• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
cyberlady

About:Blank has struck

4 posts in this topic

:wtf: My significant other's machine has been struck by a browser hijacker. I've gone to Spywareinfo.com and completed every step/download shown there. This has not helped and every time he opens IE or AOL About:blank tries to take over. He even purchased and ran SpyKiller and cleaned the machine but that didn't help either. I sure hope you can help. I'm out of options here...

 

Here is the HijackThis log for his machine:

 

Logfile of HijackThis v1.97.7

Scan saved at 12:12:19 PM, on 7/3/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINNT\system32\dla\tfswctrl.exe

C:\Program Files\ahead\InCD\InCD.exe

C:\WINNT\system32\ICO.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINNT\system32\Pelmiced.exe

C:\WINNT\system32\NILaunch.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\SpyKiller\spykiller.exe

C:\MSOffice\Office\1033\OLFSNT40.EXE

C:\Palm\HOTSYNC.EXE

C:\Palm\AlarmApp.exe

C:\lotus\organize\easyclip.exe

C:\MSOffice\Office\1033\msoffice.exe

C:\Browser Hijack Blaster\bhblaster.exe

C:\Download\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINNT\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINNT\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINNT\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINNT\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll

O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {CB790D7D-986F-43C1-957C-52F920A221DC} - C:\WINNT\system32\cccdbfa.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [uC_Start] C:\IBMTools\Updater\ucstartup.exe

O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Net-It Launcher] C:\WINNT\system32\NILaunch.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe

O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe

O4 - Startup: Browser Hijack Blaster (no splash).lnk = C:\Browser Hijack Blaster\bhblaster.exe

O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\MSOffice\Office\1033\OLFSNT40.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Quicken\bagent.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/answerw...SWebManager.CAB

O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/accoun...bles/ie/IDA.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7912.6083912037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312

Share this post


Link to post
Share on other sites

Thanks for taking the time to look at my problem. I downloaded a fresh copy of CWShredder and ran it from it's own directory. Here is the HijackThis Log following that run:

 

Logfile of HijackThis v1.97.7

Scan saved at 7:22:19 PM, on 7/13/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINNT\system32\dla\tfswctrl.exe

C:\Program Files\ahead\InCD\InCD.exe

C:\WINNT\system32\ICO.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINNT\system32\Pelmiced.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINNT\system32\NILaunch.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\SpyKiller\spykiller.exe

C:\MSOffice\Office\1033\OLFSNT40.EXE

C:\Palm\HOTSYNC.EXE

C:\Palm\AlarmApp.exe

C:\lotus\organize\easyclip.exe

C:\Browser Hijack Blaster\bhblaster.exe

C:\MSOffice\Office\1033\msoffice.exe

C:\Download\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINNT\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll

O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [uC_Start] C:\IBMTools\Updater\ucstartup.exe

O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Net-It Launcher] C:\WINNT\system32\NILaunch.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe

O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe

O4 - Startup: Browser Hijack Blaster (no splash).lnk = C:\Browser Hijack Blaster\bhblaster.exe

O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\MSOffice\Office\1033\OLFSNT40.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Quicken\bagent.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/answerw...SWebManager.CAB

O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/accoun...bles/ie/IDA.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7912.6083912037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312

Share this post


Link to post
Share on other sites

It looks better but there's still some lingering signs of infection.

 

Boot your computer into Safe Mode How do I boot into Safe Mode? and run a new HijackThis scan. Mark these items for removal:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINNT\TEMP\sp.html

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

 

R3 - Default URLSearchHook is missing

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

 

Now, while still in Safe Mode, run CWShredder again.

 

Reboot normally, run another HJT scan, and post it here for further review.

 

 

One note about Spykiller - it is considered a Bogus anti-spyware program - see: http://www.spywarewarrior.com/rogue_anti-spyware.htm

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0