Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

about:blank

Started by ashbash , Apr 17 2005 07:55 AM

  • Please log in to reply

#1
ashbash
Posted 17 April 2005 - 07:55 AM

ashbash

    New Member

  • Member
  • Pip
  • 2 posts
Lost our home page to the about:blank virus,
AVG and Adaware didn't stop it. Have since installed Norton Internet Security Package and Webroot Spysweep both detect the virus but are unable to remove it. Infact spysweep detects it removes it only for it to reappear. I have done some research on the net which would suggest that the problem is that there are two files, one that is visible and one that is not and that the invisible file is the problem as it will regenerate the visible file if it is quarantined or removed. Please advise on how to remove as I have been advised that this file risides in the key registry and is probably sending keying information to a third party.
Our pc runs on xp professional, we have a broadband connection and do have a firewall with the new Norton package installed. The xp runs with sp1. The pc is set up with a C drive that has the o/s and other programs whilst all our work is saved on a secondry hard drive labelled D. The scans indicate that the D drive is clean. I am hoping not to format the C drive unless as a last resort as we also have alot of email saved in a number of files in Outlook Express.
I hope you can help.
We have just managed to get a highjack log. I hope this helps here it is:
Logfile of HijackThis v1.99.1
Scan saved at 15:13:20, on 17/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Lotus\organize\easyclip.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\Lotus\smartctr\SMARTCTR.EXE
D:\Lotus\smartctr\SUITEST.EXE
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\michael alexander\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ntlworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10925CA8-9422-4470-84D7-4B1C46573898} - C:\WINDOWS\System32\dskrfuoui.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NT Service] ntoksrnl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
O4 - HKLM\..\RunServices: [NT Service] ntoksrnl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: Lotus SmartCenter.lnk = D:\Lotus\smartctr\SMARTCTR.EXE
O4 - Global Startup: Lotus SuiteStart.lnk = D:\Lotus\smartctr\SUITEST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: http://www.ntlworld.com
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: Sametime Meeting Room Client ST30SP1 - https://meetings.ama...gRoomClient.cab
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://amadeusvista....toUpdateATL.CAB
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - https://meetings.ama...STJNILoader.cab
O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://amadeusvista....istaPWComms.CAB
O16 - DPF: {3D518D7D-422F-4787-AC71-10BB552E897B} (Amadeus_SP2_Patcher Class) - http://amadeusvista....bs/SP2Patch.CAB
O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://amadeusvista..../MSIInspect.CAB
O16 - DPF: {E90EF4C9-1476-4C49-B926-97C7D9D30A06} (Certificates_Info Class) - http://certificates....CCCert_Info.CAB
O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://amadeusvista....AmadeusInit.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{28E7EBCB-6853-46FD-96E7-20F28DD089AC}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F94DE70-45AD-4EAF-B7B3-22386F768303}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD2B0A23-0ABD-49F8-B100-A58FECB001D2}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{28E7EBCB-6853-46FD-96E7-20F28DD089AC}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{28E7EBCB-6853-46FD-96E7-20F28DD089AC}: NameServer = 69.50.184.85,195.225.176.37
O18 - Filter: text/html - {E0E7C65F-7D29-4736-BC1D-4B82E365E0FE} - C:\WINDOWS\System32\dskrfuoui.dll
O18 - Filter: text/plain - {E0E7C65F-7D29-4736-BC1D-4B82E365E0FE} - C:\WINDOWS\System32\dskrfuoui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Many thanks

ash.

Edited by ashbash, 17 April 2005 - 08:17 AM.

  • 0

Advertisements

#2
ashbash
Posted 22 April 2005 - 01:32 PM

ashbash

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Please help, I posted here nearly one week ago and I am worried that I may not have put the correct info on here to get help, if so please advise, and that this Hijack may be passing on sensitive info. etc. re our passwords etc.

Thanks in advance

Ashbash
  • 0

#3
desmith2000
Posted 25 April 2005 - 05:54 AM

desmith2000

    New Member

  • Member
  • Pip
  • 1 posts
If you want to post help in the Malware Removal forum here at GTG, you need to be a staff member. Click here to join Geek U.

ScHwErV :tazz:

Edited by Geek U Moderator

Edited by ScHwErV, 25 April 2005 - 09:48 AM.

  • 0

#4
ScHwErV
Posted 25 April 2005 - 09:50 AM

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
ashbash

HiJackThis does not send any personal information.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Good Luck

ScHwErV :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP