removing about:blank spyware/malware


11 replies to this topic

#1 itsanakedrockstar (Full Member, 9 posts)

Posted 23 May 2004 - 03:36 AM

I think there is a spyware/malware that keeps hijacking my Internet Explorer to an about:blank search page. I've run Ad-Aware, CWShredder, and HijackThis repeatedly for a few days now, but it keeps coming back after a few hours. I don't know too much about this, so if there is a way to fix this I'll need to be told step by step, but any help is greatly appreciated.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Size : 27
Value : C:\WINNT\system32\wdmc.dll

HijackThis log
Note: the .dll file keeps changing its name every time it comes back.

Logfile of HijackThis v1.97.7
Scan saved at 1:22:36, on 2004/05/23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\WinMX\WinMX.exe
C:\WINNT\explorer.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\imejpmgr.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Registrar Lite\rl.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {FC45F5A1-6B6D-4A30-AF73-0732ECF1D515} - C:\WINNT\system32\mejil.dll


Find-all log
--==***@@@ 'FIND-ALL' VERSION 6.2 -5/22 @@@***==--


Sun May 23 01:34:43 2004 -- Results:
*System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "Local Disk" (84F1:B51A) - FS:NTFS clusters:4k
Total: 61 664 890 880 [57G] - Free: 2 138 841 088 [2.0G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:


*PC uptime:
1:34am up 3 days, 2:48

*Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\WDMC.DLL +++ File read error
\\?\C:\WINNT\System32\WDMC.DLL +++ File read error


*Tasks (services):
0 System Process
8 System
176 SMSS.EXE
200 CSRSS.EXE Title:
196 WINLOGON.EXE Title: NetDDE Agent
256 SERVICES.EXE Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,TrkWks,Wmi
268 LSASS.EXE Svcs: NtLmSsp,PolicyAgent,SamSs
452 svchost.exe Svcs: RpcSs
484 CCSETMGR.EXE Svcs: ccSetMgr
516 CCEVTMGR.EXE Svcs: ccEvtMgr
656 spoolsv.exe Svcs: Spooler
692 msdtc.exe Svcs: MSDTC
804 avgserv.exe Svcs: AvgServ
824 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
844 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
876 AppServices.exe Svcs: Iomega App Services
904 NAVAPSVC.EXE Svcs: navapsvc
936 nvsvc32.exe Svcs: NVSvc
1020 regsvc.exe Svcs: RemoteRegistry
1076 SAVSCAN.EXE Svcs: SAVScan
1116 mstask.exe Svcs: Schedule
1136 tcpsvcs.exe Svcs: SimpTcp
1204 SNMP.EXE Svcs: SNMP
1256 symlcsvc.exe Svcs: Symantec Core LC
1272 WinMgmt.exe Svcs: WinMgmt
1288 svchost.exe Svcs: wuauserv
1588 jusched.exe Title: OleMainThreadWndName
1620 svchost.exe Svcs: BITS
552 aim.exe Title: orokabakabaka's Buddy List Window
1692 msnmsgr.exe Title: MSN Messenger
2680 daemon.exe Title: Virtual DAEMON Manager V3.44
7260 WinMX.exe Title: WinMX v3.31 - 1 DL @ 8,787 B/s 1 UL @ 1,949 B/s <Online 4:58:47>
12612 explorer.exe Title: Program Manager
13276 btdownloadgui.e Title: 44.1% (284.08 MiB) MIGICHOCO - BitTorrent T-0.0.1 (BitTornado)
13156 internat.exe Title:
13168 imejpmgr.exe Title: MSIME98 Manager
21880 btdownloadgui.e Title: 31.3% (54.95 MiB) [Aoi-Anime]_Ragnarok_the_Animation_-_07_[679A5B74].avi - BitTorrent T-0.0.1 (BitTornado)
21952 btdownloadgui.e Title: 40.7% (69.80 MiB) [Aoi-Anime]_Ragnarok_the_Animation_-_06_[B5586533].avi - BitTorrent T-0.0.1 (BitTornado)
22000 IEXPLORE.EXE Title: SWI Forums -> Posting New Topic - Microsoft Internet Explorer
23184 CMD.EXE Title: C:\WINNT\system32\cmd.exe
22972 NTVDM.EXE
22312 rl.exe Title: Registrar
14600 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC45F5A1-6B6D-4A30-AF73-0732ECF1D515}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{540D9333-CED2-4ED8-A2B5-C0C15901D42D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{540D9333-CED2-4ED8-A2B5-C0C15901D42D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


*ACLs list for *.* in 'junk' folder: (if exist)
*Contents of file(s) in 'junk' folder:

Sun May 23 01:34:48 2004 -- *Find-All 'Windows'.hiv list:
A C:\Find-All\Find-All\winBackup.hiv
A C:\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
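The log above shows the whole pattern at once: IE's search and start pages redirected to a page stored inside a DLL (`res://...\mejil.dll/sp.html`), a nameless Browser Helper Object pointing at the same DLL, and a second DLL wired in through `AppInit_DLLs`, which is loaded into every process that links user32.dll and so survives the usual tool runs. The following Python triage script is an added example for this page, not part of HijackThis, Find-All or any other tool the thread uses; it parses the R0/R1 and O2 lines of a HijackThis 1.97-style log with the heuristic just described (a rule set written for this example, not a published signature) and collects the DLL paths the entries point at. The sample lines are copied from the first post's log.

```python
"""Triage a HijackThis 1.97-style log for the about:blank / AppInit_DLLs
hijack pattern discussed in this thread.

Added example for this page: it is not part of HijackThis, Find-All or any
tool the posts mention. The rule set (flag search/start pages served from a
res:// DLL resource, about:blank start pages, nameless BHOs and a non-empty
AppInit_DLLs value) is this example's own heuristic, not a published
signature.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the first post's HJT log, plus
# the AppInit_DLLs data the poster reported separately.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {FC45F5A1-6B6D-4A30-AF73-0732ECF1D515} - C:\WINNT\system32\mejil.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
"""
SAMPLE_APPINIT = r"C:\WINNT\system32\wdmc.dll"

# "R0/R1 - <key>,<value name> = <data>"
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# res://<dll>/<page>: a start page rendered from a resource inside a local DLL
RES_URL = re.compile(r"res://(?P<dll>[^/]+\.dll)", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    # Lower-cased paths of the DLLs the suspicious entries point at; these are
    # the files to locate on disk (the ones the thread has the user move out).
    dll_paths: set = field(default_factory=set)


def triage_hjt(log_text: str, appinit_dlls: str = "") -> Triage:
    """Return the suspicious entries in a HJT log plus the DLLs they reference."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            data = m.group("data").strip()
            res = RES_URL.search(data)
            if res:
                t.findings.append(Finding(line, "IE search/start page served from a local DLL resource"))
                t.dll_paths.add(res.group("dll").lower())
            elif data.lower().startswith("about:blank"):
                t.findings.append(Finding(line, "IE start/search page set to about:blank"))
            continue
        m = O2_LINE.match(line)
        if m and m.group("name").strip().lower() == "(no name)":
            t.findings.append(Finding(line, "Browser Helper Object with no name"))
            t.dll_paths.add(m.group("path").strip().lower())
    # A DLL listed in AppInit_DLLs is loaded into every process that links
    # user32.dll, which is why this hijack survived repeated tool runs.
    if appinit_dlls.strip():
        t.findings.append(Finding("AppInit_DLLs = " + appinit_dlls, "non-empty AppInit_DLLs value"))
        t.dll_paths.add(appinit_dlls.strip().lower())
    return t


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_LOG, SAMPLE_APPINIT)
    for f in result.findings:
        print(f"[{f.reason}] {f.line}")
    print("DLLs to locate on disk:", sorted(result.dll_paths))
```

Run on the sample it reports five findings and two distinct DLLs (mejil.dll and wdmc.dll); the benign O4 entry is ignored. The DLL list is the useful output for a helper: it is what Find-All's "Locked or 'Suspect' file(s)" section and the later move-to-Junk step are aimed at.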


#2 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 23 May 2004 - 06:56 AM

Use the Registrar Lite program again. Copy and paste the key below into reglite's address bar and hit 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Right-click on the Windows key in the left pane and rename it to something else - for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

Double-click the "Appinit_Dlls" value in the right pane and erase the data in the 'Value' box at the bottom of the new pane. The data to remove will be:

"C:\WINNT\System32\wdmc.dll", hit 'Apply' and 'Ok' to set.

Rename 'NotWindows' back to 'Windows' in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the wdmc.dll in C:\WINNT\System32.

Using Explorer, go to your root drive C:\ and create a new folder named 'Junk'. Unzip and run Winfile from there. Open it up, click File > Move...

Copy and paste this into the 'From' box: C:\WINNT\System32\wdmc.dll
Copy and paste this into the 'To' box: C:\Junk\wdmc.dll

Hit OK. Close Winfile and check in C:\Junk for that file - let me know. If it's there, re-run AAW and CWShredder - make sure you have the latest updates. Reboot when done. Run HJT and post a new log for the next steps.

#3 itsanakedrockstar (Full Member, 9 posts)

Posted 23 May 2004 - 05:39 PM

Thanks for the quick reply.
wdmc.dll is in the Junk folder.

New HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 15:39:53, on 2004/05/23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

#4 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 23 May 2004 - 05:56 PM

Good, I need to see a full log though - looks like some got cut off.

Also, could you try to delete the C:\Junk folder - this may be difficult, let me know how you get on.

#5 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 23 May 2004 - 05:57 PM

If you can't delete it, try this: boot into Safe Mode by tapping F8 after the BIOS has loaded. Right-click on C:\Junk\wdmc.dll, go to the Security tab > Advanced and take ownership, giving yourself 'Full control' (preferably to the Administrators 'group'). Right-click the C:\Junk folder and hit Properties. Click on the Security tab, then the Advanced button. Check the box that says 'Reset permissions on all child objects'. Hit Apply.

You should now be able to delete the file and folder.

#6 itsanakedrockstar (Full Member, 9 posts)

Posted 23 May 2004 - 06:20 PM

I deleted the Junk folder in Safe Mode and re-ran HijackThis.

Logfile of HijackThis v1.97.7
Scan saved at 16:19:12, on 2004/05/23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

#7 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 24 May 2004 - 02:22 AM

OK, just have HJT fix this entry:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Also, renaming the "Windows" key may have modified some security settings. Start Registrar Lite. Copy and paste the following text into the Address Bar and press 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Right-click on the purple Windows folder in the left pane.
Select 'Properties'.
Press 'Permissions'.
Press 'Advanced'.
Remove Check Mark from 'Inherit permissions...'.
Press 'Copy'.
Highlight the group 'Everyone' (note: if this group does not exist then exit Reglite)
Select 'Remove'.
Press 'Apply' and 'OK' on all dialog boxes.

Reboot and you should be good to go.
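The permission clean-up in this post is easy to check from the kind of listing Find-All already produced in the first post (the RegDACL "Access Control List" block). The script below is an added example for this page, not part of RegDACL, Find-All or Registrar Lite: it parses that listing, flags any ACE for Everyone and any non-Read grant to a principal other than Administrators, SYSTEM or CREATOR OWNER, and compares two listings so that an entry which silently comes back after a reboot stands out. The clean listing is copied from the first post; the tampered one is constructed for illustration, and the only rights the parser understands are the two that appear on the page ("Read" and "Full access").

```python
r"""Audit a RegDACL-style ACL listing of the
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key and spot
permissions that came back after a reboot.

Added example for this page; it is not part of RegDACL, Find-All or
Registrar Lite. The line format "(NI|IO) ALLOW <right> <principal>" is taken
from the Find-All output in the first post; the rights understood are the two
that appear there ("Read" and "Full access"); the tampered listing below is
constructed for illustration.
"""
import re

ACE_LINE = re.compile(r"^\((?P<scope>NI|IO)\) (?P<kind>ALLOW|DENY) (?P<right>Read|Full access) (?P<who>.+)$")

# Principals that legitimately hold Full access on this key in the clean listing.
PRIVILEGED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM", "CREATOR OWNER"}

# Clean listing, copied from the Find-All output in the first post.
CLEAN_ACL = r"""
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
"""

# Constructed: the same key with an Everyone entry of the kind this post has
# the user remove, plus Users upgraded to Full access.
TAMPERED_ACL = CLEAN_ACL + r"""
(NI) ALLOW Full access Everyone
(IO) ALLOW Full access Everyone
(NI) ALLOW Full access BUILTIN\Users
"""


def parse_acl(text):
    """Return the ACEs as (scope, kind, right, principal) tuples."""
    aces = []
    for line in text.splitlines():
        m = ACE_LINE.match(line.strip())
        if m:
            aces.append((m["scope"], m["kind"], m["right"], m["who"]))
    return aces


def audit_acl(text):
    """List ACEs that let something other than admins/SYSTEM write this key."""
    problems = []
    for scope, kind, right, who in parse_acl(text):
        if kind != "ALLOW":
            continue
        if who.lower() == "everyone":
            problems.append(f"({scope}) Everyone granted {right}: remove")
        elif right != "Read" and who not in PRIVILEGED:
            problems.append(f"({scope}) {who} granted {right}: reduce to Read")
    return problems


def reverted_entries(after_edit_listing, after_reboot_listing):
    """ACEs missing from the listing saved right after editing but present again later.

    The next post reports that removed entries come straight back; anything
    returned here means something is still re-applying the permissions, so the
    DLL clean-up has not actually stuck.
    """
    return sorted(set(parse_acl(after_reboot_listing)) - set(parse_acl(after_edit_listing)))


if __name__ == "__main__":
    print("clean   :", audit_acl(CLEAN_ACL))
    print("tampered:", audit_acl(TAMPERED_ACL))
    print("came back:", reverted_entries(CLEAN_ACL, TAMPERED_ACL))
```

The clean listing audits to nothing, the tampered one to three problems, and `reverted_entries` returns exactly the three entries that reappeared. Saving a RegDACL listing immediately after the edit and again after the reboot, then diffing them this way, is the quickest way to tell whether the permission change held or whether the hijacker is still active and restoring it.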

#8 itsanakedrockstar (Full Member, 9 posts)

Posted 24 May 2004 - 03:20 AM

I tried to uncheck the inheritable permissions, but every time I click Apply or press OK and come back it is rechecked. The same goes for 'Everyone': I remove it, but once I hit Apply or OK and exit, it is there again. Is this a serious problem?

#9 TMPST (Full Member, 23 posts)

Posted 12 June 2004 - 01:37 AM

Can someone help me please, I have the same issue.

Edit: Log removed. TMPST has started his own topic:
http://www.spywarein...wtopic=6350&hl=
Thanks, TMPST.
:wave:

Edited by cnm, 12 June 2004 - 04:42 PM.


#10 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 12 June 2004 - 01:57 AM

TMPST - Please read the BOLD red writing at the top of the forum - Please do not post your problems into someone else's post - Start a new thread. Thank you.

#11 TMPST (Full Member, 23 posts)

Posted 12 June 2004 - 12:41 PM

Oh, sorry, I was posting while in Safe Mode and that was too huge to even read... and it was quite late.

Sorry

#12 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 12 June 2004 - 01:17 PM

No problem TMPST - It just makes things very hard to follow for everyone concerned. Thank you for your cooperation.



