about:blank Quick Web Search

Posted by: imtomr

Posting my log. Please review and advise.

Thanks in advance.

Tom Roberts



Posted by: imtomr

I don't see my attachment, so I will post the log.

Logfile of HijackThis v1.99.1
Scan saved at 4:10:01 PM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\javaxo32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\javamr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spmfg.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spmfg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spmfg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spmfg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spmfg.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spmfg.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {62794EE0-B02F-CC2E-795B-B9C0ABFCDF9A} - C:\WINDOWS\system32\sdkvj32.dll
O4 - HKLM\..\Run: [javaxo32.exe] C:\WINDOWS\javaxo32.exe
O4 - HKLM\..\RunOnce: [javaja.exe] C:\WINDOWS\javaja.exe
O4 - HKLM\..\RunOnce: [atluu.exe] C:\WINDOWS\atluu.exe
O4 - HKLM\..\RunOnce: [javamr.exe] C:\WINDOWS\javamr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {9FFE4756-72C0-4BE7-9F56-DE729D949F10} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9FFE4756-72C0-4BE7-9F56-DE729D949F10} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://intranet
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409[/url]
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - [url]http://vapwea.ops.placeware.com/etc/place/ERASER/VAEpws-a1/5.1.7.413/lib/quicksilver.cab[/url]
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - [url]http://aolcc.aol.com/computercheckup/qdiagcc.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {78FAE917-35E2-4A6B-9B40-000AD226482B} (MSN Money Ticker) - [url]http://moneycentral.msn.com/cabs/ticker.cab[/url]
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - [url]http://moneycentral.msn.com/cabs/pmupdate2.exe[/url]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url]http://www.pandasoftware.com/activescan/as5/asinst.cab[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - [url]http://www.live365.com/players/play365.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = parente.dom
O17 - HKLM\Software\..\Telephony: DomainName = parente.dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = parente.dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = parente.dom
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apitm32.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: DeviceID Authentication Agent (ServiceWrapper) - Unknown owner - C:\PROGRA~1\iPass\DeviceID\bin\ServiceWrapper.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: VNC (WinVNC) - Unknown owner - C:\WINDOWS\system32\rc\winvnc.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe




Posted by: Lobos

Hello imtomr

Welcome to Tech Forums

We'll need to download these program(s) to help us deal with the "[b]About:Blank[/b]" infection:

-

Download, unzip to your desktop [url=http://www.intermute.com/spysubtract/cwshredder_download.html]CWShredder[/url] and run it, then:

1. Click "[b][i]Check For Update[/i][/b]" make sure your version is 2.14

([i]If an update isn't available, skip to step #4.[/i])

2. Click "[b][i]Click here to Download the update[/i][/b]".
3. When the new version has been downloaded, click "[b][i]Save[/i][/b]".
4. Exit the program.


Download, unzip to your desktop [url=http://www.majorgeeks.com/download4289.html]About:Buster[/url] and run it, then:

1. Click "[b][i]Update[/i][/b]".
2. Click "[b][i]Check For Update[/i][/b]"

([i]If no new version is available, skip to step #4[/i].)

3. Click "[b][i]Download Update[/i][/b]", and wait for it to be installed.
4. Exit the program.


===============

Download the [url=http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.removal.tool.html]Backdoor Agent[/url] cleanup utility from [b]Symantec[/b] and follow the instructions on their page.

===============

Reboot your computer into "[url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam]Safe Mode[/url]"

===============

Next, locate [url=http://www.intermute.com/spysubtract/cwshredder_download.html]CWShredder[/url] that you downloaded earlier and run it, then:

1. Click "[b][i]Fix ->[/i][/b]"

===============

Next, locate [url=http://www.majorgeeks.com/download4289.html]About:Buster[/url] that you downloaded earlier and run it, then:

1. Click "[b][i]Start[/i][/b]".

([i]Wait for the initial ADS scan to complete.[/i])

2. Click "Yes", to shutdown any IE session currently open.

([i]Wait for the about:blank scan to complete.[/i])

3. Click "[b][i]Ok[/i][/b]", to scan once more.
4. Click "[b][i]Yes[/i][/b]", to shutdown any IE sessions currently open.
5. Click "[b][i]Yes[/i][/b]", to begin the second pass.

6. Click "[b][i]Save log[/i][/b]", and post this log back along with your new log.
7. Click "[b][i]Exit[/i][/b]".
8. Click "[b][i]Exit[/i][/b]".

===============

Reboot your computer normally.

===============

Run [b]HiJackThis[/b] then:

1. Click "[b][i]Config...[/i][/b]"
2. Click "[b][i]Misc Tools[/i][/b]"
3. Click "[b][i]Open Process manager[/i][/b]"

-

Next, while holding down the [b]CTRL[/b] key, locate ([i]if present[/i]) and click on ([i]highlight[/i]) each of the following:

[b][color=#000000]C:\WINDOWS\[/color][color=#ff0000]javaxo32.exe[/color][/b]
[b][color=#000000]C:\WINDOWS\[/color][color=#ff0000]javamr.exe[/color][/b]

Now double-check and make sure that only those item(s) above are highlighted, then click "[b][i]Kill process[/i][/b]". Now, click "[b][i]Refresh[/i][/b]", check again, and repeat this step if any remain.

===============

Now, let's open a [b]command prompt[/b] and unregister the dll(s) we're going to remove, by entering the following:

[b][color=#000099]regsvr32 /u[/color] [color=#ff0000]sdkvj32.dll[/color][/b]

It's ok if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run [b]HiJackThis[/b] and click "[b][i]Scan[/i][/b]", then check (tick) the following, if present:


[color=#9933cc][b] R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spmfg.dll/sp.html#44768 [/b][/color]
[color=#9933cc][b] R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spmfg.dll/sp.html#44768 [/b][/color]
[color=#9933cc][b] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about :blank [/b][/color]
[color=#9933cc][b] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spmfg.dll/sp.html#44768 [/b][/color]
[color=#9933cc][b] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spmfg.dll/sp.html#44768 [/b][/color]
[color=#9933cc][b] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spmfg.dll/sp.html#44768 [/b][/color]
[color=#9933cc][b] R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spmfg.dll/sp.html#44768 [/b][/color]

[color=#9933cc][b] R3 - Default URLSearchHook is missing [/b][/color]

[color=#9933cc][b] O2 - BHO: (no name) - {62794EE0-B02F-CC2E-795B-B9C0ABFCDF9A} - C:\WINDOWS\system32\sdkvj32.dll [/b][/color]

[color=#9933cc][b] O4 - HKLM\..\Run: [javaxo32.exe] C:\WINDOWS\javaxo32.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\RunOnce: [javaja.exe] C:\WINDOWS\javaja.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\RunOnce: [atluu.exe] C:\WINDOWS\atluu.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\RunOnce: [javamr.exe] C:\WINDOWS\javamr.exe [/b][/color]

[color=#9933cc][b] O9 - Extra button: Microsoft AntiSpyware helper - {9FFE4756-72C0-4BE7-9F56-DE729D949F10} - (no file) (HKCU) [/b][/color]
[color=#9933cc][b] O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9FFE4756-72C0-4BE7-9F56-DE729D949F10} - (no file) (HKCU) [/b][/color]

[color=#9933cc][b] O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - [url]http://moneycentral.msn.com/cabs/pmupdate2.exe[/url] [/b][/color]

[color=#9933cc][b] O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apitm32.exe (file missing) [/b][/color]


Now, with all windows closed except [b]HiJackThis[/b], click "[b][i]Fix checked[/i][/b]".

===============

Locate and [color=#ff0000][i]delete the following item(s)[/i][/color], if present. Make sure you're able to view system and hidden files/folders:

[i]files...[/i]

[b]C:\WINDOWS\[color=#ff0000]javaxo32.exe[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]javamr.exe[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]spmfg.dll[/color][/b]
[b]C:\WINDOWS\system32\[color=#ff0000]sdkvj32.dll[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]javaja.exe[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]atluu.exe[/color][/b]

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '[i]in use[/i]', try deleting them from "[url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam]Safe Mode[/url]".

===============

Post back a new log, and let me know how everything goes.

-

[your name].
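As an added illustration, not code from anyone in this thread, here is a small Python triage script that applies the same indicators Lobos singled out above to a constructed sample in the shape of this HijackThis log: res:// search-page redirects, a missing URLSearchHook, an unnamed BHO, random-named autoruns sitting in the C:\WINDOWS root, and an unknown-owner service whose binary is already missing. The rule set and the reason strings are my own assumptions, chosen to reproduce the entries flagged in the reply rather than to be a complete HijackThis analyzer.

```python
import re

# Constructed sample: lines in the shape of the HijackThis log posted above,
# embedded so the script runs offline (one benign O4 and O23 line included).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spmfg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {62794EE0-B02F-CC2E-795B-B9C0ABFCDF9A} - C:\WINDOWS\system32\sdkvj32.dll
O4 - HKLM\..\RunOnce: [javaja.exe] C:\WINDOWS\javaja.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apitm32.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
"""

O4_RE = re.compile(r"^O4 - .*\[(?P<name>[^\]]+)\] (?P<path>.+)$")

def triage_line(line):
    """Return a reason if the line matches an about:blank/CWS indicator, else None (assumed rules)."""
    sec = line.split(" - ", 1)[0]
    if sec in ("R0", "R1") and "= res://" in line:
        return "start/search page redirected into a local DLL via res://"
    if sec == "R3" and "URLSearchHook is missing" in line:
        return "default URLSearchHook removed"
    if sec == "O2" and "(no name)" in line:
        return "unnamed Browser Helper Object"
    m = O4_RE.match(line) if sec == "O4" else None
    if m:
        folder, _, fname = m.group("path").rpartition("\\")
        # random-named autoruns dropped straight into C:\WINDOWS, with the
        # Run/RunOnce entry named after the file itself (ctfmon in System32 is not hit)
        if folder.upper() == r"C:\WINDOWS" and fname.lower() == m.group("name").lower():
            return "autorun executable dropped in the C:\\WINDOWS root"
    if sec == "O23" and "(file missing)" in line and "Unknown owner" in line:
        return "unknown-owner service whose binary is already gone"
    return None

def triage(log_text):
    """Apply triage_line to every non-empty line; return (section, reason, line) tuples."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        reason = triage_line(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason, line))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Run against the sample it reports five findings (the R1 res:// line, R3, O2, the javaja.exe RunOnce and the NSS service) and leaves ctfmon.exe, the Cisco VPN service and the plain about:blank line alone.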



Posted by: Warez Monster

Remove entries at your own risk

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spmfg.dll/sp.html#44768
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spmfg.dll/sp.html#44768
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about :blank
Possibly nasty This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spmfg.dll/sp.html#44768
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spmfg.dll/sp.html#44768
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spmfg.dll/sp.html#44768
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spmfg.dll/sp.html#44768 This entry should be fixed by HijackThis!

R3 - Default URLSearchHook is missing Should be fixed if you do not know the application or if no application is mentioned. This entry should be fixed.

O4 - HKLM\..\Run: [javaxo32.exe] C:\WINDOWS\javaxo32.exe It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.

O4 - HKLM\..\RunOnce: [javaja.exe] C:\WINDOWS\javaja.exe Must be fixed!

O4 - HKLM\..\RunOnce: [atluu.exe] C:\WINDOWS\atluu.exe It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.

O4 - HKLM\..\RunOnce: [javamr.exe] C:\WINDOWS\javamr.exe It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/...all/xscan53.cab[/url] This entry is possibly nasty. Should be fixed.

O23 - Service: VNC (WinVNC) - Unknown owner - C:\WINDOWS\system32\rc\winvnc.exe" -service (file missing Unknown service. (winvnc.exe" -service (file missing))
Unnecessary (deactivated) entry that can be fixed.