#1
nyam-nyam.biz?search hijack
I also got this nasty bugger, here is the hijackthis file, as you can see there is nothing suspicious in it. BTW the about.htm mentioned at R0 did not exist.
Logfile of HijackThis v1.99.0
Scan saved at 21:33:57, on 04.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Programme\ScanSoft\OmniPagePro11.0\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Spyware Doctor\swdoctor.exe
C:\Programme\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\proquota.exe
C:\WINDOWS\system32\logon.scr
M:\Box\CWS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bluewin.ch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Omnipage] C:\Programme\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Programme\Palm\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Programme\Palm\hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.bluewin.ch
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104149457625
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcj.ch
O17 - HKLM\Software\..\Telephony: DomainName = bcj.ch
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcj.ch
O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe

I have done some manual cleaning of the root of C: and deleted any suspicious files, even non-executables and 0-byters that are not part of the OS. There was even a 0 byte ntldr with a different extension. Additionally I found a suspicious dll in the "%program files%\PPC Advertor" directory called ppc.dll, which was alone in its own directory. Also I found that there was an odd wmplayer.exe.tmp file in the Windows Media Player directory, which I also deleted as a version check showed empty spaces. Strangely enough, wmplayer had been renamed on 21.12.2004 (most likely the day of the infection)! I have not done anything in the registry.
After this the browser came up with about:blank in the address field and a browser error (the nyam-nyam page was gone). After resetting the start page everything was fine and the hijack did not reappear. Sorry that I cannot give the specific file that caused this; however, it must have been one of the three above.
Leone
#2
I can confirm that this ****ing spyware is the lonely dll called "ppc.dll".
I had the same problem, and since I deleted this file the search engine start page nyamnyam.byz does not reappear.
#3
Thanks for confirming this. Now the big question remains: how on earth is this file being called anyway? There are no traces in the registry, so it must be called through another file. I mean you cannot find any trace in AppInit_DLLs nor in the Run sections of the registry, nor does the actual filename ever appear in the registry. So how did they do it? That is the big mystery. It appears that hijack programmers have found a new exploit. Maybe someone can shed some light on this.
Leone
#4
The only thing that I know about this file is that you can't delete it while you are connected to the internet, because it is used by another program. You have to turn off your internet connection first if you want to kill it.
So, it can detect when your internet connection is on.
#5
Hi Leone, I have done some more research and this hijack may be related to the CWS findmenow variant. Please download CWShredder from here and save it to a convenient location such as your Desktop.
Close ALL browser windows or it may not work!
Run CWShredder and select "Fix" (do not just Scan). It will automatically remove the infections.
Please post your results.
Tom
#6
You see, I was able to delete the file without having recourse to safe mode. IE was not started at that time. But the internet connection was over the LAN, so always open. So I guess it must be IE that calls the dll, though as said above there are no traces in the registry. I also have no possibility to check it again, as when deleting the dll the problem's gone and I would not know how to get infected again.
Leone
#7
same hijack
I've got the same hijack on a customer's machine.
I already found the ppc.dll yesterday and deleted it. Now whenever I run Internet Explorer it crashes. The crash doesn't happen in safe mode. It's a fully updated Windows XP Home. I found this in the registry; deleting it didn't help with anything.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\TypeLib\{53B95204-7D77-11D2-9F81-00104B107C96}]
[HKEY_CLASSES_ROOT\TypeLib\{53B95204-7D77-11D2-9F81-00104B107C96}\1.0]
@="About 1.0 Type Library"
[HKEY_CLASSES_ROOT\TypeLib\{53B95204-7D77-11D2-9F81-00104B107C96}\1.0\0]
[HKEY_CLASSES_ROOT\TypeLib\{53B95204-7D77-11D2-9F81-00104B107C96}\1.0\0\win32]
@="C:\\Program Files\\PPC Advertor\\ppc.dll"
[HKEY_CLASSES_ROOT\TypeLib\{53B95204-7D77-11D2-9F81-00104B107C96}\1.0\FLAGS]
@="0"
[HKEY_CLASSES_ROOT\TypeLib\{53B95204-7D77-11D2-9F81-00104B107C96}\1.0\HELPDIR]
@="C:\\Program Files\\PPC Advertor\\"
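The registry export above is the one place in this thread where ppc.dll does show up: a HKCR\TypeLib registration, which HijackThis did not list and which post #3 did not think to check. As an added example (not code from this thread or any of its posters), the Python below parses a .reg export, lists every TypeLib binary registration, and puts those outside the Windows system directories on a review list. The sample export is constructed from the keys quoted above plus one made-up placeholder entry, and the trusted-directory list is a triage assumption, not a rule.

```python
import re
# Constructed sample: the TypeLib keys quoted in post #7 above, plus one made-up
# system32 entry (placeholder GUID and file name) so the filter has something to keep.
REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\TypeLib\{53B95204-7D77-11D2-9F81-00104B107C96}\1.0]
@="About 1.0 Type Library"
[HKEY_CLASSES_ROOT\TypeLib\{53B95204-7D77-11D2-9F81-00104B107C96}\1.0\0\win32]
@="C:\\Program Files\\PPC Advertor\\ppc.dll"
[HKEY_CLASSES_ROOT\TypeLib\{00000000-0000-0000-0000-000000000000}\1.0\0\win32]
@="C:\\WINDOWS\\system32\\example.tlb"
"""
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')
# ...\TypeLib\{guid}\<version>\<lcid>\win32 (or win64) names the binary hosting the library
TYPELIB_BIN_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\TypeLib\\(\{[0-9A-Fa-f-]+\})\\([^\\]+)\\\d+\\win(32|64)$")
# Assumed "normal" homes for type-library binaries; anything else goes on the review list
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1).strip('"')
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                # .reg strings escape backslashes and quotes with a backslash
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            keys[current][name] = value
    return keys

def typelib_binaries(keys):
    """Return [(guid, version, path)] for every win32/win64 TypeLib binary key."""
    found = []
    for key, values in keys.items():
        m = TYPELIB_BIN_RE.match(key)
        if m and "(Default)" in values:
            found.append((m.group(1), m.group(2), values["(Default)"]))
    return found

def suspicious_typelibs(keys, trusted_dirs=TRUSTED_DIRS):
    """TypeLib binaries outside trusted_dirs: a triage list for review, not a verdict."""
    return [t for t in typelib_binaries(keys) if not t[2].lower().startswith(trusted_dirs)]
```

On a live machine the input would be the output of `reg export HKCR\TypeLib typelib.reg`; a flagged path still has to be checked by hand, since legitimate software also registers type libraries under Program Files.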
#8
get THIS
OK, so I uninstalled Service Pack 2, reinstalled IE6, and then reinstalled SP2, and Internet Explorer is still crashing, but not in safe mode.
ANYONE!?!? HELP!?!?!
#9
fixed...! (?)
Had to delete this:
C:\Windows\System32\lsd_f3.dll
And then cleared the registry using System Mechanic. Seems to be going fine.
Dev Shed Forums > System Administration > Antivirus Protection > nyam-nyam.biz?search hijack