Sailor

About blank: Please help


Hi, I am looking for help removing the About Blank start page. I originally got this a while ago; I formatted my HDD and reinstalled XP Pro SP1a, but now it's back again. AVG detected Trojan Backdoor.agent BA in Windows\System32\D3Di.dll, and Notepad stopped working.

AVG could not remove it, so I downloaded and ran Registrar Lite and deleted the key: HKLM\software\microsoft\windowsNT\currentversion\Windows\Appinit_dlls

I used KillBox to delete the d3di.dll file.

I ran HijackThis and removed all of the offending IE entries, then rescanned to confirm they are gone; the next time I run HJT they are all back again. IE still comes up with the about:blank start page no matter how many times it is reset to Google.

CWShredder detects CWS SearchX, but it fails to remove it. I have checked the registry and the AppInit_dll key has not come back.

I have downloaded and installed all the Windows updates, and I have installed and run Spybot S&D, TrojanHunter, a-squared Trojan Remover, Spy Sweeper etc., to no avail.

Spy Sweeper keeps telling me that my home page has been reset and asking if I agree to the change. I click No, but when I open IE about:blank is back again.

I would be grateful for any advice or help in removing this thing without going for a reformat of the disk again.

Thanks in advance

************

Logfile of HijackThis v1.95.0

Scan saved at 14:42:09, on 28/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Anti-Spyware\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm

O2 - BHO: (no name) - {049A7A8F-DF3C-4CD3-A940-3A180F0CCB63} - C:\WINDOWS\System32\dmj.dll

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"

O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

 

*********

 

The Trojan is found by AVG Free as:

C:\windows\System32\d3di.dll


You need to update HijackThis to its current version: 1.97.7 (or 1.98.0).

Your version has been outdated for many months!

 

When done-

Download and install : "FINDnFIX.exe" from any of

the links in my signature.

 

Run the "!LOG!.bat" file, wait for the final output (log.txt)

post the results....


Thanks for your help,

this is my log:

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

05/07/2004

2:49pm up 0 days, 0:04

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access HOME\Austin

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access HOME\Austin

 

 

»»Member of...: (Admin logon required!)

User is a member of group HOME\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[SC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[SC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x HOME\Austin

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: HOME\Austin

 

Primary Group: HOME\None

 

 

 

»»»»»»Backups created...»»»»»»

2:51pm up 0 days, 0:06

05/07/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 07-05-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 268 07-05-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Windows

DeviceNotSelectedTimeout

GDIProcessHandleQuota

imeout

Spooler

swapdisk

TransmissionRetryTimeout

USERProcessHandleQuotace

 

**File C:\FINDnFIX\WIN.TXT


I downloaded HJT version 1.95.

I also tried "About Buster" by Rubber Ducky; this seemed to work, but a few moments later the start page changed back to about:blank.

 

Thanks for taking time to help me out

 

 

 

Logfile of HijackThis v1.95.0

Scan saved at 15:18:49, on 05/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\NOTEPAD.EXE

C:\Anti-Spyware\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=file://C:\DOCUME~1\Austin\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\system32\blank.htm

O2 - BHO: (no name) - {C52C7D75-91F0-440E-BF71-EAA8971A7175} - C:\WINDOWS\System32\dmj.dll

O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Let me explain:

 

Your log indicates that you renamed the Windows key before.

Your security settings on that key are lost...

"so I downloaded and ran Registrar Lite, deleted the key: HKLM\software\microsoft\windowsNT\currentversion\Windows\Appinit_dlls"

 

 

FINDnFIX can no longer help since it backs up your current settings.

 

If you look at this section on your log...

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

And compare with defaults key for XP(pro)...

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

As seen here...

http://www.spywareinfoforum.com/index.php?showtopic=12588&st=0

Yours have the (ID-NI) and (ID-IO) flags,

which means InheriteD, so that key is now

shared among all as a non-secured key.

You can repair this by running secedit commands.

Since it's a bit techie and involves individual settings, I won't get into

this at this point.

Anyone who renamed the Windows key without backing up the

.hiv and restoring it will have these side effects on

Win2k to WinXP Pro. (This won't affect XP Home as much.)

In most cases it won't matter but random 'permissions'

errors may pop up in the future.

-----------------------------------------------------------------------------------

Next, the leftovers you have are the BHO + search pages only.

The actual file is gone.

Open the FINDnFIX\Files2\Subfolder and click on this file:

-un.exe (that's the uninstaller for the BHO)

Next click on this file:

-last.reg, answer 'yes' to the prompt.

Restart your computer and delete the FINDnFIX

folder and empty junkxxx folder in C:\

 

Search for this file and delete if found:

-dmj.dll

In HijackThis fix all R1/R0/O2/O6 lines if left.

Clean your temp folder from start/run/type:

%temp%

Reset your home page and IE settings to defaults-

And you should be all set.

 

P.S:

1.) 'AboutBuster' doesn't target this variant, but another.

2.) HijackThis is now at version 1.98.0 as previously explained.

Edited by freeatlast

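The triage freeatlast applies above can be written down as rules: R0/R1 entries whose search or start page points at a file:// path in a temp folder, an O2 BHO with no name, O6 policy keys that lock IE's options, and RegDACL ACEs carrying the ID flag, which are inherited from the parent key rather than the explicit ACEs a stock key has (a key that is deleted or renamed and re-created only gets the parent's inheritable ACEs). The script below is an added Python example and is not part of this thread, of HijackThis or of FINDnFIX; the sample log and ACL lines are constructed in the shape of the ones posted here (the Adobe BHO line is a made-up benign entry for contrast), and the verdict rules are this thread's heuristics, not HijackThis's own logic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of a HijackThis 1.9x log. Lines 1, 4 and 7
# mirror the indicators posted in this thread; the rest are benign entries
# included for contrast (the Adobe BHO line is a made-up but typical entry).
SAMPLE_HJT_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar=file://C:\\DOCUME~1\\Austin\\LOCALS~1\\Temp\\sp.html
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page=C:\\WINDOWS\\system32\\blank.htm
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page=http://www.google.com/
O2 - BHO: (no name) - {C52C7D75-91F0-440E-BF71-EAA8971A7175} - C:\\WINDOWS\\System32\\dmj.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [AVG_CC] C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP
O6 - HKLM\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel present
O9 - Extra button: Related (HKLM)
"""

# Constructed sample in the shape of the RegDACL dump posted in this thread.
# ID marks an ACE inherited from the parent key; a stock key shows (NI)/(IO).
SAMPLE_ACL_DUMP = """\
(ID-NI) ALLOW Read BUILTIN\\Users
(ID-IO) ALLOW Read BUILTIN\\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\\Power Users
(ID-NI) ALLOW Full access BUILTIN\\Administrators
(ID-IO) ALLOW Full access BUILTIN\\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\\SYSTEM
(ID-NI) ALLOW Full access HOME\\Austin
(ID-IO) ALLOW Full access CREATOR OWNER
"""

HJT_LINE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# R0/R1 bodies look like "<hive>\<key>,<value name>=<data>"
R_LINE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+)=(?P<data>.*)$")
# O2 bodies look like "BHO: <name> - {CLSID} - <dll path>"
BHO_LINE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)


def triage_hjt_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (code, verdict, reason) per HijackThis line.

    Verdicts: 'fix' (hijack indicator from this thread), 'review'
    (needs a human look) or 'info' (no rule matched).
    """
    findings = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        verdict, reason = "info", ""
        if code in ("R0", "R1"):
            r = R_LINE.match(body)
            data = r.group("data") if r else body
            if data.lower().startswith("file://") or TEMP_DIR.search(data):
                verdict, reason = "fix", "IE search/start page points at a local file in a temp folder"
        elif code == "O2":
            b = BHO_LINE.match(body)
            if b and b.group("name") == "(no name)":
                verdict, reason = "fix", "unnamed BHO loading " + b.group("path")
            elif b:
                verdict, reason = "review", "named BHO " + b.group("name")
        elif code == "O6":
            verdict, reason = "fix", "IE options locked by a Policies key (keeps the hijacked home page in place)"
        findings.append((code, verdict, reason))
    return findings


ACE_LINE = re.compile(
    r"^\((?P<flags>[A-Z-]+)\) (?P<type>ALLOW|DENY) "
    r"(?P<rights>Read|Full access|[A-Z-]{10}) (?P<who>.+)$")


def parse_regdacl(text: str) -> List[Dict[str, object]]:
    """Parse the ACE lines of a RegDACL 'Access Control List' dump."""
    aces = []
    for raw in text.splitlines():
        m = ACE_LINE.match(raw.strip())
        if m:
            aces.append({**m.groupdict(),
                         "inherited": "ID" in m.group("flags").split("-")})
    return aces


def key_acl_lost(text: str) -> bool:
    """True when every ACE is inherited: the key carries none of the explicit
    ACEs a stock key has, which is what a deleted/renamed and re-created key looks like."""
    aces = parse_regdacl(text)
    return bool(aces) and all(a["inherited"] for a in aces)


def extra_write_principals(text: str) -> List[str]:
    """Principals other than Administrators/SYSTEM/CREATOR OWNER holding more
    than Read on the key (the stock XP Pro ACL in this thread gives Power Users Read only)."""
    trusted = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}
    out: List[str] = []
    for a in parse_regdacl(text):
        if a["type"] == "ALLOW" and a["rights"] != "Read" and a["who"] not in trusted and a["who"] not in out:
            out.append(a["who"])
    return out


if __name__ == "__main__":
    for code, verdict, reason in triage_hjt_log(SAMPLE_HJT_LOG):
        print(code, verdict, reason)
    print("Windows key ACL entirely inherited:", key_acl_lost(SAMPLE_ACL_DUMP))
    print("Principals with more than Read:", extra_write_principals(SAMPLE_ACL_DUMP))
```

Feed it a real HijackThis log and the "Access Control List for Registry key" section of a FINDnFIX log; anything marked 'fix' corresponds to the R0/R1/O2/O6 lines freeatlast tells the poster to remove, and a fully inherited ACL is the condition he describes as needing a secedit repair rather than another FINDnFIX run.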

Right on the money, Freeatlast.

It took about 5 minutes to fix; this contrasts with the hours I spent crashing around in the dark. I am a sysadmin on a small network where issues like this are dealt with by re-imaging with Ghost, but I find that lots of my friends are having problems with spyware and it's getting worse, so I would like to learn more and have signed up for Boot Camp.

Many thanks to you and your colleagues who give up their time to help people like me.
