
Hijack browser - about:blank accessing onemoresearch.net

Hi,

I see that I'm not alone in the browser hijacking, spyware morphing, persistent malware crowd. I've literally spent hours running everything under the sun, yet still there remains this about:blank hijack attempt in IE. Every time it looks like it's removed it simply re-downloads itself. I've tried CWShredder (after using the CWKiller - killer), Ad-Aware, MS Spyware removal, Stinger, HouseCall antivirus, AboutBuster, etc. AboutBuster is the only one that seems to really find it, but it can't remove it. I'll include the HijackThis log as well as the AboutBuster log. It seems to indicate that the trojan is removed but if you load up IE again, it simply re-downloads it.

Any help at all would be greatly appreciated.

Logfile of HijackThis v1.99.0
Scan saved at 7:01:46 PM, on 1/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
F:\WINDOWS\System32\taskmgr.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\WinRAR\WinRAR.exe
F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.032\HijackThis.exe
F:\WINDOWS\System32\Notepad.exe
F:\Program Files\Outlook Express\msimn.exe
F:\Documents and Settings\Administrator\Desktop\aboutbuster\AboutBuster\AboutBuster.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AF22CF05-B24B-23F2-43FF-B4CBCDCE93E4} - F:\WINDOWS\ipcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106342625169
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2635961B-C5D0-4A25-9B9F-47C334C55BC5}: NameServer = 142.161.2.155 142.161.130.155
O17 - HKLM\System\CS1\Services\Tcpip\..\{2635961B-C5D0-4A25-9B9F-47C334C55BC5}: NameServer = 142.161.2.155 142.161.130.155
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - F:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O21 - SSODL: XZvkzP - {902E3EE5-3A84-944F-C99B-61DA91AD2244} - F:\WINDOWS\System32\wua.dll
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
**********ABOUTBUSTER LOGFILE - SCANNED 4 TIMES *************
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23


Removed Data Streams:
F:\WINDOWS\button1.gif:cnjse
F:\WINDOWS\setuplog.txt:yqshh
F:\WINDOWS\Sti_Trace.log:iaukr
F:\WINDOWS\TMUPDATE.DLL:vmlnr
F:\WINDOWS\UNWISE.EXE:wnsie
F:\WINDOWS\vbaddin.ini:pnlog
F:\WINDOWS\winnt.bmp:vskot


Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23


Removed Data Streams:
F:\WINDOWS\button1.gif:cnjse
F:\WINDOWS\setuplog.txt:yqshh
F:\WINDOWS\Sti_Trace.log:iaukr
F:\WINDOWS\TMUPDATE.DLL:vmlnr
F:\WINDOWS\UNWISE.EXE:wnsie
F:\WINDOWS\vbaddin.ini:pnlog
F:\WINDOWS\winnt.bmp:vskot


Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 3 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 4 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Comments

  • Buckeye_Sam Columbus, Ohio
    edited January 2005
    It will do that if you don't get every last piece of it before using IE again. Nasty stuff. Chances are that your log is already different now than it was when you posted this one. Please post a new HijackThis log and we'll get it all this time.
  • edited January 2005
    Logfile of HijackThis v1.99.0
    Scan saved at 10:20:53 AM, on 1/27/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\System32\nvsvc32.exe
    F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    F:\WINDOWS\System32\svchost.exe
    F:\excursion\mirc.exe
    F:\WINDOWS\explorer.exe
    F:\Program Files\SpyCatcher\Scheduler daemon.exe
    F:\Program Files\Outlook Express\msimn.exe
    F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    F:\Program Files\MSN Messenger\msnmsgr.exe
    F:\Program Files\Microsoft Office\Office10\FRONTPG.EXE
    F:\Program Files\Ahead\Nero\nero.exe
    F:\WINDOWS\System32\imapi.exe
    F:\Program Files\WinRAR\WinRAR.exe
    F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.844\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GhostSurfDelSatellite] "F:\Program Files\SpyCatcher\DeleteSatellite.exe"
    O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "F:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
    O4 - HKLM\..\RunOnce: [sys68157015] F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\9096ca98.exe delete
    O4 - HKLM\..\RunOnce: [sys151025875] F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\9096ca98.exe delete
    O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\RunOnce: [sys151025875] F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\9096ca98.exe delete
    O4 - Startup: Scheduler.lnk = F:\Program Files\SpyCatcher\Scheduler daemon.exe
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106342625169
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2635961B-C5D0-4A25-9B9F-47C334C55BC5}: NameServer = 142.161.2.155 142.161.130.155
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2635961B-C5D0-4A25-9B9F-47C334C55BC5}: NameServer = 142.161.2.155 142.161.130.155
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - F:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O21 - SSODL: XZvkzP - {902E3EE5-3A84-944F-C99B-61DA91AD2244} - F:\WINDOWS\System32\wua.dll
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    ***** ABOUT BUSTER ******
    -- Scan 1 ---------------------------
    About:Buster Version 4.0
    Reference List : 23
    
    
    Removed Data Streams:
    F:\WINDOWS\regopt.log:ompsi
    F:\WINDOWS\unvise32qt.exe:bmfwk
    
    
    Attempted Clean Of Temp folder.
    Pages Reset... Done!
    
    -- Scan 2 ---------------------------
    About:Buster Version 4.0
    Reference List : 23
    
    
    Removed Data Streams:
    F:\WINDOWS\regopt.log:ompsi
    F:\WINDOWS\unvise32qt.exe:bmfwk
    
    
    Attempted Clean Of Temp folder.
    Pages Reset... Done!
    
    -- Scan 3 ---------------------------
    About:Buster Version 4.0
    Reference List : 23
    
    No ADS found on system
    Attempted Clean Of Temp folder.
    Pages Reset... Done!
    
  • Buckeye_Sam Columbus, Ohio
    edited January 2005
    Please download and install CCleaner
    http://www.ccleaner.com/ccdownload.php
    Download(right click and select Save file as or Save link as): DelDomains.inf
    http://mvps.org/winhelp2002/DelDomains.inf

    To use: Close all open browsers
    Right-click DelDomains.inf and select: Install

    This should remove those 015 entries.
    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\RunOnce: [sys68157015] F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\9096ca98.exe delete
    O4 - HKLM\..\RunOnce: [sys151025875] F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\9096ca98.exe delete
    O4 - HKCU\..\RunOnce: [sys151025875] F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\9096ca98.exe delete
    Run CCleaner.
    Reboot and post a new hijackthis log.
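To see at a glance which lines of a HijackThis log like the ones above point at this hijacker (about:blank default page, cleared URLSearchHook, unnamed BHO, RunOnce entries executing from Temp, Trusted Zone additions, SSODL DLLs), here is an added Python example that is not from the thread or from HijackThis itself: the sample lines are copied from the logs posted here, and the flagging rules are assumptions drawn from what Buckeye_Sam asks to have fixed, not HijackThis's own logic.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AF22CF05-B24B-23F2-43FF-B4CBCDCE93E4} - F:\WINDOWS\ipcl.dll
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [sys68157015] F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\9096ca98.exe delete
O15 - Trusted Zone: *.frame.crazywinnings.com
O21 - SSODL: XZvkzP - {902E3EE5-3A84-944F-C99B-61DA91AD2244} - F:\WINDOWS\System32\wua.dll
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")      # "O4 - ..." style HijackThis entries
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)  # executable living under a Temp folder

def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for each entry worth a second look.
    Rules are assumptions based on this thread's indicators; an unflagged line is not proof it is clean."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # process list, headers and blank lines carry no entry code
        section, rest = m.groups()
        reason = None
        if section == "R1" and rest.lower().endswith("about:blank"):
            reason = "IE default page forced to about:blank"
        elif section == "R3" and "missing" in rest:
            reason = "URLSearchHook cleared (typical of this hijacker)"
        elif section == "O2" and "(no name)" in rest:
            reason = "unnamed BHO loading a DLL"
        elif section == "O4" and TEMP_DIR.search(rest):
            reason = "autorun entry executing from a Temp folder"
        elif section == "O15":
            reason = "site added to the IE Trusted Zone"
        elif section == "O21":
            reason = "ShellServiceObjectDelayLoad DLL; verify the publisher"
        if reason:
            findings.append((section, reason, line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```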