Jul 5th, 2004

Another about:blank hijacking

Hi Crunchie,
I tried to find the problem dll myself but I can't seem to find it. I think it's masked or cloaked as a legitimate dll such as for a google toolbar, but I just may not know what I'm looking for. Ad-aware finds the bug, but as usual it reappears. I fix the R1's with HijackThis but again they reappear. Can you give me some guidance? I have APM all ready to go. Here is the HJT log:
(Venturi is an ISP for Verizon Wireless and it's clean - I have used it for about a year.)

Logfile of HijackThis v1.97.7
Scan saved at 9:13:58 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWX\System32\smss.exe
C:\WINDOWX\system32\winlogon.exe
C:\WINDOWX\system32\services.exe
C:\WINDOWX\system32\lsass.exe
C:\WINDOWX\system32\svchost.exe
C:\WINDOWX\System32\svchost.exe
C:\WINDOWX\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWX\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\mail.com\mcalert.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Venturi182\venturi.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Venturi182\jre\bin\jrew.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWX\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWX\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWX\system32\ZoneLabs\vsmon.exe
C:\Security\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWX\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [window.exe] C:\WINDOWX\System32\window.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Venturi.lnk = C:\Program Files\Venturi182\venturi.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
Posted by GaryTheK

Jul 6th, 2004

Re: Another about:blank hijacking

Please follow the solution offered in this topic:

http://www.daniweb.com/techtalkforums/thread7507.html
Posted by Catweazle

Jul 6th, 2004

Re: Another about:blank hijacking

Also fix this with hijackthis:

O4 - HKCU\..\Run: [window.exe] C:\WINDOWX\System32\window.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWX\System32\window.exe

Reboot normally.

Post another log after following the instructions given at the link that catweazle gave.
Posted by crunchie

Jul 7th, 2004
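As an added example (not code from the thread or from HijackThis), here is a small Python checker that applies the kind of review done above to HijackThis log lines and diffs a before/after scan. The sample entries are copied from this thread's two logs; the lookalike watch list and the "per-user autorun from System32" heuristic are assumptions of the example.

```python
import re
# Constructed sample: a few entries copied from the thread's two HijackThis
# logs (before and after the cleanup); the running-process lists are omitted.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [window.exe] C:\WINDOWX\System32\window.exe
O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
"""
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Assumption: hand-kept watch list of autorun names imitating Windows binaries.
LOOKALIKE_NAMES = {"window.exe"}

def parse_entries(log):
    """(section, body) for each R*/O* line; running-process lines are skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, log.splitlines()) if m]

def run_target(body):
    """Basename of the program an O4 entry launches, lower-cased."""
    target = body.split("]", 1)[-1].strip().strip('"')
    return target.split("\\")[-1].split(" ")[0].lower()

def flag_entries(log):
    """Entries a log reviewer would tell the poster to fix, with the reason."""
    findings = []
    for section, body in parse_entries(log):
        if section in ("R0", "R1") and body.endswith("= about:blank"):
            findings.append((body, "start/search page hijacked to about:blank"))
        elif section == "O4" and run_target(body) in LOOKALIKE_NAMES:
            findings.append((body, "autorun of system-lookalike " + run_target(body)))
        elif section == "O4" and "HKCU" in body and "\\system32\\" in body.lower():
            findings.append((body, "per-user autorun launched from System32"))
        elif section == "O10" and body.startswith("Broken Internet access"):
            findings.append((body, "Winsock LSP chain broken; repair it before testing"))
    return findings

def diff_logs(before, after):
    """Entries that disappeared or appeared between two scans of the same PC."""
    b = {s + " - " + body for s, body in parse_entries(before)}
    a = {s + " - " + body for s, body in parse_entries(after)}
    return {"removed": sorted(b - a), "added": sorted(a - b)}
```

Run against the thread's logs, the diff shows the about:blank R1 and the window.exe O4 gone after the fix, while the O10 LSP warning survives in both scans and still needs attention.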

Re: Another about:blank hijacking

Hi Crunchie,
I had a problem following Phage's procedure. However, since it looked like a quick fix, I followed your suggestion to place a couple of brackets around about:blank and it worked. I now have complete control over the IE home page. Thanks a lot for that quick "fix" or work around. That process seems to make about:blank into a hypertext format which then responds to being overwritten. I wonder though if the offending files might still be on my hard drive?

I also followed your procedure to fix O4, but I didn't find any window.exe file in System32 while in Safe Mode.
Here is my latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 10:17:09 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWX\System32\smss.exe
C:\WINDOWX\system32\winlogon.exe
C:\WINDOWX\system32\services.exe
C:\WINDOWX\system32\lsass.exe
C:\WINDOWX\system32\svchost.exe
C:\WINDOWX\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWX\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWX\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\mail.com\mcalert.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Venturi182\venturi.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Venturi182\jre\bin\jrew.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWX\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWX\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWX\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Security\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWX\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Venturi.lnk = C:\Program Files\Venturi182\venturi.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll

Before I performed your suggestions, I ran Ad-aware again and it found a malware dll in a folder directly on the hard drive labeled RECYCLER. This was right under my RECYCLED folder. In RECYCLER I found two files, they both were long numbered files and Ad-aware was able to delete the dll, but I can't remove the other one at all. It looks the same (S-1-5-21-1606980848-113...etc) but with no extension. Is there a program out there that I can run that will allow me to kill a read only file such as this?
Thanks again for your help!
Posted by GaryTheK

Jul 7th, 2004

Re: Another about:blank hijacking

Right click on the file & go to properties & uncheck the read only box. Press apply then try deleting it. Or
Download moveonboot from here & the file(s) you choose will be deleted on reboot.

MoveOnBoot allows you to copy, move or delete files on the next system boot. This comes in very handy, if you need to replace or delete files which are locked by other applications, loaded into memory or cannot be changed until next system boot. You could manually enter a line to the wininit files, but using MoveOnBoot is much simpler, since the program can be integrated into shell - it creates the "Copy/Move/Delete on boot" context menu item.
Posted by crunchie

Jul 7th, 2004

Re: Another about:blank hijacking

Thanks Crunchie,
I tried unchecking the read only box before but it wouldn't stay, but moveonboot did the trick. I guess based upon my last HJT log you may mark my thread as solved. Thanks again for all your help!
Posted by GaryTheK

This thread is solved