Mischel Internet Security Forum

downloader.small.6.I about:blank hijack
cretonic1
« on: Jul 1st, 2004, 2:21am »
Once again the CWS gang has become infinitely annoying. I received a trojan (downloader.small.6.I) detected with AVG under files xdldr17.exe and xdldr24.exe (which I promptly deleted). However, the damage was done. I have been hijacked to the CWS's newest link Smartsearch with the "about:blank" address; note the lack of anything else in the address, just standard "about:blank", which I normally use for my homepage, minus the smartsearch engine. For two weeks I have been reading up on this variant and still am unable to remove it. I have used CWS (updated), Hijack This (Helper), miniremoval_coolwebsearch_smartkiller, spybotSD, stinger, sphjfix107, Win98Fix, adaware, procexp9x, RegSrch, SpyKiller2004, and countless hours of manual review and editing of the system registry looking for some clue as to the file that keeps generating the re-installation of said hijacker. HijackThis detects 2 entries in the log as follows:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
and adaware comes up with little else. Everything else states that it finds nothing or that my system is clean. Also note the lack of (obfuscated). I have read countless posts of HijackThis logs and can find no clue as to the culprit except maybe one under the following link:
http://techrepublic.com.com/5208-6230-0.html?forumID=3&threadID=152851&messageID=1618163
but alas this also is to no avail, but maybe a clue to the problem. I tried the mentioned solution but it didn't help me.
About the only thing I have been able to achieve is venting my frustrations emailing Madame@coolwebsearch on a daily basis to complain (I have no doubt that I have been on her block list; TY Merijn for the address hehe). Anyway I have no clue what else to do about this one; any assistance would be much appreciated. Right now the workaround solution I have found is to use my Windows Explorer instead of Internet Explorer to bypass the Smartsearch website (why let 'em profit from it, right?). Also I am running a fully updated version of Win98SE (didn't like 2000 Pro). Have at it and good luck on this one. If I don't get a solution in about a week I'm just gonna wipe my HD and start over =) wife's gonna love that one lol.
Here is the full Hijack log for those interested in it:
3Cmlink=modem
KeyMaestro=keyboard
Logfile of HijackThis v1.97.7
Scan saved at 12:41:35 AM, on 7/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.1\MOUSE32A.EXE
C:\KMAESTRO\KMAESTRO.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPLAMPC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\DOWNLOADS\SPYREMOVAL\JACKTHIS\HIJACKTHIS\HIJACKTHIS.EXE
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [KeyMaestro] C:\KMAESTRO\KMaestro.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: SwTray.lnk.disabled
O4 - User Startup: SwTray.lnk.disabled
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://play.hoylegames.com/cab/WONWebLauncherControl.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
 
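An added example (written by the editor, not HijackThis code and not from anyone in this thread) that reads R0, O4 and O16 lines in the format of the log above and returns the three things a reviewer checks first: the Start Page = about:blank plus blank CustomizeSearch/SearchAssistant combination the post reports, Run entries that name a bare executable with no path, and ActiveX (DPF) downloads from hosts outside an allowlist. The KNOWN_DPF_HOSTS allowlist and the three heuristics are assumptions of this example, and the sample log is a subset of the lines quoted in the post.

```python
"""Heuristic review of a HijackThis (HJT) log for the about:blank hijack pattern.

Added example, not HijackThis's or the forum's code.  It parses R0, O4 and O16
lines of the format shown in the post and returns the findings a reviewer would
check first.  The KNOWN_DPF_HOSTS allowlist is an assumption for this example.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# R0 lines: "R0 - <hive>\<key>,<value> = <data>" (data may be empty)
R0_RE = re.compile(
    r"^R0 - (?P<hive>HKCU|HKLM)\\(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*?)\s*$"
)
# O4 lines carrying a Run-key entry: "O4 - <where>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)\s*$")
# O16 lines: "O16 - DPF: <control> - <url>"
O16_RE = re.compile(r"^O16 - DPF: (?P<ctrl>.+?) - (?P<url>\S+)\s*$")

# Assumption: hosts the user knowingly installed ActiveX controls from.
KNOWN_DPF_HOSTS = frozenset({
    "download.yahoo.com", "download.games.yahoo.com", "us.dl1.yimg.com",
    "fpdownload.macromedia.com",
})

# Constructed sample: a subset of the HijackThis v1.97.7 lines quoted in the post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - Startup: SwTray.lnk.disabled
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab
"""


def review_hjt(log: str, known_hosts=KNOWN_DPF_HOSTS) -> Dict[str, object]:
    """Parse HJT-style lines and return the review findings as a dict."""
    start_pages: List[Tuple[str, str]] = []
    search_values: Dict[str, str] = {}
    bare_run: List[Tuple[str, str]] = []
    foreign_dpf: List[Tuple[str, str]] = []

    for raw in log.splitlines():
        line = raw.strip()
        if m := R0_RE.match(line):
            if m["value"] == "Start Page":
                start_pages.append((m["hive"], m["data"]))
            elif m["key"].endswith("\\Search"):
                search_values[m["value"]] = m["data"]
        elif m := O4_RE.match(line):
            exe = m["cmd"].split()[0] if m["cmd"] else ""
            # No drive letter or directory: the name is resolved by path search,
            # so confirm which file actually runs before trusting the entry.
            if exe and "\\" not in exe and ":" not in exe:
                bare_run.append((m["name"], exe))
        elif m := O16_RE.match(line):
            host = urlsplit(m["url"]).hostname or ""
            if host not in known_hosts:
                foreign_dpf.append((m["ctrl"], host))

    # The combination the post reports: Start Page = about:blank together with
    # blank CustomizeSearch / SearchAssistant values under ...\Search.
    about_blank = any(d.lower() == "about:blank" for _, d in start_pages)
    blank_search = any(
        search_values.get(v) == "" for v in ("CustomizeSearch", "SearchAssistant")
    )

    return {
        "start_pages": start_pages,
        "search_values": search_values,
        "about_blank_hijack_pattern": about_blank and blank_search,
        "bare_run_entries": bare_run,
        "dpf_outside_known_hosts": foreign_dpf,
    }


if __name__ == "__main__":
    for key, value in review_hjt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the script flags the about:blank/blank-Search combination, the two Run entries that name only `Aticwd32.exe` and `Atitask.exe`, and the WordMojo control fetched from mirror.worldwinner.com. A flag is a prompt to verify the file or host, not proof of compromise; the ATI entries in this log are most likely legitimate, and nothing in the HJT output identifies the hidden DLL the poster is looking for.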
NoSpam
« Reply #1 on: Jul 5th, 2004, 9:53am »
You can go to the Security forum at dslreports.com (http://www.dslreports.com/forum/security,1) and post there. There are specific rules for posting HJT logs; please read the FAQ at http://www.dslreports.com/faq/8428, follow the steps listed, and then post what specific steps you have taken, in the same order they are listed in the FAQ, and there are a few people there who can help you. Unfortunately, CWShredder is no longer being updated.
cretonic1
« Reply #2 on: Jul 6th, 2004, 12:38am »
NoSpam, thanks for your time in posting, but I was unable to find any references to my given topic (downloader.small.6.I about:blank hijack) at http://www.dslreports.com/forum/security. I tried the search option at the above website and no results were found. Is this FAQ linked with Mischel or just another forum out of thousands in which I can post my problem? If anyone has any relevant information that could actually help someone please post here. So far the biggest lead I have is that the new variant generates a random hidden DLL file (good luck finding it). If I have nothing new by Saturday the 10th I plan on doing a format /u on my HD and starting from scratch. Anyone else who may be infected like myself, I recommend you don't waste any time (I have been researching this one for 3 weeks now and still am stuck in the mud). I put up this post hoping someone might have found a solution or maybe to shed some light on it if they haven't.