
Need help with about:blank


4 replies to this topic

#1 PPPP

PPPP

    Member

  • New Member
  • Pip
  • 3 posts

Posted 21 June 2004 - 11:39 PM

Following is the log of HijackThis. I'm using Windows 2000 Pro.

Logfile of HijackThis v1.97.7
Scan saved at 12:40:50 PM, on 6/22/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Q2\Pad32.exe
C:\Q2\Fahid.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {43149458-4CB9-42A8-A6EB-B6575C82A69B} - C:\WINNT\system32\ifilmja.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~3\npscheck.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Pad32] C:\Q2\Pad32.exe
O4 - HKLM\..\Run: [FAhid] C:\Q2\Fahid.exe
O4 - HKLM\..\Run: [tapisys] C:\WINNT\System32\tss.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [tapisys] C:\WINNT\System32\tss.exe
O4 - Startup: QuickStart (2).lnk = C:\Q2\quick2.exe
O4 - Startup: QuickStart.lnk = C:\Q2\quick2.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37628.231712963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab

I've tried fixing the R1 lines but it'll always come back. How do I get rid of this permanently?
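The log above is the HijackThis v1.x text format: one entry per line, a section code (R0/R1/R3, O2, O4, ...) followed by the registry location or object and its value. The patterns that make this particular log worth acting on are the search/start-page values redirected to a `file://` URL in the Temp folder, a URLSearchHook with no backing file, an unnamed BHO loaded straight out of system32, and the same program registered under both the HKLM and HKCU Run keys. The following script is an added example, not part of the forum post or of HijackThis itself; it parses a handful of constructed lines in the same format and flags those patterns. The rules (for instance "unnamed BHO in system32 is suspicious, vendor BHOs normally live under Program Files") are heuristics chosen for this example, not HijackThis's own logic.

```python
"""Triage a HijackThis v1.x log (added example, not HijackThis code).

Parses the R*/O* entries and flags the patterns the about:blank / sp.html
hijacker leaves behind. The rules are heuristics written for this example."""
import re
from dataclasses import dataclass

# Constructed sample in the log format shown above (a subset of the entries).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {43149458-4CB9-42A8-A6EB-B6575C82A69B} - C:\WINNT\system32\ifilmja.dll
O4 - HKLM\..\Run: [tapisys] C:\WINNT\System32\tss.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [tapisys] C:\WINNT\System32\tss.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O4 bodies look like: HKLM\..\Run: [Label] C:\path\prog.exe args
RUN_RE = re.compile(r"(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<label>[^\]]*)\]\s*(?P<target>.*)")


@dataclass
class Entry:
    section: str
    body: str


@dataclass
class Finding:
    section: str
    reason: str
    body: str


def parse_log(text):
    """Return the R*/O* entries of a HijackThis log; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    findings = []
    run_hives = {}  # lower-cased Run target -> set of hives it is registered in
    for e in entries:
        low = e.body.lower()
        if e.section in ("R0", "R1"):
            value = e.body.split(" = ", 1)[1].lower() if " = " in e.body else ""
            if value.startswith("file://") and "\\temp\\" in value:
                findings.append(Finding(e.section, "IE search/start page points at a local HTML file in a Temp folder", e.body))
            elif value == "about:blank" and "homeoldsp" in low:
                findings.append(Finding(e.section, "HomeOldSP is about:blank (the saved home page was replaced)", e.body))
        elif e.section == "R3" and "(no file)" in low:
            findings.append(Finding(e.section, "URLSearchHook CLSID with no backing file (orphaned hook)", e.body))
        elif e.section == "O2" and "(no name)" in low and "\\system32\\" in low:
            findings.append(Finding(e.section, "unnamed BHO loaded from system32 (heuristic: vendor BHOs normally live under Program Files)", e.body))
        elif e.section == "O4":
            m = RUN_RE.match(e.body)
            if m:
                run_hives.setdefault(m.group("target").strip().lower(), set()).add(m.group("hive"))
    for target, hives in run_hives.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(Finding("O4", "same program registered in both HKLM and HKCU Run keys", target))
    return findings


def triage_text(text):
    return triage(parse_log(text))


if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.body}")
```

On the sample the script reports five findings and leaves the Adobe BHO and the mobsync Run entry alone; fixing the flagged R1 lines alone is what the poster already tried, so the O2/O4 findings are the ones that explain why the values keep coming back.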

#2 PPPP

PPPP

    Member

  • New Member
  • Pip
  • 3 posts

Posted 22 June 2004 - 06:28 AM

bump

#3 nando

nando

    Member

  • Full Member
  • Pip
  • 24 posts

Posted 22 June 2004 - 08:51 AM

Attempt to delete nkdm.dll in the system32 folder, and afterwards clean your registry with jv16 PowerTools

#4 PPPP

PPPP

    Member

  • New Member
  • Pip
  • 3 posts

Posted 22 June 2004 - 11:55 AM

I couldn't find that file. I did a search on the whole HD but I couldn't find it...

#5 nando

nando

    Member

  • Full Member
  • Pip
  • 24 posts

Posted 22 June 2004 - 02:04 PM

The explanation is at: http://www.spywarein...greatsearch.biz

Thankfully, I knew what time my system was compromised, and with everyone here and a few other places telling me where to look, I was able to delete all the right files after almost two days of searching. Here are the instructions that worked to find and delete the files:

If you haven't already identified the malicious DLL file that keeps generating these search pages, do so now:
1) Go to C:\WINDOWS\system32\
2) Go to View > Choose Details > and check the box that says "Created". This will allow you to arrange your icons by the date CREATED. The DLL file that infected my computer was created on May 13, 2004.
3) Now right-click and choose Arrange Icons > Created
4) Depending on whether your files are listed in reverse chronological order or not, the most recently created DLL files should either be at the top or bottom. If you remember when your problem started, then look for a file that was created on that day. Another hint is that when you hover over the malicious file, it usually has no company name or additional info and looks generally suspicious.
5) Once you've located this file, you'll need a program called KillBox to kill it, because it can't be deleted the regular way. If you have KillBox, type in the address of your malicious file (C:\WINDOWS\system32\nameofyourfile.dll) into the address bar, and then go to Action > Delete On Reboot.
6) A window will pop up. Go to File > Add File and your file should be added into the blank space. Then go to Action > Process and Reboot. A message will prompt you to reboot your PC. Reboot your PC as told and once that's over, your malicious file should be deleted.

7) BUT that's only the visible file. And the trick is that there is one remaining malicious file which is HIDDEN. It'll be somewhere in your System32 folder but you won't be able to see it, let alone know its name. To get round this, you'll need a program called Registrar Lite (see links below).
8) Download RegLite, then type this into the address bar at the top:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Once you've done that, a list of registry keys will come up. Double click on AppInit_DLLs and in the "value" field, you should see the name of your hidden malicious file like this - C:\WINDOWS\system32\nameofyourfile.dll
9) The next step is kinda tricky because I don't think what worked for me will necessarily work for you but anyway, give it a try. Note down the name of your malicious file, and look for it in C:\WINDOWS\system32. IF your hidden file is now visible, do what I did....

10) Right-click on your file and rename it from "nameofyourfile.dll" to "nameofyourfile.doc" (i.e. keep the filename so you can find it but change the DLL extension). You won't be able to change the attributes because your file is in read-only mode.
11) Once you've done that, go to your C drive, right-click and go to New > Folder. Give your folder a name, and I suggest you use the filename of your malicious file. So if your malicious file is called "ijmbwp.dll", call your folder "ijmbwp".
12) Go back to C:\WINDOWS\System32. Locate your file again, right-click then COPY and PASTE it into the new folder you've just created in step 11. Then press the "back" button, highlight that folder and move the whole thing into the recycle bin. Now empty your recycle bin. Your second malicious file should now be removed. But just to double check, go to Start > Search and type in the name of your file. If you find any files left with that name, delete them all.
13) Finally, run Spybot, Ad-Aware and HijackThis just to make sure you've deleted all the components associated with your trojan.
14) Your homepage should now be back to your own default, and the trojan should be gone. Some additional DLL files may have been created along with the two files you previously deleted but these can easily be removed from your System32 folder, but I'd recommend scanning your PC with a free virus scan from TrendMicro.

If none of that works, then maybe my solution doesn't apply to you, but there are some helpful tips here anyway and I hardly think this problem is uniquely yours. In the meantime, get yourself antivirus software (if you haven't already got one) and run Ad-Aware, Spybot, etc. at LEAST once a week.

BTW, keep in mind that anti-spyware programs and CWShredder will NOT remove the trojan from your computer. You really need to seek out those malicious DLL files and destroy them or else the problem will persist, one way or another.

Ad-Aware - http://www.lavasoftu...pport/download/
SpyBot - http://www.safer-networking.org/
Registrar Lite - http://www.resplendence.com/reglite
KillBox - http://download.broadbandmedic.com/
TrendMicro virus scan - http://housecall.trendmicro.com/


I didn't end up getting anything from the reglite scan, but Killboxing the last two malicious files appears to have done the trick. Just try to find out what time the services.exe file in SYSTEM32\CONFIG was created, and get rid of everything created in SYSTEM32 and SYSTEM32\CONFIG within a few minutes of that. All the Hijack This and Spybot and Adaware-ing got rid of remnants and stuff, but it just kept coming back before I got those last few files.
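Two of the checks in the procedure above lend themselves to a small script: listing the files in a folder that were created within a few minutes of a reference time (the "everything created near services.exe" heuristic in the last paragraph), and reading the AppInit_DLLs value, which is a space- or comma-separated list of DLL paths that Windows loads into every process that links user32.dll. The following is an added example, not code from the post or from any of the tools it links; the file names and dates in the sample listing are constructed for the test (the real ones come from your own Explorer "Created" column), and the live registry read only works on Windows.

```python
"""Added example: creation-time window and AppInit_DLLs checks (not from the post).

created_near() / scan_folder() implement the "files created within a few minutes
of the reference file" heuristic; parse_appinit_dlls() splits the registry value
into the DLL paths it would load. Sample data below is constructed."""
import os
from datetime import datetime, timedelta

# Constructed listing: (path, creation time). Names are borrowed from the
# log earlier in the thread; the dates are made up for this example.
SAMPLE_LISTING = [
    (r"C:\WINNT\system32\kernel32.dll", datetime(2003, 1, 10, 9, 0)),
    (r"C:\WINNT\system32\ifilmja.dll", datetime(2004, 5, 13, 22, 41)),
    (r"C:\WINNT\system32\tss.exe", datetime(2004, 5, 13, 22, 43)),
    (r"C:\WINNT\system32\hpztsb04.exe", datetime(2004, 2, 2, 12, 0)),
]
# Constructed reference: when the suspicious services.exe copy was created.
REFERENCE = datetime(2004, 5, 13, 22, 40)


def created_near(reference, window_minutes, entries):
    """entries: iterable of (path, created_datetime).
    Returns the paths created within +/- window_minutes of reference,
    ordered by creation time."""
    delta = timedelta(minutes=window_minutes)
    hits = [(created, path) for path, created in entries if abs(created - reference) <= delta]
    return [path for _, path in sorted(hits)]


def scan_folder(folder, reference, window_minutes, suffixes=(".dll", ".exe")):
    """Non-recursive scan of one folder (like Explorer's detail view).
    Uses st_birthtime where the platform provides it, else st_ctime, which is
    the creation time only on Windows; elsewhere it is the inode change time."""
    entries = []
    for entry in os.scandir(folder):
        if entry.is_file() and entry.name.lower().endswith(suffixes):
            st = entry.stat()
            created = datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))
            entries.append((entry.path, created))
    return created_near(reference, window_minutes, entries)


def parse_appinit_dlls(value):
    """AppInit_DLLs holds zero or more DLL paths separated by spaces or commas.
    Returns the non-empty paths; a non-empty list on a home machine deserves a
    look, since few legitimate programs use this key."""
    if not value:
        return []
    return [p.strip('"') for p in value.replace(",", " ").split() if p.strip('"')]


def read_appinit_dlls():
    """Windows only: read the live value from HKLM (winreg exists only there)."""
    import winreg
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
    return parse_appinit_dlls(value)


if __name__ == "__main__":
    print("created within 5 minutes of reference:")
    for path in created_near(REFERENCE, 5, SAMPLE_LISTING):
        print("   ", path)
    print("AppInit_DLLs entries:", parse_appinit_dlls(r"C:\WINNT\system32\ijmbwp.dll"))
```

Against the constructed listing the five-minute window returns only the two files created just after the reference time and leaves the older system files alone, which is the point of the heuristic: a narrow window around a known bad timestamp is far more selective than "recently created". Treat the output as a list of candidates to examine (publisher, size, signature), not as a delete list.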



