#1
about:blank nyam-nyam.biz hijacker variant. Help!
I've tried SpyBot, Adware Away, etc. None of it recognizes this hijacker. I even read the other thread about the Nyam Variant but it doesn't show on my HijackThis log. Am I doing something wrong????
Please help! Here is my HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 10:32:54 PM, on 1/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Milk\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {6AB4B07E-D9D2-407C-9B55-67903C86594E} - C:\WINDOWS\System32\pliii.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1611c9b56ece7a4b2304/netzip/RdxIE601.cab
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Thank you.
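A small triage script for the log format used in this thread, added here as an example and not part of any post. It parses the HijackThis entries and flags the things a reviewer would look at first: O2 BHOs with no name or a missing file, O16 ActiveX packages pulled from a file:// path or a bare IP address, and processes running out of the user's Temp folder. The sample input is a cut-down copy of the log in post #1 (the full process list is not repeated). On that input it reports four hits; the Temp hit is HijackThis.exe itself, which was run straight out of the unzipped temp folder, the kind of expected noise a heuristic produces and a reviewer discards. Nothing here says which entry is the hijacker; it only orders what to look at.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Cut-down copy of the HijackThis log posted in #1 (most process lines omitted).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 10:32:54 PM, on 1/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Milk\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {6AB4B07E-D9D2-407C-9B55-67903C86594E} - C:\WINDOWS\System32\pliii.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1611c9b56ece7a4b2304/netzip/RdxIE601.cab
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O2 - BHO: ..." style lines
IP_HOST_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")  # bare dotted-quad host


@dataclass
class Finding:
    section: str   # "O2", "O16", ... or "process"
    entry: str     # the log line (minus the "Oxx - " prefix)
    reasons: list  # why it was flagged


def _url_in(entry):
    m = re.search(r"(\w+://\S+)", entry)
    return m.group(1) if m else None


def check_entry(section, body):
    """Heuristics for one Oxx entry; returns a (possibly empty) list of reasons."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("refers to a file that is no longer on disk (orphaned or hidden component)")
    if section == "O2" and "(no name)" in body:
        reasons.append("browser helper object registered without a name")
    if section == "O16":
        url = _url_in(body)
        if url:
            parsed = urlparse(url)
            if parsed.scheme == "file":
                reasons.append("ActiveX package installed from a local file:// path")
            elif IP_HOST_RE.match(parsed.hostname or ""):
                reasons.append("ActiveX package downloaded from a bare IP address")
    return reasons


def check_process(path):
    """Heuristic for a 'Running processes' line."""
    if "\\local settings\\temp\\" in path.lower():
        return ["executable running from the user's Temp directory"]
    return []


def triage(log_text):
    """Walk a HijackThis log and return the entries worth a second look, in log order."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False       # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            section, body = m.groups()
            reasons = check_entry(section, body)
        elif in_processes:
            section, body = "process", line
            reasons = check_process(line)
        else:
            continue                   # header lines (Logfile of ..., Platform: ...)
        if reasons:
            findings.append(Finding(section, body, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.entry}")
        for r in f.reasons:
            print(f"    - {r}")
```

Feed it a full log instead of the sample and it will list every "(file missing)" entry, every unnamed BHO and every DPF package that did not come from a named host. Entries such as the RdxIE package from software-dl.real.com are deliberately not flagged: a named vendor host is not by itself a reason, and the point of the script is to shorten the list, not to replace the reviewer.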
#2
My HijackThis log looks about the same, i.e. no visible traces of a hijacker. I have tried about just everything possible under the sun, moon and stars and have removed a lot of malware and trojans, yet this one persists. It appears to not have any service, dll or exe associated with it, at least there is no trace of such a running service or dll. I have removed just about any suspicious dll or exe from the windows and system32 directory that was created after the last known installation date. Even so the nyam-nyam.biz search is able to hijack the browser. In this case someone has come up with something new. I mean even in the registry HKCU/Software/Microsoft/Internet Explorer/Main,StartPage is the correct one! Yet the browser starts with the nyam-nyam.biz search engine and about:blank.
I am glad for any suggestions. Leone
#3
Quote:
Leone: If you'd like someone to look at your HijackThis log, please create your own thread, rather than replying to someone else's thread.
#4
Bump.
Any suggestions?????
#5
Have a look at my post at:
http://forums.devshed.com/t216200/s.html maybe this can help, I got rid of the bugger. Though none of the existing tools was of any help, sometimes you just need to roll up your sleeves and have a look at file creation dates and odd files in your system and program dirs. cheers, Leone
#6
Where did you find the 3 suspicious files?
#7
When I run LSP-Fix I get these 3 files:
mswsock.dll - Tcpip
winrnr.dll - NTDS
rsvpsp.dll - (Protocol Handler)
Could any of these be it??
#8
I think I can confirm part of Leone's solution as the cause of this nyam hijack business.

SHORT SOLUTION: Start up in safe mode. Delete directory ":\Program Files\PPC Advertor\". Open IE and type in a new start page. Restart to normal Windows.

I tried every means of spyware and hijacker removal at my disposal (SB-SD, Ad-Aware, CWShredder, HijackThis) to no avail, just as others who are reporting this hijack. In particular though, the "PPC.dll" under "\program files\PPC Advertor\" got my attention because when trying to delete it I got a 'file in use' error. So I started up the computer in safe mode, deleted the entire "PPC Advertor" directory, opened IE and manually typed in a new start page. Changing the start page may not be necessary while in safe mode. After restarting the computer the hijack has been fixed.
#9
Hi BigBlackCloud,
If you would like a final review of your HijackThis log, please post a fresh log. Tom
__________________
HijackThis, Ad-aware, Spybot Search & Destroy, SpywareBlaster, SpywareGuard, Housecall Online A/V Scan. Please read the stickies at the top of the forum before posting!
#10
I found PPC Advertor on my computer last night. I immediately checked my firewall for incoming/outgoing traffic that shouldn't be there and found incoming UDP that was suspicious and possibly related. I'll provide the info here in case anyone wants to check for the same.
There were 3 IPs. When the first failed, the next two started:
24.28.99.61
24.28.99.62
24.28.99.63
I added some advanced rules to block them. The trace route times out now. But, last night it didn't. The origin was in Houston, TX. Sorry, I didn't copy the info last night. Anyway, I used CCleaner to remove the registry entry of PPC Advertor. After that, I deleted the PPC Advertor folder found at c:/program files/ppc advertor. When I started my browser, it didn't start at about:blank (which is what I use by default) or any website. It did, however, give a page not found error message. Also to note, the IPs above were using the ndisuio.sys and TCAITDI.sys files. While I am not positive of the relation of these problems, you can confirm or deny this by checking your own firewall. Hope this info helps and delivers us some new info. Thanks, Fast
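The check the post above asks readers to do ("checking your own firewall") can be scripted. Below is an added example, not code from any post: it reads a Windows Firewall log in the W3C-style pfirewall.log layout (the `#Fields:` header names the columns), counts inbound UDP packets per non-private source address, and rolls the counts up to /24 networks so that a source that moves between neighbouring hosts, as the three addresses above did, shows up as one range with several hosts rather than three unrelated one-offs. The sample log is constructed: the three source addresses are the ones listed in the post, every other value (timestamps, the 192.168.1.x LAN, the 203.0.113.10 outbound peer, ports) is made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the pfirewall.log layout. Only the 24.28.99.x sources come
# from the thread; all other addresses, times and ports are invented for the example.
SAMPLE_FIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-01-03 22:01:10 DROP UDP 24.28.99.61 192.168.1.5 1026 1026 80 - - - - - - - RECEIVE
2005-01-03 22:01:12 DROP UDP 24.28.99.61 192.168.1.5 1026 1027 80 - - - - - - - RECEIVE
2005-01-03 22:01:15 DROP UDP 24.28.99.62 192.168.1.5 1026 1026 80 - - - - - - - RECEIVE
2005-01-03 22:01:17 DROP UDP 24.28.99.63 192.168.1.5 1026 1026 80 - - - - - - - RECEIVE
2005-01-03 22:02:00 OPEN TCP 192.168.1.5 203.0.113.10 1140 5190 - - - - - - - - SEND
2005-01-03 22:02:30 DROP UDP 192.168.1.1 192.168.1.5 67 68 300 - - - - - - - RECEIVE
"""


def parse_pfirewall_log(text):
    """Yield one dict per data line, keyed by the column names from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                       # other header/comment lines
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                       # skip a malformed line rather than misalign columns
        yield dict(zip(fields, values))


def external_inbound_udp(text):
    """Count inbound (RECEIVE) UDP packets per source address outside private ranges."""
    counts = defaultdict(int)
    for rec in parse_pfirewall_log(text):
        if rec["protocol"] != "UDP" or rec["path"] != "RECEIVE":
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue                       # "-" or garbage in the src-ip column
        if src.is_private:
            continue                       # LAN chatter such as DHCP is not of interest here
        counts[str(src)] += 1
    return dict(counts)


def summarize_by_prefix(counts, prefix_len=24):
    """Roll per-host counts up to /prefix_len networks: {network: (packets, distinct hosts)}."""
    nets = defaultdict(lambda: [0, set()])
    for host, hits in counts.items():
        net = ipaddress.ip_network(f"{host}/{prefix_len}", strict=False)
        nets[str(net)][0] += hits
        nets[str(net)][1].add(host)
    return {net: (hits, len(hosts)) for net, (hits, hosts) in nets.items()}


if __name__ == "__main__":
    per_host = external_inbound_udp(SAMPLE_FIREWALL_LOG)
    for host, n in sorted(per_host.items()):
        print(f"{host:16} {n} inbound UDP packet(s)")
    for net, (n, hosts) in summarize_by_prefix(per_host).items():
        print(f"{net:18} {n} packet(s) from {hosts} distinct host(s)")
```

On the sample this reports 24.28.99.61 twice and .62 and .63 once each, and one /24 with four packets from three hosts; the DHCP line from the LAN router is filtered out as private. A range with several distinct senders is the case where blocking the single address you saw last night is not enough, which matches the observation in the post that the next address started when the first was blocked.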
Viewing: Dev Shed Forums > System Administration > Antivirus Protection > about:blank nyam-nyam.biz hijacker variant. Help!