XP'home' as much)
In most cases it won't matter but random 'permissions'
errors may pop up in the future.
-----------------------------------------------------------------------------------
Next, the leftovers you have are the bho +search pages only.
The actual file is gone.
Open the FINDnFIX\Files2\Subfolder and click on this file:
-un.exe (that's uninstaller for the bho)
Next click on this file:
-last.reg , answer 'yes' to the prompt.
Restart your computer and delete the FINDnFIX
folder and empty junkxxx folder in C:\

Search for this file and delete if found:
-dmj.dll
In HijackThis fix all R1/R0/O2/O6 lines if left.
Clean your temp folder from start/run/type:
%temp%
Reset your home page and IE settings to defaults-
And you should be all set.

P.S:
1.) 'AboutBuster' doesn't target this variant, but another.
2.) hijackthis is now at version 1.98.0 as previously explained... :scratchhead:

Edited by freeatlast, 05 July 2004 - 11:57 AM.

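An added checker, not code from the thread, FINDnFIX or RegDACL: it parses RegDACL lines like the ones quoted above, reports which ACEs carry the ID (inherited) flag, diffs them against the XP Pro default listing freeatlast posted, and interprets the "Size of Windows key" figure from the FINDnFIX log using the thresholds that log prints. Both ACL strings are copied from the posts; the code only reads text and never touches the registry.

```python
import re

# Constructed input: the two RegDACL listings quoted in the thread (poster's key, XP Pro default).
POSTER_ACL = r"""
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access HOME\Austin
(ID-IO) ALLOW Full access CREATOR OWNER
"""
DEFAULT_ACL = r"""
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access CREATOR OWNER
"""
# flags in parentheses, ALLOW/DENY, a permission (may contain one space), then the trustee
ACE_RE = re.compile(r"^\((?P<flags>[A-Z-]+)\)\s+(?P<action>ALLOW|DENY)\s+"
                    r"(?P<perm>Full access|Read|\S+)\s+(?P<trustee>.+?)\s*$")

def parse_acl(text):
    """One (inherited, scope, action, perm, trustee) tuple per ACE line; ID flag = inherited."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            flags = m["flags"].split("-")
            aces.append(("ID" in flags, "NI" if "NI" in flags else "IO",
                         m["action"], m["perm"], m["trustee"]))
    return aces

def unexpected_aces(text, default_text=DEFAULT_ACL):
    """ACEs present on the key but absent from the default listing (inheritance flag ignored)."""
    default = {a[1:] for a in parse_acl(default_text)}
    return sorted(a[1:] for a in parse_acl(text) if a[1:] not in default)

def windows_key_size_status(size):
    """Interpret FINDnFIX's 'Size of Windows key' figure using the thresholds it prints."""
    known = {450: "default", 398: "AppInit_DLLs value absent"}
    return known.get(size, "matches a known infected key" if size in (448, 504, 512) else "unrecognised")
```

On the poster's listing every ACE is inherited and three entries (Power Users with QWCEN-DS-- twice, HOME\Austin with Full access) are not in the default, which is the condition freeatlast describes.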

#7 Sailor

    Member

  • Full Member
  • 6 posts

Posted 06 July 2004 - 09:09 AM

Right on the money Freeatlast,

It took about 5 minutes to fix; this contrasts with the hours I spent crashing around in the dark. I am a sysadmin on a small network where issues like this are dealt with by re-imaging with Ghost, but I find that lots of my friends are having problems with spyware and it's getting worse, so I would like to learn more and have signed up for Boot Camp.

Many thanks to you and your colleagues who give up their time to help people like me.



