CWS about:blank



#1 johnnycrash


Posted 15 July 2004 - 03:01 PM

I have had some version of the about:blank issue for a week or so now.

I can't find a working link to findfix to kill hlp.dll. If I could, I think I could finally clean this crap off.

Symptoms I noticed:
notepad.exe renamed, copied, moved.

blank:about got taken over, my start page rerouted to it. You would change it and it would be reset.

Ad-Aware, Spybot, etc. couldn't get it off.

I killed so many processes, temp installers, strange executables, etc., to finally get that to stop happening, but still had some weirdness.

Noticed googletoolbar2 instead of 1. Reinstalled Google, and got 1.

System would use 500 MB RAM doing something.

Non-existent hlp.3d dll that has a trojan in it (NOD32). It is either hidden from me by security or moved after startup, or something else. I can't find it.

I can't find a good link to findfix to kill hlp.dll.

#2 johnnycrash


Posted 15 July 2004 - 03:02 PM

That would be hlp.dll, not hlp 3d.dll. Sorry.

#3 LoPhatPhuud


Posted 15 July 2004 - 04:55 PM

I split this out as a separate topic. Please do not hijack someone else's thread.

Download *Hijack This!*
http://209.133.47.12.../HijackThis.exe
http://downloads.net.../HijackThis.exe
http://www.computerc...s-file-328.html

Unzip to a folder other than your Desktop or the Temp folder. Then, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that and copy & paste its contents here.

Most of what it lists will be harmless or even essential; don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

Microsoft MVP Windows-Security 2005

When angry count four; when very angry, swear

#4 johnnycrash


Posted 20 July 2004 - 04:34 PM

I'm new to forums and I read the rules. I shouldn't have posted this into an existing thread that was talking about using those tools? Ok, I got it. Thanks for replying. I did finally get HijackThis after a day or so, and findnfix today finally.

I'm sure I have a variety of the CWS, but not too many people are talking about it.

It started with about:blank and some search page that I cannot remember anymore. I tried so many things to get this off -- I didn't save too much of what was going on. Notepad was renamed to notepad.exe.bak. Media Player was similarly renamed. I started noticing massive memory loss on the computer. After an hour or so, I'd be using 600 MB of RAM, when I normally use 200. The memory loss was associated with svchost and whatever it was running, and explorer itself. Google toolbar was googletoolbar2.dll.

I ran Ad-Aware, Spybot S&D, BHODemon with latest updates and got most of the problem taken care of. I installed TeaTimer, the resident part of S&D, and SpywareGuard and SpywareBlaster. I checked all the Run, RunOnce, RunServices, RunServicesOnce entries - nothing. I checked Startup - nothing. I killed all the BHOs I had no idea about and reinstalled Google Toolbar. I installed ZoneAlarm. I deleted temp dirs. I deleted all installers, and inf files and registered COM objects from the time the virus showed up. I deleted the appinit_dlls entry (rename the key Windows to Windows2, then delete appinit_dlls, and then rename Windows2 back to Windows). The file I had in appinit_dlls was hlp.dll. Norton AntiVirus let it through unchecked. I ditched Norton and got NOD32. NOD32 identifies it as a Win32/Agent.AC trojan, but NOD32 could not remove it - it was "not there (c:\windows\system32\hlp.dll)" according to NOD32. Sure enough a dir scan showed nothing (I have show hidden system etc. turned on). I found a post on the web about running findnfix to get rid of it, but I couldn't download it. Further searching, I saw the problem was related to the local security policy not showing files with certain security attributes missing. I changed the local security policy and saw the file. Tried to delete it, couldn't - of course it was in use. I changed its security attributes, and used drdelete to get rid of it. I ran About:Buster for the heck of it and it found nothing.

But hlp.dll comes back from time to time. I don't have the memory loss, and there are fewer svchosts running, so I think the nasty part of the virus is under control, but the installer is still active. I got a hold of Agent Ransack and found all sorts of hidden temp directories on my computer and deleted all of them. I reinstalled Windows Media Player since it seemed damaged at the same time the virus attack started (based upon the .bak extension and the date of hlp.dll being nearly the same).

HijackThis shows the hlp protocol assigned to C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll but I can't get rid of the protocol setting. I changed the name of the dll to hxds.dll.old so it won't run. However I am not sure this is a virus, since I have .NET and Visual Studio installed and they do something with help, don't they?

But hlp.dll still comes back from time to time.

Another thing I noticed just now when trying to get the HijackThis log: if I right-click on HijackThis's shortcut, I get no context menu. All other files give me one... I can run HijackThis.


Here is findnfix log:


»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q330994-Q824145-3283-Q832894-Q837009-Q831167-Q823353
The type of the file system is NTFS.
C: is not dirty.

Tue 20 Jul 04 15:00:09
3:00pm up 0 days, 1:21

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
*For *Helpers/Mods and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/20)»»»»»»»»»»»»»»»»

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

»»»»»(*6*)»»»»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access CRASH\jfranco
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access CRASH\jfranco


»»Member of...: (Admin logon required!)
User is a member of group CRASH\None.
User is a member of group \Everyone.
User is a member of group CRASH\Debugger Users.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


»»»»»»Backups created...»»»»»»
3:06pm up 0 days, 1:27
Tue 20 Jul 04 15:06:32

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-20-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-20-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Tue Jul 20 2004 3:00:04p .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: $ ? MdI. % G
00001190: MdI. % G MdI. % G
000011D0: vk | DeviceNotSelectedTimeout 1 5
00001210: 1 5 vk ' GDIProcessHandleQuota z
00001250: 9 0 vk S Spooler_ y e s |
00001290: vk swapdisk ` vk
000012D0: P 5TransmissionRetryTimeout vk ' tr
00001310:USERProcessHandleQuota| `
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
--------------
--------------
$011F0: DeviceNotSelectedTimeout
$01238: GDIProcessHandleQuota
$012E0: TransmissionRetryTimeout
$0130E: trUSERProcessHandleQuota
--------------
--------------
No strings found.

--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value entry was NOT found!



Here is current hijack this log:

Logfile of HijackThis v1.98.0
Scan saved at 3:29:07 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WEBCAC~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\BHODemon\BHODemon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mythicsoft\Agent Ransack\AgentRansack.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: ; 65.102.226.238 ospdc
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0D4B9606-1FEF-43B0-B76E-43150B060AEB} (JPEG2000 Decoder ActiveX) - http://www.algovisio...ad/bin/jp2x.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...DjVuControl.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} -
O16 - DPF: {5283742E-A26D-4B6C-81A1-3111705D4C95} -
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://openscantech...bex/ieatgpc.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Openscan.local
O17 - HKLM\Software\..\Telephony: DomainName = Openscan.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Openscan.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Openscan.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
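As an added example (not code from this thread, from HijackThis or from FindnFix), the parser below turns log lines like the ones in the post above into records, so a helper can ask which entries reference a given file, the question johnnycrash was answering by hand for hlp.dll and hxds.dll. The sample lines are copied from this log; the function names are mine.

```python
import re

# Constructed sample: six lines copied from the HijackThis v1.98 log above.
SAMPLE_LOG = """\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\\WINDOWS\\Downloaded Program Files\\SbCIe028.dll
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\\WINDOWS\\Downloaded Program Files\\SbCIe028.dll
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Non-greedy up to the first module/file extension, so paths with spaces survive.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx|cab|lnk)", re.IGNORECASE)


def parse_hjt(text):
    """Turn each 'Oxx - ...' line into a dict with section, CLSID and file path."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list and blank lines are skipped
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append({
            "section": section,
            "clsid": clsid.group(0).upper() if clsid else None,
            "path": path.group(0) if path else None,
            "raw": line,
        })
    return entries


def references(entries, filename):
    """Sections of every entry whose path ends in filename (case-insensitive)."""
    wanted = filename.lower()
    return [e["section"] for e in entries
            if e["path"] and e["path"].lower().split("\\")[-1] == wanted]


def dpf_without_source(entries):
    """O16 (Downloaded Program Files) entries that record no download URL."""
    return [e for e in entries
            if e["section"] == "O16" and e["raw"].rstrip().endswith(" -")]
```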



