about:blank & Spyware detected popups


3 replies to this topic

#1 morey

    Member

  • New Member
  • 2 posts

Posted 21 May 2004 - 12:09 AM

:blink:

I am bewildered. I never thought that this could happen. I am using several spyware killers and they all say that they clear up the problems, but when I reset my computer, IE gets all hosed up again. I went as far as trying to uninstall IE and then reload it, but the problems still exist. My home page gets redirected to a URL called about:blank, and the IE browser sets me up with a search page I have never seen before. At least it is not porn yet! :rolleyes:

My HijackThis log is:

Logfile of HijackThis v1.97.7
Scan saved at 10:58:44 PM, on 5/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\ITvpnclient-403D\cvpnd.exe
D:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\NavNT\vptray.exe
D:\Program Files\SETI@home\SETI@home.exe
C:\Documents and Settings\WindowsUser.ATHLON64\Desktop\FreeRAM XP Pro 1.40.exe
D:\Program Files\MSI\Core Center\CoreCenter.exe
D:\Program Files\Quicken\bagent.exe
D:\Program Files\One Guy Coding\Automachron\achron.exe
C:\Documents and Settings\WindowsUser.ATHLON64\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {00B67283-22A1-43BA-979B-CDABECE1B550} - C:\WINNT\system32\nocacea.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] D:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [seticlient] D:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\WindowsUser.ATHLON64\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Automachron.lnk = D:\Program Files\One Guy Coding\Automachron\achron.exe
O4 - Startup: MailWasher.lnk = D:\Program Files\MailWasher\MailWasher.exe
O4 - Global Startup: CoreCenter.lnk = D:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Sun Microsystems Next Gen VPN.lnk = C:\Program Files\ITvpnclient-403D\vpngui.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = D:\Program Files\Quicken\bagent.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)


I appreciate anybody's effort in helping me eliminate this before I wipe the disk and start over with all the installations.

Morey

#2 cadaverlab

    Member

  • Full Member
  • 23 posts

Posted 21 May 2004 - 12:29 AM

This is the CW trojan that I've had which I term "homeoldsp."

The bad news: This is one of the HARDEST buggers to get rid of.

The good news: It can be done.

Such intimidating terms as "superhidden file" are used throughout the removal process. I was able to use several links to help me eliminate the problem. There is no point for me to rewrite what they say:

http://www.spywarinf...showtopic=43492
http://www.wildersse...440&postcount=4

Both are very good. I followed the instructions word for word, and it fixed the problem completely. The real trick is finding the superhidden dll file in your system32 directory AND removing the reference in that appinit_dll registry entry. Follow directions in those posts. Use the programs they reference:

Reglite
AND
dllfix.exe

Now for the specifics:

Delete this file, in safe mode if necessary:
C:\WINNT\system32\nocacea.dll

Now, delete these entries using hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {00B67283-22A1-43BA-979B-CDABECE1B550} - C:\WINNT\system32\nocacea.dll


This will probably be enough. Hope it goes okay.
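As an added, defender-side example that is not from this thread or from HijackThis itself, the Python script below reads log lines in the format morey posted and does the correlation cadaverlab does by hand: it groups the R0/R1 entries whose data is a `res://` URL by the DLL that URL reads from, attaches the O2 BHO entry that loads the same DLL, and emits the two steps given above (delete the DLL, then fix the listed lines in HijackThis). A `res://` URL serves an HTML page stored as a resource inside a local DLL, which is why a search page that never came from the network shows up as a file in system32. The sample input is constructed: the hijack lines are the thread's own, while the normal Start Page, the Acrobat BHO and the Radio toolbar are benign entries added to show what is left alone. All function and variable names are my own.

```python
import re

# Constructed sample input in HijackThis v1.97 log format. The R0/R1/O2 hijack
# lines are the ones posted in this thread; the Start Page, Acrobat BHO and
# Radio toolbar entries are benign lines added here for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nocacea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {00B67283-22A1-43BA-979B-CDABECE1B550} - C:\WINNT\system32\nocacea.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
"""

# R0/R1 lines: "<R0|R1> - <registry key>,<value name> = <data>"
R_ENTRY = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_ENTRY = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# res:// URL that serves an HTML resource out of a DLL: capture the DLL path
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)[/\\]", re.IGNORECASE)
OBFUSCATED = " (obfuscated)"   # marker HijackThis appends to encoded values


def triage(log_text):
    """Group R0/R1 entries by the DLL their res:// data points into, then attach
    any O2 BHO that loads the same DLL. Returns a dict with:
      dlls      - {lower-cased dll path: {"path": str, "lines": [raw lines]}}
      homeoldsp - R lines for the HomeOldSP value the hijacker leaves behind
      unflagged - every other non-empty line, so nothing is silently dropped
    """
    report = {"dlls": {}, "homeoldsp": [], "unflagged": []}
    pending_bho = []
    for raw in (ln.strip() for ln in log_text.splitlines()):
        if not raw:
            continue
        m = R_ENTRY.match(raw)
        if m:
            data = m.group("data")
            if data.endswith(OBFUSCATED):
                data = data[: -len(OBFUSCATED)]
            hit = RES_DLL.match(data)
            if hit:
                dll = hit.group("dll")
                bucket = report["dlls"].setdefault(dll.lower(), {"path": dll, "lines": []})
                bucket["lines"].append(raw)
                continue
            if m.group("name").strip().lower() == "homeoldsp":
                report["homeoldsp"].append(raw)
                continue
        b = O2_ENTRY.match(raw)
        if b:
            pending_bho.append((b.group("path").strip().lower(), raw))
            continue
        report["unflagged"].append(raw)
    # Second pass: a BHO is only flagged here if it is the DLL behind the res:// URLs.
    for path, raw in pending_bho:
        if path in report["dlls"]:
            report["dlls"][path]["lines"].append(raw)
        else:
            report["unflagged"].append(raw)
    return report


def removal_plan(report):
    """Turn the triage into the two steps the thread gives: the DLL to delete
    (in safe mode if it is in use) and the HijackThis lines to fix."""
    files = [d["path"] for d in report["dlls"].values()]
    lines = [ln for d in report["dlls"].values() for ln in d["lines"]]
    lines += report["homeoldsp"]
    return {"files_to_delete": files, "lines_to_fix": lines}


if __name__ == "__main__":
    plan = removal_plan(triage(SAMPLE_LOG))
    print("Delete (safe mode if needed):")
    for f in plan["files_to_delete"]:
        print("  ", f)
    print("Fix with HijackThis:")
    for ln in plan["lines_to_fix"]:
        print("  ", ln)
```

The correlation between the R entries and the O2 entry is the useful part: the registry values are the symptom, while the BHO is what gets loaded into Internet Explorer and can put them back after a cleaner resets them, which is the behaviour morey describes. The further step cadaverlab points to, the AppInit_DLLs value and the superhidden copy of the file, is registry and filesystem state that does not appear in the log, so the script stops at what the log contains.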

#3 cadaverlab

    Member

  • Full Member
  • 23 posts

Posted 21 May 2004 - 12:31 AM

Messed up the link:
http://www.spywarein...showtopic=43492

#4 morey

    Member

  • New Member
  • 2 posts

Posted 24 May 2004 - 08:27 PM

Thanks! Your instructions worked perfectly and I have been Trojan free for 4 days now. You guys are the best!


SpywareInfo Forum (member of ASAP and UNITE)