Topic: about:blank hijack - Hijackthis logfile posted

about:blank hijack - Hijackthis logfile posted
« on: May 05, 2005, 03:53:19 AM »
Sorry about previous post as a guest, I had registered but wasn't logged in.

Hi,

The problem is that the about:blank page is showing some kind of Microsoft search page with random search topics such as Xanax, etc. entered in the search window. Also, random pop-ups keep appearing, and porn and finance sites are appearing in the favourites. The HijackThis file is posted below; can anyone help me rid my system of this?

Jason

------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 16:44:07, on 03/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winfg.exe
C:\WINDOWS\iekb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\matthewcross\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {54351455-EFE9-7EFE-3393-B2622AF47B0F} - C:\WINDOWS\system32\javazs.dll
O4 - HKLM\..\Run: [iepr.exe] C:\WINDOWS\system32\iepr.exe
O4 - HKLM\..\Run: [atlnw.exe] C:\WINDOWS\system32\atlnw.exe
O4 - HKLM\..\Run: [iekb.exe] C:\WINDOWS\iekb.exe
O4 - HKLM\..\RunOnce: [winfg.exe] C:\WINDOWS\system32\winfg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = icw-watches.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = icw-watches.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{715C312A-E541-48AA-AA6A-A1CEFC325DE7}: NameServer = 192.168.1.2,192.168.1.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = icw-watches.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = icw-watches.co.uk
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdknh.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

about:blank hijack - Hijackthis logfile posted
« Reply #1 on: May 06, 2005, 12:28:00 AM »
Download the following tools, please; we'll need them in a bit.

Make sure that you have the latest version of CWShredder.
From my signature below, download CWShredder.exe and save it to the Desktop.
We'll need this later.

==Download About:Buster.zip to the desktop
by RubbeR Ducky
Unzip the contents to the desktop; a folder will be placed on your desktop.
Open it and run About:buster.exe.
Click the Update button and check for updates; if there are any, download them.
Then close it for now; we'll need this later.

==Download and install this small program
to help clean your temp folders, cookies, etc.
Windows Cleanup
Give the link time to load or try it twice; it may be busy.
Install it for now; don't run a scan yet.

==Download and UNZIP Cwsserviceremove.zip to the desktop
so you have cwsserviceremove.reg on the desktop.
Cwsserviceremove.zip
We'll need this later.

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

==Please print this out or save these instructions to a Notepad file and save it to your Desktop.
RESTART your computer in SAFE MODE.
You can do this by tapping the F8 key as the system is restarting, after the single POST beep, or use the link I supplied for a more detailed explanation.

==Go to START>>>RUN>>>type in services.msc and hit Enter.
In the next window, look on the right-hand side for this service
name---- Remote Procedure Call (RPC) Helper <- there are others similar, just look for this one

Double-click on it and STOP the service if it is running.
In the drop-down menu, change the startup type to Disabled.

==Using Windows Explorer, navigate to these files and delete them if found and if you can; carry on if you can't find or remove them.
C:\WINDOWS\system32\edabr.dll <-file
C:\WINDOWS\system32\winfg.exe <-file
C:\WINDOWS\system32\atlnw.exe <-file
C:\WINDOWS\system32\iepr.exe <-file
C:\WINDOWS\system32\sdknh.exe <-file
C:\WINDOWS\iekb.exe <-file

==Open Windows CleanUp!>>START>>Programs>>Cleanup!
Click on the CleanUp button and let it finish scanning for files; when it's done,
decline to log off.

==Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log, then hit Exit.
You may have to scan more than twice; try 3 or 4 times until no files or Data Streams are found.

==Double-click on cwsserviceremove.reg and allow it to merge into the registry.

==Do another scan with HijackThis and put a check next to these entries:
Not all may exist, but fix what appears.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {54351455-EFE9-7EFE-3393-B2622AF47B0F} - C:\WINDOWS\system32\javazs.dll
O4 - HKLM\..\Run: [iepr.exe] C:\WINDOWS\system32\iepr.exe
O4 - HKLM\..\Run: [atlnw.exe] C:\WINDOWS\system32\atlnw.exe
O4 - HKLM\..\Run: [iekb.exe] C:\WINDOWS\iekb.exe
O4 - HKLM\..\RunOnce: [winfg.exe] C:\WINDOWS\system32\winfg.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdknh.exe (file missing)


After you have ticked the above entries, close all other open windows,
leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

==Run CWShredder.exe, click the FIX button and let it fix what it finds

===RESTART the computer back to Normal mode
Back in Windows

===Look for a file called shell.dll in your C:\Windows\system32 folder.
If it is not there, go into the System32\dllcache folder
and find shell.dll.
Right-click on shell.dll and choose Copy from the menu. Then paste it into the system32 folder.

Download and install the free version of Ad-Aware SE Personal 1.05.
Ensure you have this version or the paid version.
Open Ad-Aware, make sure to click the "Check for updates now" link and Connect to download the latest updates.
Perform a full system scan.
When it's finished scanning,
you should either right-click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox, then
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button.

RESTART your computer to finish the cleaning process

Access Internet Options via Control Panel.
Under the Programs tab, "Reset Web Settings".
Under the Security tab | Custom Level,
check the ActiveX security settings.
Make sure that the following settings are correct:
    * Download signed ActiveX controls (Prompt)
    * Download unsigned ActiveX controls (Disable)
    * Initialize and script ActiveX controls not marked as safe (Disable)
    * Run ActiveX controls and plug-ins (Enabled)
    * Script ActiveX controls marked safe for scripting (Prompt)

I'm going to ask that you post back a number of logs.
Try and supply them all, thanks.

Post back with a fresh HijackThis log.
Also, post the logs from About:Buster.

I want to check to see if your hosts file was edited.
Could you do the following:
==Open HijackThis>>Open Misc Tools section>>Open Hosts file manager
Click "Open in Notepad".
Copy and paste back the whole contents of this Notepad file too.

Also, let me know if you have Spybot 1.3 installed; I'm just checking.
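A triage script, added here as an example and not part of this thread or of HijackThis itself, that applies the indicators guestolo's reply acts on to a constructed subset of the posted log: res:// search pages backed by a local DLL, an unnamed BHO, bare-named autoruns in the Windows directory, and a service with an unknown owner or missing binary. The regexes and the autorun heuristic are my own assumptions; the returned file list mirrors the delete checklist in the reply.

```python
import re
# Constructed sample: a subset of the HijackThis log posted above (service name shortened).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\edabr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {54351455-EFE9-7EFE-3393-B2622AF47B0F} - C:\WINDOWS\system32\javazs.dll
O4 - HKLM\..\Run: [iepr.exe] C:\WINDOWS\system32\iepr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Remote Procedure Call (RPC) Helper (11F) - Unknown owner - C:\WINDOWS\system32\sdknh.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Heuristic patterns (my assumptions, not HijackThis's own classification).
RES_DLL = re.compile(r"=\s*res://([^/]+\.dll)/", re.IGNORECASE)
O4_RUN = re.compile(r'^O4 - .*?: \[([^\]]+)\] "?([A-Za-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)
O23_SVC = re.compile(r"^O23 - Service: .* - ([A-Za-z]:\\.+?\.exe)(?: \((file missing)\))?$", re.IGNORECASE)
WIN_DIR = re.compile(r"^[A-Za-z]:\\WINDOWS\\(system32\\)?[^\\]+$", re.IGNORECASE)

def triage(log_text):
    """Return (entry, reason, file) tuples for lines that fit the CWS about:blank pattern."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section in ("R0", "R1"):
            m = RES_DLL.search(line)
            if m:  # search/start page served out of a local DLL resource
                findings.append((line, "res:// search page backed by a local DLL", m.group(1)))
        elif section == "R3" and "is missing" in line:
            findings.append((line, "default URLSearchHook removed", None))
        elif section == "O2" and "(no name)" in line:
            findings.append((line, "unnamed BHO", line.rsplit(" - ", 1)[1]))
        elif section == "O4":
            m = O4_RUN.match(line)
            # autorun whose key name is just the exe name and whose target sits in the Windows dir
            if m and m.group(1).lower() == m.group(2).rsplit("\\", 1)[1].lower() and WIN_DIR.match(m.group(2)):
                findings.append((line, "bare-named autorun in Windows directory", m.group(2)))
        elif section == "O23":
            m = O23_SVC.match(line)
            if m and ("Unknown owner" in line or m.group(2)):
                findings.append((line, "service with unknown owner or missing binary", m.group(1)))
    return findings

def files_to_remove(findings):
    """Distinct file paths the findings point at, as a removal checklist."""
    return sorted({path for _, _, path in findings if path})
```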
