johnnycrash

CWS about:blank

4 posts in this topic

I have had some version of the about:blank issue for a week or so now.

I can't find a working link to findnfix to kill hlp.dll. If I could, I think I could finally clean this crap off.

Symptoms I noticed:

notepad.exe renamed, copied, moved.

about:blank got taken over, my start page rerouted to it. You would change it and it would be reset.

Ad-Aware, Spybot, etc. couldn't get it off.

I killed so many processes, temp installers, strange executables, etc., to finally get that to stop happening, but still had some weirdness.

Noticed googletoolbar2 instead of 1. Reinstalled Google, and got 1.

System would use 500 MB RAM doing something.

Non-existent hlp.3d dll that has a trojan in it (NOD32). It is either hidden from me by security or moved after startup, or something else. I can't find it.

I can't find a good link to findnfix to kill hlp.dll.

I split this out as a separate topic. Please do not hijack someone else's thread.

Download *HijackThis!*

http://209.133.47.12/~merijn/files/HijackThis.exe

http://downloads.net-integration.net/HijackThis.exe

http://www.computercops.biz/downloads-file-328.html

Unzip to a folder other than your Desktop or the Temp folder. Then double-click HijackThis.exe and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents here.

Most of what it lists will be harmless or even essential, so don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

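The reply above asks for a HijackThis log but leaves the reading of it to the helpers. As an added example that is not part of the thread or of HijackThis itself, here is a small PowerShell triage pass over the "O" lines such a log contains. The sample lines are copied from the log posted later in this thread; the function name and the flagging rules (nameless BHOs, DPF entries with no download URL, custom protocol handlers, hosts-file entries, autoruns outside Program Files or Windows) are my own first-pass heuristics, not HijackThis rules, and a flagged line still needs a human to decide.

```powershell
# Added example: first-pass triage of HijackThis "O" lines in PowerShell.
# Sample lines below are copied from the log in this thread (constructed input).
$sampleLog = @'
O1 - Hosts: ; 65.102.226.238 ospdc
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} -
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
'@ -split "`r?`n"

function Get-HjtFinding {
    # Returns one object per line that deserves a second look (hypothetical helper name).
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '^(O\d+) - (.*)$') { continue }
        $type, $rest = $Matches[1], $Matches[2]
        $reason = $null
        switch ($type) {
            'O1'  { $reason = 'Hosts file entry: confirm you added it yourself' }
            'O2'  { if ($rest -match '^BHO: \(no name\)') { $reason = 'Browser Helper Object with no name' } }
            'O16' { if ($rest -match '-\s*$') { $reason = 'Downloaded ActiveX (DPF) with no source URL' } }
            'O18' { $reason = 'Custom protocol handler: check the DLL belongs to installed software' }
            'O4'  {
                # Autorun whose executable lives outside Program Files or the Windows directory.
                if ($rest -match '\] "?([A-Za-z]:\\[^"]+?\.(exe|dll))') {
                    $path = $Matches[1]
                    if ($path -notmatch '^[A-Za-z]:\\(Program Files|Windows)\\') {
                        $reason = "Autorun outside Program Files/Windows: $path"
                    }
                }
            }
        }
        if ($reason) {
            [pscustomobject]@{ Type = $type; Reason = $reason; Line = $line }
        }
    }
}

Get-HjtFinding -Lines $sampleLog | Format-Table -AutoSize -Wrap
```

With the sample above, the Google Toolbar BHO, the NOD32 autorun and the SideStep cab with a URL pass quietly; the hosts entry, the nameless BHO, the URL-less DPF entry and the ms-help protocol handler are listed for review. Pipe a real log in with `Get-Content hijackthis.log | Get-HjtFinding` (the function takes the lines as a parameter, so wrap it as `Get-HjtFinding -Lines (Get-Content hijackthis.log)`).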

I'm new to forums and I read the rules. I shouldn't have posted this into an existing thread that was talking about using those tools? OK, I got it. Thanks for replying. I did finally get HijackThis after a day or so, and findnfix today finally.

I'm sure I have a variety of the CWS, but not too many people are talking about it.

It started with about:blank and some search page that I cannot remember anymore. I tried so many things to get this off -- I didn't save too much of what was going on. Notepad was renamed to notepad.exe.bak. Media Player was similarly renamed. I started noticing massive memory loss on the computer. After an hour or so, I'd be using 600 MB of RAM, when I normally use 200. The memory loss was associated with svchost and whatever it was running, and explorer itself. Google Toolbar was googletoolbar2.dll.

I ran Ad-Aware, Spybot S&D, and BHODemon with the latest updates and got most of the problem taken care of. I installed TeaTimer, the resident part of S&D, and SpywareGuard and SpywareBlaster. I checked all the Run, RunOnce, RunServices, RunServicesOnce entries - nothing. I checked startup - nothing. I killed all the BHOs I had no idea about and reinstalled googletoolbar. I installed ZoneAlarm. I deleted temp dirs. I deleted all installers, .inf files and registered COM objects from the time the virus showed up. I deleted the AppInit_DLLs entry (rename the key Windows to Windows2, then delete AppInit_DLLs, and then rename Windows2 back to Windows). The file I had in AppInit_DLLs was hlp.dll. Norton Antivirus let it through unchecked. I ditched Norton and got NOD32. NOD32 identifies it as a Win32/Agent.AC trojan, but NOD32 could not remove it - it was "not there" (c:\windows\system32\hlp.dll) according to NOD32. Sure enough, a dir scan showed nothing (I have show hidden/system etc. turned on). I found a post on the web about running findnfix to get rid of it, but I couldn't download it. On further searching I saw the problem was related to the local security policy not showing files with certain security attributes missing. I changed the local security policy and saw the file. Tried to delete it, couldn't - of course it was in use. I changed its security attributes, and used DrDelete to get rid of it. I ran About:Buster for the heck of it and it found nothing.

But hlp.dll comes back from time to time. I don't have the memory loss, and there are fewer svchosts running, so I think the nasty part of the virus is under control, but the installer is still active. I got hold of Agent Ransack and found all sorts of hidden temp directories on my computer and deleted all of them. I reinstalled Windows Media Player since it seemed damaged at the same time the virus attack started (based upon the .bak extension and the date of hlp.dll being nearly the same).

HijackThis shows the hlp protocol assigned to C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll, but I can't get rid of the protocol setting. I changed the name of the DLL to hxds.dll.old so it won't run. However, I am not sure this is a virus, since I have .NET and Visual Studio installed and they do something with help, don't they?

But hlp.dll still comes back from time to time.

Another thing I noticed just now when trying to get the HijackThis log: if I right-click on HijackThis' shortcut, I get no context menu. All other files give me one... I can run HijackThis.

Here is the findnfix log:

 

 

»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»

--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder

and is the destination for the file to be moved..

-*Previous directions will no longer work...

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q330994-Q824145-3283-Q832894-Q837009-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

Tue 20 Jul 04 15:00:09

3:00pm up 0 days, 1:21

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided should help narrow down the list, and hopefully

pinpoint the culprit.

Along with that,registry scan logged at the end should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

*For *Helpers/Mods and/or users that are not familiar with any of the

items on the scan results- I recommend using an alternative, once

you know what to look for!

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/20)»»»»»»»»»»»»»»»»

 

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»»»(*6*)»»»»»

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access CRASH\jfranco

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access CRASH\jfranco

 

 

»»Member of...: (Admin logon required!)

User is a member of group CRASH\None.

User is a member of group \Everyone.

User is a member of group CRASH\Debugger Users.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

 

»»»»»»Backups created...»»»»»»

3:06pm up 0 days, 1:27

Tue 20 Jul 04 15:06:32

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-20-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 268 07-20-2004 winkey.reg

*Temp backups...

.

..

keyback2.hi_

winkey2.re_

 

 

C:\FINDNFIX\

JUNKXXX Tue Jul 20 2004 3:00:04p .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

»»Performing string scan....

00001150: $ ? MdI. % G

00001190: MdI. % G MdI. % G

000011D0: vk | DeviceNotSelectedTimeout 1 5

00001210: 1 5 vk ' GDIProcessHandleQuota z

00001250: 9 0 vk S Spooler_ y e s |

00001290: vk swapdisk ` vk

000012D0: P 5TransmissionRetryTimeout vk ' tr

00001310:USERProcessHandleQuota| `

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

00001590:

000015D0:

 

---------- WIN.TXT

--------------

--------------

$011F0: DeviceNotSelectedTimeout

$01238: GDIProcessHandleQuota

$012E0: TransmissionRetryTimeout

$0130E: trUSERProcessHandleQuota

--------------

--------------

No strings found.

 

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value entry was NOT found!

 

 

Here is the current HijackThis log:

 

Logfile of HijackThis v1.98.0

Scan saved at 3:29:07 PM, on 7/20/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\WEBCAC~1.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\BHODemon\BHODemon.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\System32\taskmgr.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Mythicsoft\Agent Ransack\AgentRansack.exe

C:\Program Files\Security Task Manager\TaskMan.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\HijackThis\HijackThis.exe

 

O1 - Hosts: ; 65.102.226.238 ospdc

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon\BHODemon.exe

O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon\BHODemon.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0D4B9606-1FEF-43B0-B76E-43150B060AEB} (JPEG2000 Decoder ActiveX) - http://www.algovision-luratech.com/download/bin/jp2x.cab

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab

O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} -

O16 - DPF: {5283742E-A26D-4B6C-81A1-3111705D4C95} -

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} -

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://openscantech.webex.com/client/lates...bex/ieatgpc.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Openscan.local

O17 - HKLM\Software\..\Telephony: DomainName = Openscan.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Openscan.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Openscan.local

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

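The post above describes two things by hand: clearing the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (the load point that pulled hlp.dll into every GUI process), and a file in System32 that stayed out of `dir` and the antivirus scan until the poster changed a local security policy setting and the file's security attributes. As an added example, not part of the thread, FINDnFIX or HijackThis, here is a PowerShell audit of both: it reads the AppInit_DLLs list and the ACL on that key (the same key the FINDnFIX log dumps with RegDACL above), and it lists System32 files that carry a Deny access-control entry. The function names are mine; the assumption that a Deny ACE is one way such a file becomes invisible to ordinary tools is my reading of the poster's description, not something the thread confirms. It needs PowerShell 3 or later and an elevated prompt, so it will not run on the XP box in the thread as-is.

```powershell
# Added example: audit the AppInit_DLLs load point and look for ACL-hidden files
# in System32. Run elevated; PowerShell 3+ (Get-ChildItem -File).
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDlls {
    # Hypothetical helper: report what AppInit_DLLs would load and who may write the key.
    param([string]$Key = $winKey)
    $props = Get-ItemProperty -Path $Key
    # AppInit_DLLs is a space- or comma-separated list loaded by user32.dll into
    # every process that loads user32. An empty list is the clean state.
    $raw  = [string]$props.AppInit_DLLs
    $dlls = @($raw -split '[ ,]+' | Where-Object { $_ })
    [pscustomobject]@{
        AppInit_DLLs     = $dlls
        # LoadAppInit_DLLs exists on Vista and later only; it is $null on XP.
        LoadAppInit_DLLs = $props.LoadAppInit_DLLs
        # Who can change the key: compare with the RegDACL dump in the FINDnFIX log.
        KeyAcl           = @((Get-Acl -Path $Key).Access | ForEach-Object {
            '{0} {1} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.RegistryRights
        })
    }
}

function Find-AclHiddenFile {
    # Hypothetical helper: files whose ACL contains a Deny entry, or whose ACL
    # cannot be read at all. Neither is normal for a file shipped in System32.
    param([string]$Dir = "$env:SystemRoot\System32")
    Get-ChildItem -Path $Dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) {
            [pscustomobject]@{ File = $_.FullName; Modified = $_.LastWriteTime
                               Attrib = $_.Attributes; DenyFor = '(ACL unreadable)' }
            return
        }
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($deny.Count -gt 0) {
            [pscustomobject]@{ File = $_.FullName; Modified = $_.LastWriteTime
                               Attrib = $_.Attributes
                               DenyFor = (($deny | ForEach-Object { $_.IdentityReference }) -join ', ') }
        }
    }
}

Get-AppInitDlls | Format-List
Find-AclHiddenFile | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Two caveats. A value that regedit cannot display may be invisible to Get-ItemProperty as well, so an empty AppInit_DLLs together with a key size that differs from the defaults the FINDnFIX log quotes is still worth treating as suspect rather than clean. And a Deny entry or an unreadable ACL is a lead, not a verdict: take the file's owner, timestamps and a hash before deleting anything, and clear the deny entry (or take ownership) only after you have decided the file is not yours, since the poster's own experience shows the loader will simply put it back while the installer component is still running.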