Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

about:blank


  • This topic is locked This topic is locked

#1
megillw

megillw

    New Member

  • Member
  • Pip
  • 5 posts
Hi!

I'm having trouble with the about:blank spyware. I've followed the instructions on your getting started page and CWShredder now comes up blank, but I can't reset the home page on ie, and it still has a funny 'reset menu settings" menu entry in the tools menu. I would just abandon it completely, and switch to firefox, but I seem to run into pages that won't run under anything but IE on a fairly regular basis :-(

I'll post the hijack this logs next post. Any help here would be most appreciated.

Cheers,
William
  • 0

Advertisements


#2
megillw

megillw

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi!

Here's the logfile after a virus sweep by sophos (which came up clean) and a reboot.

Cheers,
William


Logfile of HijackThis v1.99.1
Scan saved at 01:01:59, on 24/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS.0\System32\inetsrv\inetinfo.exe
C:\WINDOWS.0\System32\niSvcLoc.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS.0\system32\nipalsm.exe
C:\WINDOWS.0\system32\nipalsm.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\msbk.exe
C:\WINDOWS.0\System32\sistray.EXE
C:\WINDOWS.0\System32\khooker.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS.0\LTSMMSG.exe
C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS.0\system32\addyx32.exe
C:\WINDOWS.0\System32\ctfmon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.0\System32\wuauclt.exe
C:\WINDOWS.0\System32\wuauclt.exe
C:\ftp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {69CF0404-1DE2-88F0-5166-D451391C3676} - C:\WINDOWS.0\system32\d3le32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.0\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS.0\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS.0\System32\khooker.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [IMAQBoot] C:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [addyx32.exe] C:\WINDOWS.0\system32\addyx32.exe
O4 - HKLM\..\RunOnce: [msbk.exe] C:\WINDOWS.0\system32\msbk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F11562B-8634-4A11-9425-63DCFE88D382}: NameServer = 194.168.4.100 194.168.8.100
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS.0\System32\vbsys2.dll
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS.0\system32\nipalsm.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS.0\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS.0\System32\niSvcLoc.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS.0\d3fj32.exe (file missing)
  • 0

#3
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
You have a nasty About:Blank infection. This fix requires several

tools that need to be downloaded. Please download these now, we will

run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders:

http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you

can memorize these instructions, it would be a good idea to print

them out.


Boot into safe mode:
Restart your computer and as soon as it starts booting up again

continuously tap F8. A menu should come up where you will be given

the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file)

to post a copy for review.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean Up the left overs

Run HJT, close any open windows, and fix the following items (if they

are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.0\cnrju.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {69CF0404-1DE2-88F0-5166-D451391C3676} - C:\WINDOWS.0\system32\d3le32.dll
O4 - HKLM\..\Run: [addyx32.exe] C:\WINDOWS.0\system32\addyx32.exe
O4 - HKLM\..\RunOnce: [msbk.exe] C:\WINDOWS.0\system32\msbk.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS.0\System32\vbsys2.dll
O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS.0\d3fj32.exe (file missing)


Then delete the following files (if they exist):

C:\WINDOWS.0\system32\addyx32.exe
C:\WINDOWS.0\system32\msbk.exe
C:\WINDOWS.0\system32\d3le32.dll
C:\WINDOWS.0\System32\vbsys2.dll
C:\WINDOWS.0\d3fj32.exe


Reboot into normal mode (simply restart your computer as you normally

would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Then restart your computer one more time and post a new HJT log as

well as the About:Buster log I asked you to save earlier.

Edited by Efwis, 23 February 2005 - 07:36 PM.

  • 0

#4
megillw

megillw

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi!

Seems to have worked! Here's the logs:

Logfile of HijackThis v1.99.1
Scan saved at 02:57:52, on 24/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS.0\System32\inetsrv\inetinfo.exe
C:\WINDOWS.0\System32\niSvcLoc.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS.0\system32\nipalsm.exe
C:\WINDOWS.0\system32\nipalsm.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\System32\sistray.EXE
C:\WINDOWS.0\System32\khooker.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS.0\LTSMMSG.exe
C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS.0\System32\ctfmon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\ftp\HijackThis.exe
C:\WINDOWS.0\System32\wuauclt.exe
C:\WINDOWS.0\System32\wuauclt.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.0\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS.0\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS.0\System32\khooker.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [IMAQBoot] C:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS.0\system32\nipalsm.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS.0\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS.0\System32\niSvcLoc.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS.0\d3fj32.exe (file missing)

and

Scanned at: 02:02:08 on: 24/02/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


ADS not scanned System(FAT)
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

----------------

Thanks very much for your help. I'm not sure what to do about the two (missing file) references. Hijack this doesn't seem able to 'fix' them - I've tried several times, but they keep reappearing. Are they anything to worry about?

Cheers,
William
  • 0

#5
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
no nothing to worry about.

Your Log is Clean, But You Need to Update Windows and IE to get all the Latest Security Patches that Protects Your Computer.

This can be accessed by going to http://www.windowsupdate.com/ and following the prompts.

also, for Future Protection
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see
So how did I get infected in the first place?
  • 0

#6
megillw

megillw

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thanks! That's a relief! I'll get cracking on the protection front. I've been reluctant to install XP service pack 2 since the last time I tried, my whole system went completely unstable and I ended up having to rebuild from scratch. I understand this happens occasionally, and that MS is aware of the problem. Hopefully they've addressed it in newer releases of SP2. When I have time to deal with the upgrade, I'll give it another shot. Meantime, I think I'll stick to Firefox and watch my step...

Thanks again!

Cheers,
William
  • 0

#7
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
a lot of the unstability is because of malicious programs already on the computer. I have it installed and have had no problems at all.
  • 0

#8
megillw

megillw

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
might very well have been - until this recent bit of ugliness, I'd never heard of spyware, so my machine might very well have been swamped. I'll take your advice and go install SP2 (but not tonight - 3:30 am and I've got to catch a train in 3 hours! :-)

Thanks again!

William

PS. how do I go about making a donation to geekstogo? Can't seem to find a link on the website?
  • 0

#9
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Geeks to go doesn't have a site wide donation system. they have chosen to have the helpers recieve the donation instead. if you would still like to do this then click on my name and contact me by pm as I have not installed my link yet.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP