Solved

Stupid ABOUT:BLANK Problem!

Posted on 2004-08-03
Last Modified: 2010-04-11
Ok, you wonderful experts, the little lady is going crazy.  How on earth do I finally get rid of this evil piece of (*&%(*&!!!  I have Windows XP and I've run the CWShredder program and temporarily got rid of it.  I know that there is much more to it than that but I don't feel I know enough to mess with the registry.  I've been told that screwing it up screws your computer.  I am begging, down on my hands and knees, for someone to help me out.  I ran the HijackThis program and will include the log below.  I am not an expert, I am afraid of the registry, so PLEASE be simple in your explanations.  500 points to the angel who helps me get rid of this thing once and for all.

Logfile of HijackThis v1.97.7
Scan saved at 12:09:37 PM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINNT\System32\wisptis.exe
C:\Documents and Settings\Jen\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C5BD18F-06BD-4B51-9684-83BACC5E0330} - C:\WINNT\System32\dbeccd.dll
O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38157.4371875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Question by: MissB618

16 Comments

Accepted Solution by: SheharyaarSaahil (LVL 65, earned 460 total points)
Hello MissB618 =)

First of all, download these tools and install Ad-Aware and Spybot:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================
Then TURN OFF your System Restore >> http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
Then put a check mark against these entries and click on Fix Checked!!!!!

===============================================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {4C5BD18F-06BD-4B51-9684-83BACC5E0330} - C:\WINNT\System32\dbeccd.dll
O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
=================================================================================
Then...

1. Restart your machine
2. Boot into safe mode and log in as Administrator
3. Run the AntiVirus tool and delete all viruses it finds
4. Run the Spyware Removal tools and delete everything they detect
5. Then go to C:\Documents and Settings\your username\Local Settings\Temp and delete all files present here
6. Go to C:\Documents and Settings\your username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Go to C:\Documents and Settings\your username\Cookies, and delete all cookies present here.
8. Reboot back in Normal Mode and check if the problems are gone
9. If YES then great, otherwise download this new version of HijackThis, run it and post the log file here:
http://www.wilderssecurity.com/supportfiles/HijackThis1980.exe
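As an added example (not part of the accepted answer and not code from any of the posters), the following Python script parses lines in the HijackThis 1.97 log format shown above and flags the same kinds of entries the accepted answer tells the poster to check: R0/R1 search or home-page settings that point at a file:// URL inside a Temp directory, and O2 BHO registrations that either have no backing file or load an unnamed, random-looking DLL from System32. The sample log lines are constructed for this example and modelled on the log above; the SYSTEM_DIRS list, the random-name heuristic and the severity labels are this example's own assumptions, not anything HijackThis itself computes.

```python
import re
from dataclasses import dataclass

# Where a Windows XP install keeps its system DLLs (lowercase, for comparison).
# Assumption for this example; C:\WINNT is what the log above shows.
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")

# Constructed sample in HijackThis 1.97 log format, modelled on the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Chris\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C5BD18F-06BD-4B51-9684-83BACC5E0330} - C:\WINNT\System32\dbeccd.dll
O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (labels chosen for this example)
    reason: str
    line: str


# "R1 - <registry key>,<value name> = <setting>"
R_LINE = re.compile(r"^R[01] - (?P<key>.+?)\s*=\s*(?P<value>.*)$")
# "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


def check_r_entry(key, value, line):
    """Flag IE search/home-page settings redirected to a local file in a Temp directory."""
    v = value.lower()
    if v.startswith("file://") and ("\\temp\\" in v or "\\locals~1\\" in v):
        return Finding("high", "IE search/home setting points at a local HTML file in a Temp directory", line)
    if v == "about:blank":
        setting = key.split(",")[-1]
        return Finding("info", f"{setting} is about:blank; fix it together with the file:// entries", line)
    return None


def looks_random(stem):
    # Heuristic (this example's assumption): a short, all-lowercase, letters-only
    # file name with no digits is the shape the dropped DLL in the log has.
    return stem.isalpha() and stem.islower() and 5 <= len(stem) <= 8


def check_bho(name, path, line):
    """Flag orphaned BHO registrations and unnamed BHOs loaded from System32."""
    p = path.lower()
    if p == "(no file)":
        return Finding("medium", "BHO registration whose DLL is missing (orphan); remove the registration", line)
    directory, _, filename = p.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    if directory in SYSTEM_DIRS and name == "(no name)" and looks_random(stem):
        return Finding("high", "unnamed BHO loaded from a random-looking DLL in System32", line)
    return None


def triage(log_text):
    """Return findings for every R0/R1 and O2 line in a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            f = check_r_entry(m["key"], m["value"], line)
        else:
            m = O2_LINE.match(line)
            f = check_bho(m["name"], m["path"], line) if m else None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the constructed sample, the script reports the two file:// search hijacks and the dbeccd.dll BHO as high, the "(no file)" BHO as medium, and the about:blank HomeOldSP entry as informational; the Acrobat and Google Toolbar BHOs under Program Files are left alone. Other sections (O4 Run keys, O16 downloaded controls) are not examined here.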

Expert Comment by: SheharyaarSaahil (LVL 65)
And remember, C:\Documents and Settings\your username\Local Settings
is a hidden folder, so to view it, open Explorer > Tools > Folder Options > View
and select Show Hidden Files, and apply.
Now you should see this folder :)

Assisted Solution by: potuncle (LVL 1, earned 40 total points)
Oh, and stop using Internet Explorer. Try the Firefox browser from mozilla.org. You won't get any spyware/malware/adware installed on your computer if you don't use IE.

Jason

Expert Comment by: dis1931 (LVL 10)
Not sure exactly what the problem is but if you are just trying to stop IE from displaying about:blank and an empty page when you open it go to Internet Explorer and then click Tools --> Internet Options.  You will see a general tab and a space for an address.  You can type any webpage you want to start from....such as http://www.google.com or http://www.msn.com or even about:blank.  I think this is what you are looking for.

Dis

Expert Comment by: ignusb (LVL 1)
Looking through your running processes, I would personally be worried about
C:\windows\System32\svchost.exe
(that's the one with the capital for System)
Are you running Windows XP Home or Pro?
That path was the path for the Blaster.32 worm... so you may want to watch out for it.

Expert Comment by: xsgwiseman
Hey.. I have removed this about:blank hijacker with complete success many times off customers' machines. There are a few programs that are
absolutely necessary. Here they are:

cwshredder.exe (This has to be version 1.59.1.) This is the only one that truly removes the CWS about:blank hijacker.

http://www.downloads.subratam.org/CWShredder.exe

About:Buster will remove the hidden .dll that's replacing the hijacker every time you reboot. (You will want to update this to its latest version before you scan with it.)

http://www.atribune.org/downloads/AboutBuster.zip

And my personal favorite.. There is one ultra hard to remove variant of this hijacker. For some reason the company that produces this hijacker actually made an uninstall.exe available on their site.. The site didn't last long.. they shortly took it down.. But I saved the uninstall file for later use. You can find it on my site:

http://www.angelfire.com/rpg/afkscript/uninstall.zip

I am almost positive one of these 3 will remove your problem permanently. I would try running them all in regular mode and then reboot your system into safe mode and run them all again just to be sure.

In case you didn't know: to get into safe mode, when you first turn on your computer hit F8 every 2-3 seconds. If you see the Windows load screen you missed your chance and must restart and try again. If you did it right you'll see a menu with "Safe Mode" at the top. In this mode no viruses or malware will be loaded. This makes removal a lot easier. But make sure you run the programs in regular mode first, as About:Buster needs the .dll to be hooked to a process in order to detect it.

Expert Comment by: fatlad (LVL 3)
FAO ignusb

Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started.

It is not a particularly good indicator of Blaster or of other worms.

Expert Comment by: xsgwiseman
Windows Worm doors cleaner gives you 1 click fixes for most of the holes that allow worms in. When run it also checks the memory footprint of all svchosts and lets you know if you are infected by any worms. It rocks. It even beats microsoft patches which leave the services still running and the ports still open.

http://www.firewallleaktester.com/wwdc.htm
 

Expert Comment by: ignusb (LVL 1)
fatlad
1) FAO? [is that from thunderbirds]
2) %SystemRoot%\system32 is the correct system32 folder, yea, that one, no the one next to it, yes, the one without the capital

Expert Comment by: fatlad (LVL 3)
Ignusb

1) FAO = For Attention Of; I am pretty sure it originates from paper mail days. Thunderbirds had FAB, which apparently does not stand for anything.
2) Not sure what you are on about here. Windows is not case sensitive for folder names, e.g. it sees System32 the same as system32, and the two folders cannot sit in the same parent. Unix is totally different and will treat these as two different entities.
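Added example, not from any of the posters: the exchange between ignusb and fatlad above turns on two questions, whether a process is suspicious because of the directory it runs from (fatlad's point that the legitimate svchost.exe lives in %SystemRoot%\System32 and that several copies of it are normal) and whether the letter case of a path matters (it does not on Windows). The script below takes a list of running-process paths in the shape the HijackThis "Running processes" section prints them, case-folds them with the standard-library ntpath module (so it runs on any analyst workstation, not only on Windows) and flags core system binaries running from anywhere other than the directory they belong in, while counting how many copies of svchost.exe run from each directory. The process list is constructed for the example (the log's own entries plus two deliberately out-of-place ones that are not in the real log), and the SYSTEM_IMAGES table is this example's assumption about where those binaries live on XP.

```python
import ntpath

# Where core XP system binaries belong, relative to %SystemRoot%.
# Assumption for this example; "" means directly in %SystemRoot%.
SYSTEM_IMAGES = {
    "smss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "explorer.exe": "",
}

# Constructed sample: the "Running processes" section of the log above, with two
# deliberately out-of-place entries appended (not present in the real log).
SAMPLE_PROCESSES = [
    r"C:\WINNT\System32\smss.exe",
    r"C:\WINNT\system32\winlogon.exe",
    r"C:\WINNT\system32\services.exe",
    r"C:\WINNT\system32\lsass.exe",
    r"C:\WINNT\system32\svchost.exe",
    r"C:\WINNT\System32\svchost.exe",
    r"C:\WINNT\system32\spoolsv.exe",
    r"C:\WINNT\Explorer.EXE",
    r"C:\Program Files\Messenger\msmsgs.exe",
    r"C:\WINNT\svchost.exe",
    r"C:\Documents and Settings\Jen\Local Settings\Temp\lsass.exe",
]


def expected_dir(system_root, image):
    """Case-folded directory a known system binary is expected to run from."""
    sub = SYSTEM_IMAGES[image]
    return ntpath.normcase(ntpath.join(system_root, sub) if sub else system_root)


def check_processes(process_paths, system_root):
    """Return the paths of system-named binaries running outside their home directory.

    ntpath.normcase lowercases the whole path, so System32 and system32 compare
    equal, which is how Windows itself treats them.
    """
    suspicious = []
    for path in process_paths:
        directory, image = ntpath.split(ntpath.normcase(ntpath.normpath(path)))
        if image in SYSTEM_IMAGES and directory != expected_dir(system_root, image):
            suspicious.append(path)
    return suspicious


def count_by_dir(process_paths, image="svchost.exe"):
    """How many copies of one image run from each (case-folded) directory.

    Several svchost.exe instances from System32 are normal; a copy from any
    other directory is what deserves a look.
    """
    counts = {}
    for path in process_paths:
        directory, name = ntpath.split(ntpath.normcase(path))
        if name == image:
            counts[directory] = counts.get(directory, 0) + 1
    return counts


if __name__ == "__main__":
    root = r"C:\WINNT"   # taken from the paths in the log above
    for path in check_processes(SAMPLE_PROCESSES, root):
        print("out-of-place system binary:", path)
    for directory, n in count_by_dir(SAMPLE_PROCESSES).items():
        print(f"{n} x svchost.exe in {directory}")
```

On the constructed list only the two appended entries are reported: svchost.exe running directly from C:\WINNT and lsass.exe running from a user's Temp directory. The two legitimate svchost.exe copies, one listed as System32 and one as system32, count as the same directory.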

Expert Comment by: ignusb (LVL 1)
Haha, sorry about the FAO confusion... I never really cared about Thunderbirds so didn't pay attention.
In my experience with Windows, it tends to freak out a bit when you use the wrong case at the beginning of a file/path... I've always had problems with that. Maybe I just attract technology problems: in the last week, I've crashed Linux 5 or 6 times, crashed my cellphone, made my wireless keyboard/mouse receiver pick up radio (that tends to send things a bit odd, I can't control the mouse very well) and, to top it off, there have been some electrical faults in every vehicle I have travelled in (buses included)... Technology is raging against me, maybe I should stop using it and move to an Amish village...

One more thing, MissB618 - learn how to use Linux to the extent of Windows that you need to, and then use WINE to use any Windows applications you may need.

Expert Comment by: fatlad (LVL 3)
lol ignusb, are you sure you are not my dad? He seems to have the same problems, except he can't even spell linux!

Expert Comment by: ignusb (LVL 1)
Ha, your dad can say Linux? Mine says lunis...

Expert Comment by: ignusb (LVL 1)
But for MissB618... WE STILL DON'T KNOW THE EXACT QUESTION!!! *bump* Please tell us the exact problem...

Expert Comment by: xsgwiseman
Is this problem solved?

Author Comment by: MissB618
My apologies for not getting an acceptance to this sooner everyone.  We had a tragedy in the family and, needless to say, this was put on the back burner.