Another furious about:blank victim ...


3 replies to this topic

#1 eatsmaineime (New Member, 3 posts)

Posted 11 June 2004 - 10:37 AM

Hi... I got my homepage hijacked a month or two ago; the homepage address turned into "about:blank" and the page was a sort of search engine called "Search for...". I installed "Spybot Search & Destroy", "CWShredder", "XoftSpy", "X-Cleaner"... they found a "searchx" and the problem was solved for 2 days; now the homepage returns to "about:blank" every day and I get some popups saying that I'm infected... I run CWShredder and it goes well for the day... BUT the system is very, very slow... it looks like I'm working on a 486.
I just want to get rid of this "searchx" for good!

I use "Spybot Search & Destroy", "CWShredder", "XoftSpy", "X-Cleaner", "Norton AntiVirus" and "ZoneAlarm Pro".

System is XP pro, IE6, outlook express.

Please help.

Here's my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 15:54:59, on 11-06-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WT32EXE.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\htpatch.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\Grxp4exe.exe
C:\PROGRA~1\MULTIM~1\MMKBD.exe
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\tblmouse.exe
C:\Programas\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Programas\ScannerU\Kyescan.exe
C:\Programas\QLink 1.0\devmonit.exe
C:\Programas\WallpaperToy\Wallpapertoy.Exe
C:\Programas\HijackTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.vivissimo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programas\NewDotNet\newdotnet6_30.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Multimedir KBD] C:\PROGRA~1\MULTIM~1\MMKBD.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TBLFUNC] tblmouse.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Programas\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Corel Painter 8f] C:\Programas\Ficheiros comuns\Corel\Registration\EN\Registration.exe /title="Corel Painter 8" /date=062504 serial=PF08CTD-9999999-KHN
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - Startup: Start Maven Updater.lnk = C:\Programas\Maven\mavenUpdater.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Programas\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: KYESCAN.lnk = C:\Programas\ScannerU\Kyescan.exe
O4 - Global Startup: Monitor.lnk = C:\Programas\QLink 1.0\devmonit.exe
O4 - Global Startup: Start Maven Client.lnk = C:\Programas\Maven\mavenAgent.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O12 - Plugin for .spop: C:\Programas\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {11F8D6A0-01C6-4A23-A40F-1C3A560B99EA} (MavenInstallerAXControl Class) - http://client.maven....enInstaller.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7900.4424652778
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#2 eatsmaineime (New Member, 3 posts)

Posted 13 June 2004 - 11:34 AM

Please help..... can't make it go away!!... :alarm:

#3 eatsmaineime (New Member, 3 posts)

Posted 19 July 2004 - 11:38 AM

Please help, I've tried all I could find, and I'm still infected.
I tried CWShredder, Spybot, X-Cleaner, Ad-Aware 6, AboutBuster, and many others.

This all started with my homepage turning to "about:blank" named "Search for:"; it was irritating (and still appears from time to time) and I never found which was the main bastard. Then I was infected by "Casino pallazo", placing an icon with an X on the desktop; soon I found that it also installs a lot of links in my IE favorites. Next I found (by reading this forum's messages) that it also installs in "c:\windows\system32" the "taskmgn.exe, telnetxp.exe, and others"; by myself I found "mfplay.exe; mflplay.dll" and I think "vsconfig.xml" is in it too. Is it? Now I have "hot online games", also with an X on the desktop, and it installs the same as Casino with an extra file, the "auch(something).exe". Norton found today a "comkfm.dll" that I remember to be a part of the "about:blank". Is it?

Also Explorer goes down many times, mostly when I turn on the net; immediately I go to the system folder and there they are again.... :ugh:


Please help
:(
Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 17:34:15, on 19-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WT32EXE.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\htpatch.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\Grxp4exe.exe
C:\PROGRA~1\MULTIM~1\MMKBD.exe
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\tblmouse.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programas\Messenger Plus! 3\MsgPlus.exe
C:\Programas\ScannerU\Kyescan.exe
C:\Programas\QLink 1.0\devmonit.exe
C:\Programas\Maven\mavenAgent.exe
C:\Programas\Maven\mavenUpdater.exe
C:\Programas\WallpaperToy\Wallpapertoy.Exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\HijackTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll
O2 - BHO: (no name) - {BC089CD1-A3B5-4AFE-A26B-DEE72BE624E8} - c:\windows\system32\pmbb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Multimedir KBD] C:\PROGRA~1\MULTIM~1\MMKBD.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TBLFUNC] tblmouse.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Corel Painter 8f] C:\Programas\Ficheiros comuns\Corel\Registration\EN\Registration.exe /title="Corel Painter 8" /date=072504 serial=PF08CTD-9999999-KHN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\Messenger Plus! 3\MsgPlus.exe"
O4 - Startup: Start Maven Updater.lnk = C:\Programas\Maven\mavenUpdater.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Programas\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: KYESCAN.lnk = C:\Programas\ScannerU\Kyescan.exe
O4 - Global Startup: Monitor.lnk = C:\Programas\QLink 1.0\devmonit.exe
O4 - Global Startup: Start Maven Client.lnk = C:\Programas\Maven\mavenAgent.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O12 - Plugin for .spop: C:\Programas\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {11F8D6A0-01C6-4A23-A40F-1C3A560B99EA} (MavenInstallerAXControl Class) - http://client.maven....enInstaller.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7900.4424652778
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{331114FB-1045-4F23-B8FC-AF25622E27CC}: NameServer = 195.23.129.126 194.79.69.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{331114FB-1045-4F23-B8FC-AF25622E27CC}: NameServer = 195.23.129.126 194.79.69.222


Please help!
It's my second post in 3 months... and I still haven't got an answer.

#4 cnm (Mother Lion of SWI, Administrators, 25,317 posts)

Posted 25 July 2004 - 06:56 PM

Tick the boxes next to all these, then close all browser and Explorer windows, and tell HijackThis to "Fix checked". Then reboot.

O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll
O2 - BHO: (no name) - {BC089CD1-A3B5-4AFE-A26B-DEE72BE624E8} - c:\windows\system32\pmbb.dll (file missing)

After fix and reboot delete C:\WINDOWS\System32\winnet.dll

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
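The fix above comes down to reading the O2 lines for a BHO that does not belong and then removing both the registration and the file. As an added example (not HijackThis code, not the helper's own tooling, and not part of the original thread), the script below walks a HijackThis 1.97 log and applies the same reading the helpers used: an unnamed BHO whose DLL sits directly under C:\WINDOWS or C:\WINDOWS\System32 instead of a vendor folder, a BHO whose DLL is already missing, an O10 line naming a known hijacker, and any O17 NameServer override. Those heuristics are my assumptions about what deserves a second look, not rules from the page. The sample log is an excerpt of the lines actually posted above; the advice in the O10 reason text (repair an LSP chain with a dedicated LSP tool rather than HijackThis) is my caveat, not something cnm wrote.

```python
"""Triage a HijackThis 1.97 log for the entry types discussed in this thread.

Added example for this page; not HijackThis code and not the helper's own tooling.
The heuristics below are assumptions about what is worth a second look.
"""
import re
from dataclasses import dataclass

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+)$"
)
R_RE = re.compile(r"^R[0-3] - (?P<text>.+)$")
O10_RE = re.compile(r"^O10 - (?P<text>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# A DLL sitting directly in C:\WINDOWS or C:\WINDOWS\System32 rather than a vendor folder.
WINDIR_DLL_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+\.dll$", re.I)


@dataclass
class Finding:
    line: str
    reason: str


def bho_reason(name: str, path: str):
    """Return why an O2 line is suspicious, or None if it looks like a normal vendor BHO."""
    if "(file missing)" in path.lower():
        return "BHO CLSID still registered but its DLL is gone; fix the entry anyway"
    if name.strip() == "(no name)" and WINDIR_DLL_RE.match(path.strip()):
        return "unnamed BHO loading from the Windows directory"
    return None


def triage(log_text: str):
    """Walk a HijackThis log and return the lines worth acting on, with a reason each."""
    findings = []
    lsp_counts = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := O2_RE.match(line)):
            reason = bho_reason(m["name"], m["path"])
            if reason:
                findings.append(Finding(line, reason))
        elif (m := R_RE.match(line)):
            if "about:blank" in m["text"].lower():
                findings.append(Finding(line, "start/search page points at about:blank"))
        elif (m := O10_RE.match(line)):
            text = m["text"]
            if text.lower().startswith("hijacked internet access by"):
                findings.append(Finding(line, "Winsock LSP owned by a known hijacker; "
                                        "repair the LSP chain with a dedicated LSP tool, not HijackThis"))
            else:
                lsp_counts[text] = lsp_counts.get(text, 0) + 1
        elif (m := O17_RE.match(line)):
            findings.append(Finding(line, f"DNS servers forced to {m['servers']}; confirm they belong to your ISP"))
    # One LSP DLL is listed once per protocol entry, so repeats of a known product's DLL are
    # expected; surface them anyway so the owner can confirm the product is really installed.
    for text, count in lsp_counts.items():
        if count > 1:
            findings.append(Finding(f"O10 - {text}",
                                    f"same LSP DLL listed {count} times; confirm the product is installed and wanted"))
    return findings


def hjt_fix_plan(findings):
    """Mirror the helper's instructions: tick the flagged O2 lines in HijackThis,
    then delete the DLLs that still exist on disk after the reboot."""
    tick = [f.line for f in findings if f.line.startswith("O2 - ")]
    delete = []
    for line in tick:
        m = O2_RE.match(line)
        if m and "(file missing)" not in m["path"].lower():
            delete.append(m["path"].strip())
    return tick, delete


# Excerpt of lines from the two logs posted in this thread (not a constructed sample).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll
O2 - BHO: (no name) - {BC089CD1-A3B5-4AFE-A26B-DEE72BE624E8} - c:\windows\system32\pmbb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O10 - Unknown file in Winsock LSP: c:\programas\spamfighter\proxy\proxy.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{331114FB-1045-4F23-B8FC-AF25622E27CC}: NameServer = 195.23.129.126 194.79.69.222
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.reason}\n    {f.line}")
    tick, delete = hjt_fix_plan(results)
    print("Tick in HijackThis:", *tick, sep="\n  ")
    print("Delete after reboot:", *delete, sep="\n  ")
```

Run against the excerpt, the plan it produces is exactly cnm's: tick the winnet.dll and pmbb.dll O2 lines (plus the 2_0_1browserhelper2.dll entry from the first log), and delete only the DLLs that still exist, since pmbb.dll is already gone. The Adobe and Norton BHOs are left alone even though the Adobe one is also "(no name)", because they load from their own Program Files folders; that location check, not the missing name by itself, is what separates the CWS entries from legitimate ones in these logs.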




