itsanakedrockstar

removing about:blank spyware/malware

12 posts in this topic

I think there is a spyware/malware that keeps hijacking my Internet Explorer to an about:blank search page. I've run Ad-Aware, CWShredder, and HijackThis repeatedly for a few days now but it keeps coming back after a few hours. I don't know too much about this, so if there is a way to fix this I'll need to be told step by step, but any help is greatly appreciated.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Size : 27

Value : C:\WINNT\system32\wdmc.dll

 

hijack-this log

note: the .dll file keeps changing name every time it comes back

 

Logfile of HijackThis v1.97.7

Scan saved at 1:22:36, on 2004/05/23

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\msdtc.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\system32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\tcpsvcs.exe

C:\WINNT\System32\snmp.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\WinMX\WinMX.exe

C:\WINNT\explorer.exe

C:\Program Files\BitTornado\btdownloadgui.exe

C:\WINNT\system32\internat.exe

C:\WINNT\system32\imejpmgr.exe

C:\Program Files\BitTornado\btdownloadgui.exe

C:\Program Files\BitTornado\btdownloadgui.exe

C:\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\NOTEPAD.EXE

C:\Program Files\Registrar Lite\rl.exe

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {FC45F5A1-6B6D-4A30-AF73-0732ECF1D515} - C:\WINNT\system32\mejil.dll

 

 

Find-all log

--==***@@@ 'FIND-ALL' VERSION 6.2 -5/22 @@@***==--

 

 

Sun May 23 01:34:43 2004 -- Results:

*System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "Local Disk" (84F1:B51A) - FS:NTFS clusters:4k

Total: 61 664 890 880 [57G] - Free: 2 138 841 088 [2.0G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q832894;Q831167;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

*Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

 

 

*PC uptime:

1:34am up 3 days, 2:48

 

*Locked or 'Suspect' file(s) found...

\\?\C:\WINNT\System32\WDMC.DLL +++ File read error

\\?\C:\WINNT\System32\WDMC.DLL +++ File read error

 

 

*Tasks (services):

0 System Process

8 System

176 SMSS.EXE

200 CSRSS.EXE Title:

196 WINLOGON.EXE Title: NetDDE Agent

256 SERVICES.EXE Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,TrkWks,Wmi

268 LSASS.EXE Svcs: NtLmSsp,PolicyAgent,SamSs

452 svchost.exe Svcs: RpcSs

484 CCSETMGR.EXE Svcs: ccSetMgr

516 CCEVTMGR.EXE Svcs: ccEvtMgr

656 spoolsv.exe Svcs: Spooler

692 msdtc.exe Svcs: MSDTC

804 avgserv.exe Svcs: AvgServ

824 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access

844 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv

876 AppServices.exe Svcs: Iomega App Services

904 NAVAPSVC.EXE Svcs: navapsvc

936 nvsvc32.exe Svcs: NVSvc

1020 regsvc.exe Svcs: RemoteRegistry

1076 SAVSCAN.EXE Svcs: SAVScan

1116 mstask.exe Svcs: Schedule

1136 tcpsvcs.exe Svcs: SimpTcp

1204 SNMP.EXE Svcs: SNMP

1256 symlcsvc.exe Svcs: Symantec Core LC

1272 WinMgmt.exe Svcs: WinMgmt

1288 svchost.exe Svcs: wuauserv

1588 jusched.exe Title: OleMainThreadWndName

1620 svchost.exe Svcs: BITS

552 aim.exe Title: orokabakabaka's Buddy List Window

1692 msnmsgr.exe Title: MSN Messenger

2680 daemon.exe Title: Virtual DAEMON Manager V3.44

7260 WinMX.exe Title: WinMX v3.31 - 1 DL @ 8,787 B/s 1 UL @ 1,949 B/s <Online 4:58:47>

12612 explorer.exe Title: Program Manager

13276 btdownloadgui.e Title: 44.1% (284.08 MiB) MIGICHOCO - BitTorrent T-0.0.1 (BitTornado)

13156 internat.exe Title:

13168 imejpmgr.exe Title: MSIME98 Manager

21880 btdownloadgui.e Title: 31.3% (54.95 MiB) [Aoi-Anime]_Ragnarok_the_Animation_-_07_[679A5B74].avi - BitTorrent T-0.0.1 (BitTornado)

21952 btdownloadgui.e Title: 40.7% (69.80 MiB) [Aoi-Anime]_Ragnarok_the_Animation_-_06_[b5586533].avi - BitTorrent T-0.0.1 (BitTornado)

22000 IEXPLORE.EXE Title: SWI Forums -> Posting New Topic - Microsoft Internet Explorer

23184 CMD.EXE Title: C:\WINNT\system32\cmd.exe

22972 NTVDM.EXE

22312 rl.exe Title: Registrar

14600 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC45F5A1-6B6D-4A30-AF73-0732ECF1D515}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{540D9333-CED2-4ED8-A2B5-C0C15901D42D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{540D9333-CED2-4ED8-A2B5-C0C15901D42D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

*ACLs list for *.* in 'junk' folder: (if exist)

*Contents of file(s) in 'junk' folder:

 

Sun May 23 01:34:48 2004 -- *Find-All 'Windows'.hiv list:

A C:\Find-All\Find-All\winBackup.hiv

A C:\Find-All\Find-All\windows.txt

A C:\FindallwinBackup.hiv

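The log above shows the three pieces that go together in this about:blank hijacker: R0/R1 entries pointing the search pages at a `res://` URL inside a DLL in system32, an unnamed O2 BHO loading that same DLL, and a non-empty `AppInit_DLLs` value that reloads it at every logon. As an added example (not from the thread or from the HijackThis project), here is a small Python triage script that applies that reading to HijackThis-style and REG.EXE-style lines; the sample lines are constructed from the ones posted above.

```python
import re

# Constructed sample, modelled on the HijackThis and REG.EXE lines posted in this thread.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mejil.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {FC45F5A1-6B6D-4A30-AF73-0732ECF1D515} - C:\WINNT\system32\mejil.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
AppInit_DLLs REG_SZ C:\WINNT\system32\wdmc.dll
"""

# A search page served out of a DLL's resource section (res://...dll/sp.html).
RES_DLL = re.compile(r"res://([^\s/]+\.dll)", re.I)
# O2 line: "O2 - BHO: <name> - {CLSID} - <dll path>".
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<dll>.+\.dll)$", re.I)
# REG.EXE output for the AppInit_DLLs value; an empty value is the clean state.
APPINIT = re.compile(r"AppInit_DLLs\s+REG_SZ\s*(.*)$", re.I)


def analyse(log_text):
    """Return (kind, where, value) findings for the about:blank hijacker pattern."""
    findings = []
    res_dlls = set()  # DLLs already seen serving a res:// search page
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith(("R0 -", "R1 -")):
            key = line.split(" = ", 1)[0].rsplit(",", 1)[-1]  # e.g. "Search Bar"
            m = RES_DLL.search(line)
            if m:
                res_dlls.add(m.group(1).lower())
                findings.append(("res-hijack", key, m.group(1)))
            elif key == "HomeOldSP" and line.endswith("= about:blank"):
                # Leftover value the helper asks HJT to fix later in the thread.
                findings.append(("leftover", key, "about:blank"))
        elif line.startswith("O2 -"):
            m = BHO.match(line)
            if m and (m.group("name") == "(no name)" or m.group("dll").lower() in res_dlls):
                findings.append(("bho", m.group("name"), m.group("dll")))
        else:
            m = APPINIT.search(line)
            if m and m.group(1).strip():
                findings.append(("appinit", "AppInit_DLLs", m.group(1).strip()))
    return findings


def about_blank_pattern(findings):
    """True when a res:// search hijack is backed by a BHO or an AppInit_DLLs loader."""
    kinds = {kind for kind, _, _ in findings}
    return "res-hijack" in kinds and bool(kinds & {"bho", "appinit"})


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
    print("about:blank hijacker pattern:", about_blank_pattern(analyse(SAMPLE)))
```

The `AppInit_DLLs` check is the one worth keeping even after the BHO is gone: as the thread shows, the value is what brings the DLL back under a new name after each cleanup.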

Use the Registrar Lite program again. Copy and paste the key below into reglite's address bar and hit 'Go':

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Right-click on the Windows key in the left pane and rename it to something else - for example:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

 

Double-click the "Appinit_Dlls" value in the right pane and erase the data in the 'Value' box at the bottom of the new pane. The data to remove will be:

 

"C:\WINNT\System32\wdmc.dll", hit 'Apply' and 'Ok' to set.

 

Rename 'NotWindows' back to 'Windows' in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the wdmc.dll in C:\WINNT\System32.

 

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Unzip and run Winfile from here. Open it up, click File>Move...

 

Copy and paste this into the 'From' box: C:\WINNT\System32\wdmc.dll

Copy and paste this into the 'To' box: C:\Junk\wdmc.dll

 

Hit OK. Close Winfile and check in C:\Junk for that file - let me know. If it's there, re-run AAW and CWShredder - make sure you have the latest updates. Reboot when done. Run HJT and post a new log for the next steps.


Thanks for the quick reply.

wdmc.dll is in the junk folder

 

new HijackThis log

Logfile of HijackThis v1.97.7

Scan saved at 15:39:53, on 2004/05/23

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\msdtc.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\system32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\tcpsvcs.exe

C:\WINNT\System32\snmp.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\HijackThis.exe

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon


Good, I need to see a full log though - looks like some got cut off.

 

Also, could you try to delete the C:\Junk folder - this may be difficult, let me know how you get on.


If you can't delete it try this - boot into Safe Mode by tapping F8 after the BIOS has loaded. Right-click on the C:\Junk\wdmc.dll go to the Security tab>advanced and take ownership giving yourself 'Full control' (preferably to Administrators 'group'). Right-click the C:\Junk folder and hit properties. Click on security tab then the advanced button. Check the box that says reset permissions on all child objects. Hit apply.

 

You should now be able to delete the file and folder.


I deleted the Junk folder in Safe Mode and re-ran HijackThis.

 

Logfile of HijackThis v1.97.7

Scan saved at 16:19:12, on 2004/05/23

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\msdtc.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\system32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\tcpsvcs.exe

C:\WINNT\System32\snmp.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon


OK, just have HJT fix this entry:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

Also, renaming the "Windows" key may have modified some security settings. Start Registrar Lite. Copy and paste the following text into the Address Bar and press 'Go':

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

Right Click on the purple Windows folder in the left pane.

Select 'Properties'.

Press 'Permissions'.

Press 'Advanced'.

Remove Check Mark from 'Inherit permissions...'.

Press 'Copy'.

Highlight the group 'Everyone' (note: if this group does not exist then exit Reglite)

Select 'Remove'.

Press 'Apply' and 'OK' on all dialog boxes.

 

Reboot and you should be good to go.


I tried to uncheck the inheritable permissions box, but every time I click Apply or press OK and come back it is rechecked. The same goes for Everyone: I remove it, but once I hit Apply or OK and exit, it is there again. Is this a serious problem?


TMPST - Please read the BOLD red writing at the top of the forum - Please do not post your problems into someone else's post - Start a new thread. Thank you.


oh, sorry, I was posting while in Safe Mode and that was too huge to even read... and it was quite late.

 

Sorry


No problem TMPST - It just makes things very hard to follow for everyone concerned. Thank you for your cooperation.
