• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
turk182

about:blank

8 posts in this topic

Help! My browser has been hijacked by the browser (about:blank). I get a popup everytime I open IE warning that I am infected with spyware/adaware. An internet dialer also appears at different times when I'm using my PC. I've tried to reset my home page numerous times. I've also downloaded and run spybot and adaware to no avail. I've read the article on browser hijacking by Mike Healan and downloaded and run Hijack This. I've tried to follow as many of the instructions as poss, the problem is I'm not too sure what to delete. If anyone can help me I would be much obliged. Here's the log.....

 

Logfile of HijackThis v1.97.7

Scan saved at 21:59:55, on 08/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton Personal Firewall\NISUM.EXE

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\system32\deinst_qfe002.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Norton Personal Firewall\ccPxySvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\wuauclt.exe

C:\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\USER~1.HOM\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\USER~1.HOM\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\USER~1.HOM\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\USER~1.HOM\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\USER~1.HOM\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\USER~1.HOM\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FB69E437-AC0F-4A51-9306-9384B52D7B4F} - C:\WINDOWS\System32\glof.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [spyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\deinst_qfe002.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/

Share this post


Link to post
Share on other sites

In hijackthis fix checked:

 

*O4 - HKLM\..\Run: [spyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe

*O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\deinst_qfe002.exe

 

Reboot, uninstall *SpyBlocs ,listed in: *Bogus Spyware Removal Tools that will do you more harm than good

and delete it's folder from program files.

Delete the C:\WINDOWS\system32\deinst_qfe002.exe< trojan as well.

 

When done,

Download and install : "FINDnFIX.exe" from any of

the links in my signature.

 

Run the "!LOG!.bat" file, wait for the final output (log.txt)

post the results....

Share this post


Link to post
Share on other sites

Many thanks for your response. Done as you asked. Here's the results of FINDnFIX....

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»»

Due to errors on various message boards I made some changes.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

If you make a mistake or use the wrong guidance, it is completely

your responsibility and the helper that assists you.

If you are not sure about the nature of the file or how

to proceed, I suggest you research it first before attempting

to remove any *unknown file on your own.

*For Helpers and/or users that are not familiar with any of the

items on the scan results- I recommend using an alternative, once

you know what to look for!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder

and is the destination for the file to be moved..

-*Previous directions will no longer work...

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q832894-Q837009-Q831167

The type of the file system is NTFS.

C: is not dirty.

 

10/07/2004

10:05pm up 0 days, 0:46

 

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs =

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group HOME-IX0MEFLBPO\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Notepad check....

 

C:\WINDOWS\

notepad.exe Thu 23 Aug 2001 13:00:00 A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

C:\WINDOWS\SYSTEM32\

notepad.exe Thu 23 Aug 2001 13:00:00 A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

C:\WINDOWS\SYSTEM32\DLLCACHE\

notepad.exe Thu 23 Aug 2001 13:00:00 A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows® Operating System

ProductVersion 5.1.2600.0

FileVersion 5.1.2600.0 (xpclient.010817-1148)

LegalCopyright © Microsoft Corporation. All rights reserved.

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050001:0a280000 (5.1:2600.0)

ProdVer: 00050001:0a280000 (5.1:2600.0)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

 

»»»»»»Backups created...»»»»»»

10:06pm up 0 days, 0:47

10/07/2004

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-10-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-10-2004 winkey.reg

 

C:\FINDNFIX\

JUNKXXX Sat 10 Jul 2004 21:58:34 .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

»»Performing string scan....

00001150: ?

00001190: vk f AppInit_

000011D0:DLLs G vk UDeviceNotSelectedTimeout

00001210: 1 5 ( W 9 0 ! vk ' zGDIProce

00001250:ssHandleQuota" vk Spooler2 y e s

00001290: 0 ` vk =pswapdisk vk

000012D0: R TransmissionRetryTimeout 0 `

00001310: vk ' USERProcessHandleQuota

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

00001590:

000015D0:

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG

--------------

--------------

No strings found.

 

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

 

[AppInitDLLs]

Ansi string : ""

0000 00 00 | ..

Share this post


Link to post
Share on other sites

Your log has no indication to the hidden reinstaller, but you do have left overs.

 

You can clean them with some of the tools in the FINDnFIX.

 

Open the C:\FINDnFIX\Files2\ Subfolder:

DoubleClick on this file: "un.exe"<

(it will just run and quit quickly)

Next, on this file: "last.reg" < Answer 'yes' to the merge prompt.

 

Restart you computer when done, search for and delete this file if exists:

WINDOWS\System32\glof.dll< (Should be gone)

 

Go to start/run/type: (or copy and paste)

%temp%

hit 'ok'

Empty entire contents of temp folder.

 

Re-run hijackthis and fix check any of the following-- if still exist:

 

*In the-R1/R0- Section:

lines that end with... "Temp\sp.html" And "about:blank"

*In O2 - BHO-Section: line, with refs to... "glof.dll" (or file missing)

 

Delete the entire FINDnFIX folder/Subfolders from C:\

 

 

Post fresh hijackthis log when done!

Share this post


Link to post
Share on other sites

Followed your instructions. Everything seems to be ok. Browser home page is back, no pop-ups and no dialer. Here's hopefully the last hijack this log. Again many thanks.

 

Logfile of HijackThis v1.97.7

Scan saved at 21:52:00, on 11/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton Personal Firewall\NISUM.EXE

C:\Program Files\Norton Personal Firewall\ccPxySvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\wuauclt.exe

C:\HJT.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/

Share this post


Link to post
Share on other sites

Glad we could help :D

 

To help keep you clean follow the recommendations in Tony's article here:

 

So how did I get infected in the first place?

 

 

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0