Solved

Trojan about:blank

Posted on 2005-04-29
Medium Priority
676 Views
Last Modified: 2013-12-04
Yesterday, Norton gave me a message that a trojan virus was caught. However, when I went to my home page, about:blank kept appearing even after I reset my home page. I then ran Ad-Aware which flagged the trojans (3) and I deleted them. However, when I went back to Explorer the about:blank page was still there, and when I ran Ad-Aware again the trojans were still there. I keep getting popups and my system is slower. How do I totally get rid of this?
Thanks
 
Question by:Hidesign
23 Comments
 
LVL 16

Assisted Solution

by:CodedK
CodedK earned 400 total points
ID: 13898410
Hi..
:)

Online check (Big Database):
http://housecall.trendmicro.com
-----------------------------------------------------------------------------------------------------
Applications (Spyware):

AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper ==> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster ==> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
-----------------------------------------------------------------------------------------------------
Also have a look at Microsoft's anti-spyware tool:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://www.microsoft.com/security/malwareremove/default.mspx
and click on "Check My PC for infection"
-----------------------------------------------------------------------------------------------------
For infection removal, go to
http://www.sarc.com/avcenter/tools.list.html
-----------------------------------------------------------------------------------------------------
HijackThis ==> http://www.merijn.org/files/hijackthis.zip
analysis ==> http://www.hijackthis.de
-----------------------------------------------------------------------------------------------------

Application (Management)

Download Codestuff Starter...
http://members.lycos.co.uk/codestuff/
 
For applications/malware that run on startup... coz they don't always hide at
currentversion\run where the average user will search...
Search on Google for each exe running to identify whether they are legitimate.
-----------------------------------------------------------------------------------------------------
Antivirus:
Stinger (from McAfee, freeware)
-----------------------------------------------------------------------------------------------------
A firewall like Zonealarm....
-----------------------------------------------------------------------------------------------------

It's good to be prepared but don't overdo it... :/
Installing many of these apps mentioned will slow down ur computer...
So choose the one that fits ur needs and install it :)

Pay attention to apps running at startup and services also ..
Hope that helps. :)

CodedK
LVL 12

Expert Comment

by:rossfingal
ID: 13899564
There are several versions of "About:Blank".
Let's see which one you've got -
Do this -

Download HijackThis (version 1.99.1) from:
http://www.gatesofdelirium.com/ee/tools/
Place it into a folder of its own - something like:
C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
Do not run it directly from the "Zip" file, a "temp" folder, or the Desktop.
HijackThis makes "backups" and it's good to have them in a centralized location.

With all browser windows closed - run HijackThis and
copy and paste the log file into the Analysis site here:
http://www.hijackthis.de/en

Click on the "Analyze" button; and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis -
Post a LINK to that page back here.

We'll take a look at it!  :)

Please, do not post your log file here!

Here's the Experts-Exchange guidelines on posting HijackThis logs:
http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html

There are versions of this "stuff" that all the "Spyware" removers listed above
will have no effect on.
Let's see what "About:Blank" you have.

Good luck!
RF

Author Comment

by:Hidesign
ID: 13900683
Rf,
I followed your directions  - here is the link. Thanks for your help
http://www.hijackthis.de/logfiles/dd087b661ce9b94c045717bfa63ff845.html
LVL 12

Assisted Solution

by:rossfingal
rossfingal earned 800 total points
ID: 13900855
Hi!

This is the version of "About:Blank" you have:
http://www.pchell.com/support/onlythebest.shtml

Follow the removal procedure exactly -
do not skip ANY steps!

Good luck!

RF

Author Comment

by:Hidesign
ID: 13901639
Thanks - I went to the link and got the page "Homepage set to res://random.dll/index.html#randomnumber". Before I do the steps I want to verify with you that this is the right one. There is also a link for removing about:blank. Is the link you sent me the one I should use?
Thanks again
HS

Author Comment

by:Hidesign
ID: 13902794
RF,
 I tried the directions in http://www.pchell.com/support/onlythebest.shtml.
I am still getting about:blank as my home page. Hopefully I did it correctly. What do you think my next step should be?
Thanks again
Heidi
LVL 12

Expert Comment

by:rossfingal
ID: 13903787
Hi!

Run HijackThis again, run your log through the analysis site -
Post a LINK to your new log here.
Sometimes this "thing" is stubborn.

RF
LVL 12

Expert Comment

by:rossfingal
ID: 13904042
One other thing - there's a new version of "AboutBuster" (ver. 4); see here:
{About:Buster 4}   http://www.besttechie.net/forums/index.php?showtopic=1488

Also, use "The Hoster" to reset your hosts file:
Please download the Hoster from here:
          http://members.aol.com/toadbee/hoster.zip
          Unzip it to the desktop and run it.
          Click "Restore original HOSTS" and OK any prompts.
          You may have to reimmunize with Spybot, SpywareBlaster,
          and/or IE-SPYADs, etc. after doing this.
          Please restart your computer

RF

Author Comment

by:Hidesign
ID: 13904210
Here is the link from hijackthis
http://www.hijackthis.de/index.php#anl

I also noticed that when I sign in as a guest without admin rights, my home page is correct.  Is there something about an admin user that the trojan latches on to?
Also, Explorer pops up without me even having to click on it. Something might have changed in the startup but I don't want to touch anything until you see my analyzer results.

In step 4 of the instructions to remove the trojan, the service name of "Network Security Services" had strange characters and the path is C:\WINDOWS\system32\mfctf.exe /s. I then deleted from the registry any occurrence of mfctp.exe according to the directions. Does this make sense?

Thanks
HS
LVL 12

Expert Comment

by:rossfingal
ID: 13904310
No, you're still posting the link to the Analysis page - not the link to
the page with your saved analysis, which is what we need.
Read my instructions above carefully.
After your log is analyzed, you have to click on "Save Analysis" and then post a
link to the page that is generated.

Yes, deleting all references to it in the Registry is fine.
However, we still need to see a new HijackThis log.
Quite often, you have to go through the removal procedure
numerous times.

By the way, if it seems like I don't get back to this question in a timely fashion -
I'm having a very unpleasant time with my Internet connection!  :)

RF
LVL 9

Expert Comment

by:imnajam
ID: 13904433
Hi Hidesign,

Microsoft's new spyware removal tool is your best bet to get rid of such crap. You can get a copy for yourself from the link below :)
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

It may not require you to post back again and again; hopefully it will work the first time.

Cheers!
LVL 9

Expert Comment

by:imnajam
ID: 13904452
If you wish to go through the process of HijackThis, do as suggested in the PAQ.

http://www.experts-exchange.com/Security/Q_21031644.html?#11352877
LVL 9

Expert Comment

by:imnajam
ID: 13904455
another link that might be very informative for you by petelong

http://www.petenetlive.com/Tech/Browsers/hijack.htm

Author Comment

by:Hidesign
ID: 13905279
RF,
Here is the correct link. Sorry about posting the incorrect one.
http://www.hijackthis.de/logfiles/dd087b661ce9b94c045717bfa63ff845.html
Thanks
HS

Author Comment

by:Hidesign
ID: 13905470
I tried the Microsoft spyware tool. It found spyware and deleted it, but when I went to Explorer, I received a warning that unclassified spyware.65 spyware was trying to change my home page. I ran the scanner again and again (4 more times) and it finds the spyware and deletes it, but it keeps coming back. Also, each time I ran it, it showed different files were infected and different registry keys.
What should be my next step? This spyware is unbelievable.
Thanks
 
LVL 12

Expert Comment

by:rossfingal
ID: 13908301
Did you go through the removal procedure from the link I gave you -
without skipping any steps?
(http://www.besttechie.net/forums/index.php?showtopic=1488)

RF
LVL 15

Expert Comment

by:greyknight17
ID: 13914391
Here's a breakdown of detailed instructions if you need it (step by step):

Please print out or copy this page to Notepad.  Make sure to work through the fixes in the exact order it is mentioned below.  If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.  You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.  Also make sure that 'Display the contents of system folders' is checked.  If you have Windows XP, the  search feature is a little different.  When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom.  Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean.  If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip it to a folder on your Desktop.  Run AboutBuster and click OK.  Click Update and then Check For Update to see if there are any updates.  Close the program now.

Reboot into Safe Mode by hitting the F8 key until menu shows up.  In some systems, this may be the F5 key, so try that if F8 doesn't work.  
Go to Start->Run and type in services.msc and hit OK.  Then look for Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) and double click on it.  Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers.  Go into HijackThis->Config->Misc. Tools->Open process manager.  Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\sdkeb.exe
C:\WINDOWS\syskv32.exe

Run a scan in HijackThis.  Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129         
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AB05AE41-F1D5-D736-88F2-C487321270C0} - C:\WINDOWS\javaqv32.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll (file missing)
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sdkeb.exe] C:\WINDOWS\sdkeb.exe
O4 - HKLM\..\RunOnce: [syskv32.exe] C:\WINDOWS\syskv32.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfctf.exe (file missing)

Run AboutBuster and click OK.  Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all).  It will ask you if you want a second scan, choose Yes.  Save the log file and post it here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\javaqv32.dll
C:\WINDOWS\gpl.dll
C:\WINDOWS\sdkeb.exe
C:\WINDOWS\syskv32.exe
C:\WINDOWS\system32\mfctf.exe

Reboot into Normal Mode and run a new HijackThis scan.  Save the log file and run the scan at hijackthis.de and post a link to the analyzed log.

Author Comment

by:Hidesign
ID: 13917342
Thank you - I will go through the process now. Yesterday I ran SpySweeper and it deleted the spyware but it kept reinstalling itself. The program atlvk32.exe kept getting flagged. I was not able to delete it out of Windows but I kept deleting it out of my registry. Is this part of the about:blank hijacker?
Now when I go into Outlook, I keep getting the message that it can't connect to the database engine.
I'll write back after I try the above directions. Thanks for everybody's input.

Author Comment

by:Hidesign
ID: 13918363
I went through the process above, step by step. I still have the hijacker. It seems that each time a different executable is the culprit. Now it seems to be ieqs.exe. What program keeps generating the hijacker? Thanks

Here is the link to my new hijack analysis: http://www.hijackthis.de/logfiles/70cc4cc6e41e8699bf5fa141498c1de3.html

Here is the AboutBuster logfile:

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 2 Random Key Entries
Removed! : C:\WINDOWS\kmovo.dat
Removed! : C:\WINDOWS\xuvwy.dat
Removed! : C:\WINDOWS\System32\kiwbg.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

LVL 15

Accepted Solution

by:greyknight17
greyknight17 earned 800 total points
ID: 13918899
Please print out or copy this page to Notepad.  Make sure to work through the fixes in the exact order it is mentioned below.  If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.  You should 'not' have any open browsers when you are following the procedures below.

Reboot into Safe Mode by hitting the F8 key until menu shows up.  In some systems, this may be the F5 key, so try that if F8 doesn't work.  

Go into HijackThis->Config->Misc. Tools->Open process manager.  Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\ipzc.exe
C:\WINDOWS\ieqs.exe

Go to Start->Run and type in services.msc and hit OK.  Then look for Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I)  and double click on it.  Click on the Stop button and under Startup type, choose Disabled.

Run a HijackThis scan and check and fix the following:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C3EAA18C-9344-C91C-7AEA-9FEE6792B86A} - C:\WINDOWS\ntqx.dll
O4 - HKLM\..\Run: [ipzc.exe] C:\WINDOWS\ipzc.exe
O4 - HKLM\..\RunOnce: [ieqs.exe] C:\WINDOWS\ieqs.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfctf.exe (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\ipzc.exe
C:\WINDOWS\ieqs.exe
C:\WINDOWS\ntqx.dll
C:\WINDOWS\system32\mfctf.exe

Reboot into Normal Mode and run a new HijackThis scan.  Save the log file and run it at hijackthis.de.  Give us the link to the log.
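The two greyknight17 procedures above both come down to recognising the same kinds of entries in a HijackThis log. The script below is an added example, not code from any poster or from HijackThis itself: it turns the checks they describe into rules, runs them over a constructed log assembled from the entries quoted in this thread (plus one ordinary ctfmon.exe Run entry that should pass), and lists the binaries the flagged entries point at so they can be verified before anything is deleted in Safe Mode.

```python
import re

# Constructed sample: the HijackThis entries quoted in this thread, plus one
# ordinary ctfmon.exe Run entry that the rules should leave alone.
SAMPLE_LOG = (
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\system32\\ocnty.dll/sp.html#28129\n"
    "R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank\n"
    "R3 - Default URLSearchHook is missing\n"
    "O2 - BHO: (no name) - {C3EAA18C-9344-C91C-7AEA-9FEE6792B86A} - C:\\WINDOWS\\ntqx.dll\n"
    "O4 - HKLM\\..\\Run: [ipzc.exe] C:\\WINDOWS\\ipzc.exe\n"
    "O4 - HKLM\\..\\RunOnce: [ieqs.exe] C:\\WINDOWS\\ieqs.exe\n"
    "O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe\n"
    "O23 - Service: Network Security Service (NSS) ( 11F\u00df\u00e4#\u00b7\u00ba\u00c4\u00d6`I)"
    " - Unknown owner - C:\\WINDOWS\\system32\\mfctf.exe (file missing)\n"
)

# Each rule is (reason, predicate over the entry type and the text after it).
RULES = [
    ("search/start page redirected into a res:// DLL resource",
     lambda kind, rest: kind in ("R0", "R1") and "res://" in rest.lower()),
    ("start page forced to about:blank",
     lambda kind, rest: kind in ("R0", "R1") and rest.lower().endswith("= about:blank")),
    ("default URLSearchHook removed",
     lambda kind, rest: kind == "R3" and "is missing" in rest),
    ("Browser Helper Object with no name",
     lambda kind, rest: kind == "O2" and "(no name)" in rest),
    ("Run/RunOnce entry launching an .exe straight from C:\\WINDOWS",
     lambda kind, rest: kind == "O4"
     and re.search(r"C:\\WINDOWS\\[^\\\s]+\.exe\s*$", rest, re.I) is not None),
    ("service with a garbled name, unknown owner or missing binary",
     lambda kind, rest: kind == "O23" and (
         "Unknown owner" in rest or "(file missing)" in rest
         or any(ord(c) < 32 or ord(c) > 126 for c in rest.split(" - ")[0]))),
]

PATH_RE = re.compile(r"[A-Za-z]:\\[^\s()]+?\.(?:exe|dll)\b", re.I)


def triage(log_text):
    """Return [(line, reason)] for every HijackThis entry that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        kind, sep, rest = line.strip().partition(" - ")
        if not sep:
            continue  # blank line or not a HijackThis entry
        for reason, matches in RULES:
            if matches(kind, rest):
                findings.append((line.strip(), reason))
                break
    return findings


def referenced_binaries(findings):
    """Unique .exe/.dll paths named by flagged entries: the files the removal
    procedure has you verify and delete in Safe Mode."""
    paths = set()
    for line, _ in findings:
        paths.update(m.group(0) for m in PATH_RE.finditer(line))
    return sorted(paths)
```

Calling `triage(SAMPLE_LOG)` flags seven of the eight constructed entries and leaves the ctfmon.exe line alone; `referenced_binaries` on those findings yields exactly the files the two procedures tell the asker to delete.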

Author Comment

by:Hidesign
ID: 13919487
Here's the new hijack link:
http://www.hijackthis.de/logfiles/70cc4cc6e41e8699bf5fa141498c1de3.html

(about:blank is still there)

Thanks
LVL 15

Expert Comment

by:greyknight17
ID: 13922718
Just want to confirm, are you in Safe Mode when doing these fixes?  Is Internet Explorer closed?

Check and fix all those R0 and R1 entries except for the one with localhost.  Also check this one:

O2 - BHO: (no name) - {3C149E0B-2AF5-C8DC-F78A-AAC09F8001C3} - C:\WINDOWS\syszi32.dll

Then hit Fix Checked.

Run AboutBuster.  Delete this file:

C:\WINDOWS\syszi32.dll

Restart and go back to normal mode.  Do a new HijackThis scan and post it at that hijackthis.de site.

Author Comment

by:Hidesign
ID: 13993565
I have finally resolved this problem. I did all the above directions and then used Spysweeper in safe mode and the about:blank was gone. Thanks for all your help - I'll split the points since the fix was a combination of different answers.