About.blank Hijacker [CLOSED]


#1 Simon Jacques (New Member, 2 posts)

I have used Ad-aware, Spybot and some other spyware removers. No luck. My desktop has the message that IE has a fatal error and the background is completely blue. The homepage it always goes to is About.blank which is advertising various spyware products. I would appreciate any help.
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 8:20:48 PM, on 05/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\System32\SMSSU.EXE
D:\WINDOWS\System32\Tmntsrv32.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\system32\pctspk.exe
D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
D:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
D:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
D:\WINDOWS\Chatut.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nvdtl\Xkfb.exe
D:\WINDOWS\System32\winamp.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\SMSSU.EXE
D:\WINDOWS\System32\Tmntsrv32.EXE
C:\wp.exe
D:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\WINZIP\winzip32.exe
D:\Documents and Settings\cwinxp\Local Settings\Temp\HijackThis.exe

R3 - URLSearchHook: (no name) - _{cfbfae00-17a6-11d0-99cb-00c04fd64497} - (no file)
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - D:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Chatut] D:\WINDOWS\Chatut.exe
O4 - HKLM\..\Run: [Pndvoovz] C:\Program Files\Odwgj\Iunt.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySpotter] D:\Program Files\SpySpotter\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [Qwnthfn] C:\Program Files\Nvdtl\Xkfb.exe
O4 - HKLM\..\Run: [Winamp Agent] D:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] D:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [Local Security Authority Service] D:\WINDOWS\System32\lssas.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SMSSU] D:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] D:\WINDOWS\System32\Tmntsrv32.EXE
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [senn87] D:\WINDOWS\System32\senn87.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download KillBox http://www.greyknigh...spy/KillBox.exe. Don't run it yet.

Reboot into Safe Mode by hitting the F8 key until the menu shows up. On some systems this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SpySpotter - it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Spyware Vanisher or FreeScanner


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - _{cfbfae00-17a6-11d0-99cb-00c04fd64497} - (no file)
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - D:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [Chatut] D:\WINDOWS\Chatut.exe
O4 - HKLM\..\Run: [Pndvoovz] C:\Program Files\Odwgj\Iunt.exe
O4 - HKLM\..\Run: [SpySpotter] D:\Program Files\SpySpotter\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [Qwnthfn] C:\Program Files\Nvdtl\Xkfb.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] D:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [Local Security Authority Service] D:\WINDOWS\System32\lssas.exe
O4 - HKCU\..\Run: [SMSSU] D:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] D:\WINDOWS\System32\Tmntsrv32.EXE
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [senn87] D:\WINDOWS\System32\senn87.exe


Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\Program Files\Nvdtl\
C:\Program Files\Odwgj\
c:\spywarevanisher-free\
C:\wp.exe
c:\wp.bmp
D:\Program Files\SpySpotter\
D:\WINDOWS\Chatut.exe
D:\WINDOWS\System32\csrs.exe
D:\WINDOWS\System32\lssas.exe
D:\WINDOWS\System32\senn87.exe
D:\WINDOWS\System32\SMSSU.EXE
D:\WINDOWS\System32\Tmntsrv32.EXE
D:\WINDOWS\xmllib.dll


Reboot into Normal Mode and run a new HijackThis scan. Save the log file and post it here.

Can you change your background now? I want you to right click on your Desktop and go to Properties. How many tabs do you have there?
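An added example, not from this thread or from the HijackThis tool itself: a small Python triage script that parses O4 (autostart) lines like the ones listed above and flags the two patterns this log shows, an executable named one or two characters off a core Windows binary (csrs.exe, lssas.exe, SMSSU.EXE) and an executable sitting in a drive root (c:\wp.exe). The core-binary list and the sample lines are constructed for the example.

```python
import re

# One HijackThis O4 (autostart) entry: "O4 - HKLM\..\Run: [Name] <command>"
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Core Windows binaries that malware names mimic; they start from the kernel or
# winlogon, never from a Run key, so an exact match is suspect too (constructed list).
CORE_BINARIES = ("smss.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                 "services.exe", "svchost.exe", "explorer.exe")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one- or two-character lookalikes score 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_o4(line: str) -> list:
    """Return the reasons an O4 line looks suspicious (empty list if none)."""
    m = O4_RE.match(line)
    if not m:
        return []
    cmd = m["cmd"].strip()          # strip quotes and arguments -> bare path
    path = (cmd[1:].split('"', 1)[0] if cmd[0] == '"' else cmd.split(" ", 1)[0]).lower()
    exe = path.rsplit("\\", 1)[-1]
    reasons = []
    for core in CORE_BINARIES:
        d = edit_distance(exe, core)
        if d == 0:
            reasons.append(f"core binary {core} never starts from a Run key")
        elif d <= 2:
            reasons.append(f"lookalike of {core}")
    if re.fullmatch(r"[a-z]:\\[^\\]+", path):   # e.g. c:\wp.exe
        reasons.append("executable sitting in a drive root")
    return reasons

def scan(log: str) -> dict:
    """Map each flagged O4 entry name to its reasons."""
    hits = ((O4_RE.match(l), flag_o4(l)) for l in log.splitlines())
    return {m["name"]: why for m, why in hits if why}

# Constructed sample: five O4 lines copied from the log posted in this thread.
SAMPLE = r"""O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [Client Server Runtime Process] D:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [Local Security Authority Service] D:\WINDOWS\System32\lssas.exe
O4 - HKCU\..\Run: [SMSSU] D:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe"""
```

Running scan(SAMPLE) flags the four bogus entries and leaves the quoted PC-cillin line alone; a hit is a reason to look closer, not proof on its own.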

#3 Simon Jacques (Topic Starter, New Member, 2 posts)

I am using Firefox now as recommended but I still have problems operating my computer from the desktop.
Thanks a lot for all your help but some things are still on my computer [as you will see below]. The 2 ones HijackThis and KillBox could not get rid of were

D:\Windows\System32\smssu.exe & System32\Tmntsrv32.exe, which are now each appearing twice rather than once. Can I just send these to the recycle bin and delete them this way?

Why is this? I don't get it. My desktop now has a black background [which is ok] but right-clicking on it shows the Properties option to be grayed out.
Anyway, here is the report. If you can fix this I will donate something to you.

Logfile of HijackThis v1.99.1
Scan saved at 9:00:03 PM, on 05/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\System32\SMSSU.EXE
D:\WINDOWS\System32\Tmntsrv32.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\system32\pctspk.exe
D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
D:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
D:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\System32\winamp.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\SMSSU.EXE
D:\WINDOWS\System32\Tmntsrv32.EXE
D:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\HijackThis.exe
D:\WINDOWS\System32\ss.exe

O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - D:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winamp Agent] D:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SMSSU] D:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] D:\WINDOWS\System32\Tmntsrv32.EXE
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Reboot into Safe Mode by hitting the F8 key until the menu shows up. On some systems this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Security IGuard
Virtual Maid
Search Maid


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - D:\WINDOWS\xmllib.dll
O4 - HKCU\..\Run: [SMSSU] D:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] D:\WINDOWS\System32\Tmntsrv32.EXE

Copy the below in bold:

d:\wp.exe
d:\wp.bmp
d:\Windows\sites.ini
d:\Windows\popuper.exe
d:\WINDOWS\System32\wldr.dll
d:\Windows\System32\helper.exe
d:\Windows\System32\intmonp.exe
d:\Windows\System32\msmsgs.exe
d:\Windows\System32\ole32vbs.exe
d:\Windows\system32\msole32.exe
D:\WINDOWS\System32\SMSSU.EXE
D:\WINDOWS\System32\Tmntsrv32.EXE
D:\WINDOWS\System32\ss.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Delete these folders if they exist:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard


To fix the wallpaper/background problem, right click on this link and choose Save As. Save that file somewhere. Now double click on that file you just saved and say Yes to add/merge it into the registry.

Restart and post a new HijackThis log.

#5 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.