Browser Hijack, about:blank Search, sp.html, and friends
A little history on my problem of the last few days. Basically my IE homepage has been changed to a search page. Even though it's still shown as my regular start page of about:blank, it still shows the search page. I get bombarded with ad popups if I'm not using a blocker.
I've tried the following (all updated versions of each):
1) Ran AVG numerous times, been clean all but twice: BackDoor.Agent.BA and Downloader.Swizzor.AH. Noticed Swizzor was coming from C:\ProgramFiles\C2Media. Manually deleted that directory.
2) Ran Adaware, Spybot, NoAdware: All found nothing
3) Cleared with Tracks Eraser Pro, which had cleared off lop.com a while ago. Nothing.
4) Re-ran Spyware Blaster. Nothing.
5) Noticed Class3SoftwarePublishers keeps re-adding itself into TempIntFiles.
6) Tried System Restore from an earlier safe point, all 3 safe points failed to restore.
7) Checked Startup via MSconfig, running processes, Add/Remove Programs, and saw nothing unusual.
8) Ran CWS Shredder. Nothing.
9) Stopped using IE, which I should have done a while ago.
Anyways, here is my log:
Logfile of HijackThis v1.97.7
Scan saved at 10:07:34 PM, on 7/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\RUNSERVICE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9C4B1A91-BE9B-48E5-8E33-EC6205F0A2B1} - C:\WINDOWS\SYSTEM\PHKNA.DLL
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c...ymmapi.dll
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...5301388889
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Shared.../cabsa.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Thanks for any help.
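Two things in the log above are what a responder would pull out first: every IE search setting (R0/R1) has been pointed at file://C:\WINDOWS\TEMP\sp.html, and one unnamed BHO (O2) is loaded from C:\WINDOWS\SYSTEM\PHKNA.DLL rather than from a vendor's Program Files directory. The script below is an added example, not part of the thread and not HijackThis's own code; it parses R and O2 lines from a copy of the posted log, flags those two patterns, and lists the on-disk artifacts to collect. The directory lists it uses to decide "temp directory" and "system directory" are this example's own assumptions.

```python
"""Triage a HijackThis 1.x log for about:blank / sp.html style hijack indicators.

Added example (not from the thread, not HijackThis code). It reads the R0/R1
lines (IE start and search settings) and O2 lines (Browser Helper Objects) and
flags:
  * an IE setting pointing at a local file:// URL, noting when the file sits
    in a temp directory;
  * a BHO with no name whose DLL lives in the Windows system directory.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the log posted above (R and O2 lines plus a
# couple of benign lines so the filter has something to pass over).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9C4B1A91-BE9B-48E5-8E33-EC6205F0A2B1} - C:\WINDOWS\SYSTEM\PHKNA.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

# "R1 - <hive\key>,<value name> = <value>"; the first comma separates key from value name.
R_LINE = re.compile(r"^(R[0-3]) - (.+?),(.+?) = (.*)$")
# "O2 - BHO: <name> - {GUID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-F-]{36}\}) - (.*)$", re.I)

# Assumed directory patterns (upper-cased, backslash-delimited) for the two checks.
SYSTEM_DIRS = ("\\WINDOWS\\SYSTEM\\", "\\WINDOWS\\SYSTEM32\\", "\\WINNT\\SYSTEM32\\")
TEMP_DIRS = ("\\TEMP\\", "\\TEMPORARY INTERNET FILES\\")


@dataclass
class Finding:
    kind: str     # "ie-setting" or "bho"
    line: str     # the log line that triggered it
    target: str   # file the setting/BHO points at (what to collect from disk)
    reason: str


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and return the suspicious R and O2 entries."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        r = R_LINE.match(line)
        if r:
            _section, _key, value_name, value = r.groups()
            upper = value.upper()
            if upper.startswith("FILE://"):
                where = "a temp directory" if any(t in upper for t in TEMP_DIRS) else "local disk"
                findings.append(Finding("ie-setting", line, value,
                                        f"{value_name} redirected to a file on {where}"))
            continue
        o2 = O2_LINE.match(line)
        if o2:
            name, _guid, path = o2.groups()
            if name.lower() == "(no name)" and any(d in path.upper() for d in SYSTEM_DIRS):
                findings.append(Finding("bho", line, path,
                                        "unnamed BHO loaded from the system directory"))
    return findings


def count_by_kind(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def artifacts(findings: List[Finding]) -> List[str]:
    """Distinct on-disk targets referenced by the findings, for collection before cleanup."""
    return sorted({f.target for f in findings})


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}: {f.target}")
```

Against the posted log this yields six redirected IE settings (all to the same sp.html) and one BHO, so the two artifacts to preserve before deleting anything are sp.html itself and PHKNA.DLL. The Adobe BHO is also "(no name)" but lives under Program Files, so it is not flagged; that is the distinction the path check encodes.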
Responses to this topic
Hey, I think I narrowed it down now again..lol
I just thought of something. These exe files I found, well, I found more of them, only under another name but the same file size. I think that these exe files are replicating 11 exe files alphabetically:
ajkl.exe
bstsl.exe
cfe32.exe
and so on.
Instead of creating them when we delete the dll as I said before, it's creating them as we speak from the previous exe's left behind, so if we delete them as well, then they will load the others.
I think I have it, all the files are already on the system recreating themselves all the way to "z"
So I think we have to find all of them and delete them all at the same time.
Maybe I'm wrong, but I'll check. Be Back
OKAY guys, I think this is it....for real this time
Okay, the new dll found by BHO was "javatm.dll", and the new exe files created were:
javacm.exe
javadp32.exe
javalb.exe
javaqp32.exe
javatn32.exe
javaug32.exe
javaut32.exe
javavd32.exe
javawe32.exe
javaww.exe
javayr.exe
All are 19 kB in size; even all the others with different names, from the dll's previous to this new one I got, are this size, so we have got the bastards.
You see, it makes exes of the dll, or the previous dll deleted made these first, then the dll. Either way, we gotta delete these.
OH, and if you delete the exe's and not the dll, the dll will make a new set of exe's for itself, in case you delete the dll (sneaky), and if you delete the dll first without deleting the corresponding exe's, then those exe's will make a new dll (sneaky) with a random name, and then that dll will create another set of exe's to match. So you have to delete the dll and the exe's together, otherwise it will just go on and on.
If you have been deleting the dll's and not these exe's, then you will either have to remember the names of those dll's you deleted so we can find them, or just use the 19kB file size to judge, then just see if there's 11 of them, and you need to get all of them together, dll's and exe's.
Hope this helps. I'm in the process now of testing this, I'll post back soon on the results.
PS: This is why BHO doesn't work for some of you, because BHO only picks up one file at a time (the active one) and not the rest, because the rest are turned off and BHO thinks that they're harmless. So again, as soon as you delete the active one (whatever BHO picks up), it will then turn on the others, and they will start all over again. So again, we need to delete them all together.
[Edited by iq454 on 2004-09-08 08:07:12]
Yes, IT WORKED.
I'll run you through the procedure exactly. I'll try to explain as best I can.
Open your Windows folder and your Windows\system32 folder at the same time and order them both by size.
Now, because the file names might be different for all of us (or even the size, for that matter), we have to work off the file size... If yours is different, you can see what to do anyway.
These are the sizes to look for (in my case anyway):
19, 56, 91 and 96 kB in your Windows folder AND
32, 64 and 96 kB in your system32 folder.
The way to find these files is to check by hovering your mouse over each and every one. If it's part of this hijack, it will not display its type, description or who made it (Microsoft or whoever).
So, start in your system32 folder and find all the files that are 96kB, hold the "ctrl" key and hover the mouse over it; if no type, description or who made it is displayed, then highlight it. While still holding the "ctrl" key, go up to the next file and check it also; if it has a type, description, and who made it, then DON'T highlight it, and move on like this until you get all files 96kB in size. DON'T DELETE THEM YET. Keep going up until you find all files that are 64kB also, and do exactly the same thing, then do the same for the files that are 32kB.
Once you have them all highlighted, go to your Windows folder that should already be opened and find the file that BHODemon reported (it will take 30 seconds to create a new dll), so this is enough time, because all the files we need to delete are already highlighted. The only one we have to take a few seconds to get to is the file in the Windows folder that BHO reported.
Now delete all those files you highlighted in your system32 folder. It will then say "this is a system file, if you delete it, blahblahblah"; just delete it, as this might be the main program that started it all. If it really is a system file we need, then it will say who made it (Microsoft or whoever) when we hover the mouse over it, but if it didn't, then it belongs to this hijack (because all legit files have a description and who made it). Then quickly go into your Windows folder and delete that file BHO reported.
That's it. Hijack defeated.
You see the pattern this hijack made? The person who made it was so smart that if someone like me found the files to delete, then the main program (in the system32 folder) would make the same hijack, only in another type of file and maybe location too, but it only goes between the Windows folder and the system32 folder (like exe's, dll or txt), and if we found those exe's or whatever and deleted them, it would then make a main dll of 64kB and an exe of 32kB equaling 96 kB, or an "ocx" of 64kB and an "exe" of 32kB equaling 96kB, and if we found those dll's, ocx's, txt's, or exe, it would then make another dll or exe or txt equaling 96kB. The program or hijack actually does have an end, thank god.
All of this was to throw us off course, and anything that scanned it. But now we can see that the whole hijack was in a main file of 96kB; don't know which one, but we know what its size is.
Again, if we leave the exe's and delete the 96kB dll file only, those 3 exe's would then make either another dll of 96kB, or 3 exe's (because remember, each exe is 32kB; 3x32 is 96), then those 3 exe's "might" make more exe's of themselves in case we found the pattern, and the way to look for it would be by the file size (like I did), because remember I found 11 once? This might be because I was deleting dll's before all this, and it just kept creating extra exe's.
May be confusing, but that's the pattern and how I defeated it.
And no virus, spyware or even BHO program can detect this, because the main one(s) are turned off until the one that is active is deleted, which is the one BHO or spyware programs will detect, which is useless in this case.
Have a nice day.
PS: If you have problems, you can reach me @ neobot@the-pentagon.com
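The procedure above boils down to two filters applied to the Windows and System32 folders: files whose size is one of a small set of values, and files that show no type, description or company in Explorer. The script below is an added example, not a tool from the thread, that does the same triage programmatically against a constructed stand-in folder. Its assumptions: Explorer's missing description/company is approximated by the absence of a VS_VERSION_INFO resource, detected crudely by searching the file body for that UTF-16 string; suspect sizes are given in whole kB rounded up as Explorer displays them; and matches are moved to a quarantine folder (as a1_andy suggests further down the thread) rather than deleted, since some legitimate files also ship without a version resource.

```python
"""Reproduce iq454's file-size triage of the Windows and System32 folders
programmatically, quarantining instead of deleting.

Added example, not a tool from the thread. Assumptions:
  * "no type, description or who made it" is approximated by the absence of a
    VS_VERSION_INFO block, found by a crude strings-style search of the file;
  * suspect sizes are whole kB rounded up, the figure Explorer displays;
  * hits are moved to a quarantine folder, never deleted.
"""
import math
import os
import shutil
import tempfile
from collections import defaultdict
from typing import Dict, Iterable, List

# Label of the version resource inside a PE file, stored as UTF-16LE.
VERSION_MARKER = "VS_VERSION_INFO".encode("utf-16-le")


def has_version_resource(path: str) -> bool:
    """Heuristic: does the file contain a VS_VERSION_INFO block at all?"""
    with open(path, "rb") as fh:
        return VERSION_MARKER in fh.read()


def size_kb(path: str) -> int:
    """File size in kB rounded up, matching the figure Explorer shows."""
    return math.ceil(os.path.getsize(path) / 1024)


def group_by_size(folder: str) -> Dict[int, List[str]]:
    """Map displayed size in kB -> files of that size in the folder (no recursion)."""
    groups: Dict[int, List[str]] = defaultdict(list)
    for entry in os.scandir(folder):
        if entry.is_file():
            groups[size_kb(entry.path)].append(entry.path)
    return groups


def find_suspects(folder: str, suspect_sizes_kb: Iterable[int]) -> List[str]:
    """Files whose displayed size is in suspect_sizes_kb and that carry no version resource."""
    wanted = set(suspect_sizes_kb)
    hits = [p for kb, paths in group_by_size(folder).items() if kb in wanted
            for p in paths if not has_version_resource(p)]
    return sorted(hits)


def quarantine(paths: Iterable[str], quarantine_dir: str) -> List[str]:
    """Move suspects out of the way instead of deleting them; returns the new locations."""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    for p in paths:
        dest = os.path.join(quarantine_dir, os.path.basename(p))
        shutil.move(p, dest)
        moved.append(dest)
    return moved


def build_sample_folder() -> str:
    """Constructed fixture standing in for the Windows folder: three 19 kB files
    named like the javaXX.exe set above with no version resource, one 19 kB
    file that does have one, and one 40 kB file that is the wrong size."""
    folder = tempfile.mkdtemp(prefix="hijack-triage-")
    blank = b"MZ" + b"\0" * (19 * 1024 - 2)
    for name in ("javacm.exe", "javadp32.exe", "javalb.exe"):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(blank)
    legit = b"MZ" + VERSION_MARKER + b"\0" * (19 * 1024 - 2 - len(VERSION_MARKER))
    with open(os.path.join(folder, "legit19k.exe"), "wb") as fh:
        fh.write(legit)
    with open(os.path.join(folder, "other.dll"), "wb") as fh:
        fh.write(b"\0" * (40 * 1024))
    return folder


def run_demo(suspect_sizes_kb: Iterable[int] = (19, 56, 91, 96)) -> Dict[str, List[str]]:
    """Build the fixture, triage it, quarantine the hits; return basenames for inspection."""
    folder = build_sample_folder()
    suspects = find_suspects(folder, suspect_sizes_kb)
    moved = quarantine(suspects, os.path.join(folder, "quarantine"))
    remaining = sorted(e.name for e in os.scandir(folder) if e.is_file())
    return {
        "suspects": [os.path.basename(p) for p in suspects],
        "moved": [os.path.basename(p) for p in moved],
        "remaining": remaining,
    }


if __name__ == "__main__":
    for key, names in run_demo().items():
        print(f"{key}: {names}")
```

On the fixture the three version-less 19 kB files are quarantined while the 19 kB file with a version resource and the 40 kB file are left in place; on a real machine you would point find_suspects at the Windows and System32 folders with the sizes you observed, review the list, and only then quarantine. Moving rather than deleting keeps the samples for analysis and lets a false positive be put back.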
Hey, I found the main programs, they're called "Serach Extender", "ShoppingWizard" and "Home Search Assistant" go remove it in your add remove programs
If you've done the procedure I just explained, then it won't find them and it will leave the garbage there; you need something like Tweak XP to delete the entry. They are harmless now though, as the main threat is taken care of.
rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/SearchExtender.html
rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/ShoppingWizard.html
rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/HomeSearchAssistant.html
Maybe it was hooked into the url.dll? Maybe someone from BHO can examine how I defeated it, so we can know what exactly was the main program and how it replicated and why.
Or, you can go to the registry and delete the entries. Open start\run type in regedit. Be careful here, it's not to be messed with, if you get confused, just use tweak xp or something.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Scroll the list to find:
"Serach Extender"
"ShoppingWizard"
"Home Search Assistant"
then right click that folder and delete.
Hijack has been destroyed
Mission Accomplished
Game Over.
end of line
Didn't go thru your way, I found it differently. I happened to remember the original name I started deleting, AND the creation date. After a couple frustrating hours, I searched the DATE and found the original filename in the \restore\temp directory. (WinMe) with an extension of .o along with a couple other files on the drive from that date (7/24/2004). Not sure yet what else was interconnected, but this seems to have killed it.
Incidentally, two days ago I cleaned one that actually loaded in Safe mode in XP! Couldn't be deleted. Had to boot from Winternals CD (not cheap) attach to the XP installed, and delete the file. Worked like a charm.
Cool, funny that, that was the way I was doing it originally.
But I found that I had more files than just one ("I had over 90 files to delete"), so I thought to order them by date, but because I had forgotten when I got this and all those dll's that I deleted a few weeks ago, I would be looking for files I have no idea when they were created, so I couldn't order by date.
But the new files I could keep track of were created at the same time ("cause I seen them created on the fly"), but what's funny is, their dates didn't match, so I wasn't sure if they were part of the hijack, as the programmer probably thought of this too. So I did it by file size, because this is what I knew for certain.
Windows XP/2000 restore point fixes it. There's D:\I386\winnt32.exe /cmdcons for those people that don't have a good restore point. I'll try and use IQ454's file size fix for the Win98 boxes I get today. If the fix doesn't work I'll be going back to the delete partition/format (Windows reinstall) fix that does work. I'm not used to being stumped like this; normally there is always a fix for crap like this (but this one's different so far). One thing I can say is it's been making us computer techs lots of work, but I never feel good reformatting a customer's computer. I'd prefer to remove the culprit(s) instead. I'm hoping that IQ454's fix works on all the computers I come across today so we can put this About:Blank hijack to rest. Is there a name for this one yet? Is it a spyware, adware, virus or pest, or all of the above??
Yep, RC probably would have worked, was in the system32 directory. I just had Winternals sitting here next to me, as I use it regularly enough. Struck me as interesting, I take this crap out of systems daily, first one that I've seen loads in Safe mode.
Part of the ease (for lack of a better term) of taking out crapware HAS been the fact of recognizing more recent dates in the files, I've only seen a couple using older dates. When the scumbags get smarter and put old file dates.... then the job gets harder.
Originally posted by a1_andy:
One thing I can say is it's been making us computer techs lots of work, but I never feel good reformatting a customer's computer. I'd prefer to remove the culprit(s) instead.
So would I, formatting is a last resort most of the time. Lately, though, the crap has been getting smarter, and it's getting personal. Damned if I'll let them get the best of me.
One thing i can say is its been makeing us Comp tec's lots of work, but i never feel good reformating a customers comp. I'd perfer to remove the culprit('s) instesd.
So would I, formatting is a last resort most of the time. Lately, though, the crap has been getting smarter, and it's getting personal. Damned if I'll let them get the best of me.
So far so good, 3 out of 4 Win98 boxes fixed ain't bad. The 4th one was truly infested. One thing that I did find that IQ454 may not have had or noticed is that launching "Notepad.exe" would create the problem all over again. Notepad seemed to be infested, so as well as IQ454's method I delete all the notepad.exe programs I can find and replace them with a good one. And instead of deleting the files right away I move them to a new folder (just in case it's a real OS/program file). I also remove the hard drive after removing the reg entries, then do the file matching and moving with the HD as a slave in another box, Win2k. Thanx IQ454, 'tis beat (for now I think).
Oh, and seeing as Notepad.exe was recreating this hijack on launch, this hijack should be classified as a virus, also because it recreates itself when improperly removed. In my opinion.
I think I'm going to make my notepad.exe in both my Windows folder and system32 folder "read only" and see if this hijack can still infest me. Something to do this weekend. I wonder....
Update..LOL
Either the hijack is gone (off the net) or changing the 2 notepad.exe's to read only prevents the hijack from even taking place. I surfed all the smut that I could think of in the last hours with no popup blocker or firewall (getting hundreds of popups) and blindly clicking away on all the links I could find. Then as I'm closing up the IE windows I notice several small boxes in the top left of my screen, blank; I couldn't expand them or view their properties/contents. Then the header changes to "syntax error". LOL. I'm gonna try all weekend to get this hijack again to see if this is a real way of blocking hijacks and adware from being installed without permission. Wouldn't it be nice if this was the be-all and end-all of fixes for this problem. In all my adware scans found nothing but cookies; surely I should have got adware by now? I'm gonna keep trying, and I'd enjoy some feedback on this. Maybe name some sites for me that will surely give me some adware, spyware and/or hijacks?? Know of any??
winxp sp1
Ahh sorry, I missed your update. Okay, so then you fixed machine 4? Never mind about the log then.
Although I'm sure it would be an ActiveX control that's the cause, and then maybe it created a hybrid for notepad to send info off, which isn't really infected, because I found one file that was write protected, "jlkopi.log". It seems that the main ocx file created dll's and dats first off, and if any one of those files got deleted and we missed one, because all files are exactly the same thing, even though the extensions were different (because I checked the javascripts), it was still the same file, just many variations of it.
And notepad might have been infected to enable it to plant a log file for feedback on everything that was happening on the system and to the files it created. Now that log file would've created a hybrid link which talks to notepad every time it's open to record info for the log, and when you hit the net it sends the info back to the creator, and the hybrid change will happen every time you hit the net or change its routined files; it will enable it to tell the main dll to do the redirecting. And if all were deleted and the ocx was left, then that ocx would've created alternate files of different sizes with random names, sorta like a stage 2 infection.
So,
stage 1, ocx creates dll and dats, dats get deleted.
stage 2, ocx creates dll. dll gets deleted, ocx creates new dll, and exe's to match. dll gets deleted, exe's can't find active dll, exe's tell ocx that dll can't be found, ocx then creates a new dll with another random name, and exe's to match, ocx finally gets found and deleted, dll can't find ocx and creates more exe's of itself in case it's found, exe's recreate ocx in case both are found, dll gets deleted, exe's create another dll, exe's get deleted, dll creates more exe's with another dll that deletes itself.
Restarts stage 2 with new instructions. ocx creates dll's and exe's with different file names and splits the files into smaller pieces, changing the file size also. And ends there. Then starts all over again if any are left behind. Any of the files left behind (which have all got the same instructions) will create what it needs again to start the process all over.
Log file's link to the main ocx, dat, dll, exe's has been severed, notepad's link to log file has been severed, log file goes ape shit and creates more dll's with random names but always the same size from now on, dll's get deleted, BHO turns the dll off, ocx can't find dll, ocx creates new dll, and so on and so forth...
stage 1
dat=56kB x 1 dll x 1 dll(deleted itself) = 19kB =94kB
stage 2
exe=32kB x 3 = 96kB...exe's are write protected.
exe=32kB x 1 dll = 64kB = 96kB....exe and dll are write protected.
txt=96kB...txt is write protected.
dll=96kB...dll is write protected.
ocx=96kB...ocx is write protected.
Main point?
ocx created 2 versions of itself in the beginning, then once that version was found and defeated, it would then create another 6 versions of itself. Even though they are different extensions and different file sizes, they're still the same exact file combined.
I tried to solve the problem with hijacked about:blank homepage as follows (Windows ME):
I located the .dll files with SpywareGuard or BHO Demon 2.0. In my case:
C:\windows\bruhh.dll/sp.htm#29126
The size of the file was 91kB.
I opened the file with notepad in Windows Explorer. I looked for more .dll files of the same size in the Windows folder and System folder. I found more than 10 of them under the names tdfva.dll, addgn.dll, addgn.dll, apiix.dll, sdkyq.dll, taddwq.dll, syzda.dll, ntpt32.dll, javacp32.dll, netaf32.dll, javaxo32.dll, netan.dll, apicz32.dll, cryk32.dll. I opened them all with notepad. I found out that the content of all the files is the same as the content of the detected file bruhh.dll. I deleted the content of the files one after the other and saved the changes (under their original names). So all the mentioned .dll files are now empty (and harmless) files in the Windows and System folders. Since then I have had no problems.
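The manual hunt described by IQ454 and in the post above (find every file the same size as the flagged DLL, confirm the bytes are identical regardless of extension, then neutralise the copies) is easy to get wrong by hand when the names are random and there are a dozen of them. Below is an added example that automates it; it is not code posted in this thread. It matches on size first as the cheap filter, confirms with a SHA-256 hash so an unrelated file that merely shares the size is left alone, and follows a1_andy's caveat of moving matches to a holding folder rather than deleting them. The directory tree, file names and file contents built by build_sample_tree() are constructed for the demo; on a real box you would point find_clones() at C:\WINDOWS and C:\WINDOWS\SYSTEM (or SYSTEM32) and at the DLL your BHO lister reported.

```python
"""Find every same-content copy of a known-bad file by size, then by hash.

Added example, not code from the thread. The sample tree is constructed;
nothing here reads a real Windows folder unless you pass one in.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files need little memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_clones(reference: Path, search_dirs) -> list:
    """Return every regular file in search_dirs (not recursive) whose size AND
    SHA-256 equal the reference. Size is the cheap pre-filter the thread
    relies on; the hash rules out an unrelated file that only shares the
    size. Extension is ignored on purpose: the copies reported in the thread
    used .dll, .exe, .ocx, .txt and .log interchangeably."""
    ref_size = reference.stat().st_size
    ref_hash = sha256_of(reference)
    hits = []
    for directory in search_dirs:
        for candidate in Path(directory).iterdir():
            if not candidate.is_file():
                continue
            if candidate.stat().st_size != ref_size:
                continue                      # cheap check first
            if sha256_of(candidate) == ref_hash:
                hits.append(candidate)        # the reference itself qualifies too
    return sorted(hits, key=lambda p: (str(p.parent), p.name))


def quarantine(paths, quarantine_dir: Path) -> list:
    """Move matches out of the search dirs instead of deleting them, so a
    false positive can be put back. The source folder name is prefixed
    because the same random name can appear in more than one folder."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for p in paths:
        dest = quarantine_dir / f"{p.parent.name}_{p.name}"
        shutil.move(str(p), str(dest))
        moved.append(dest)
    return moved


# Constructed payload: identical bytes under several names, padded to one size.
_BAD = b"<script>window.location='sp.html'</script>".ljust(4096, b"\x00")
_DECOY = b"MZ-legit-binary".ljust(4096, b"\x01")   # same size, different bytes


def build_sample_tree() -> Path:
    """Lay out a fake C:\\WINDOWS tree in a temp dir (constructed, not real)."""
    root = Path(tempfile.mkdtemp(prefix="aboutblank_demo_"))
    win = root / "WINDOWS"
    sysdir = win / "SYSTEM"
    sysdir.mkdir(parents=True)
    for name in ("bruhh.dll", "tdfva.dll", "jlkopi.log"):
        (win / name).write_bytes(_BAD)
    for name in ("apiix.dll", "ntpt32.dll"):
        (sysdir / name).write_bytes(_BAD)
    (win / "decoy.dll").write_bytes(_DECOY)              # must NOT be touched
    (sysdir / "kernel32.dll").write_bytes(b"MZ" * 100)   # different size
    return root


def run_demo() -> dict:
    """Build the tree, hunt from the file a BHO lister would have flagged,
    quarantine the matches, and report what happened."""
    root = build_sample_tree()
    win, sysdir = root / "WINDOWS", root / "WINDOWS" / "SYSTEM"
    reference = win / "bruhh.dll"
    hits = find_clones(reference, [win, sysdir])
    moved = quarantine(hits, root / "quarantine")
    return {
        "found": sorted(p.name for p in hits),
        "quarantined": len(moved),
        "decoy_untouched": (win / "decoy.dll").exists(),
        "kernel32_untouched": (sysdir / "kernel32.dll").exists(),
        "reference_gone": not reference.exists(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two points carry over to a real cleanup. Run this with the drive slaved in a clean machine or from the Recovery Console, as a1_andy does, because a copy that is loaded in memory (or write protected, as IQ454's were) will either refuse to move or be recreated before you finish. And because the hash is exact, it will not catch the "stage 2" variants IQ454 describes where the file is split into pieces of a different size; for those you repeat the run with each newly flagged file as the reference.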