• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 267
  • Last Modified:

about blank installed by an Unknow site

Hi Guys,

Thanks in advance for your help. I need to fix my computer. some unknow site install a program in my computer and they set this site ( http://www.securitysafeguards.net/  ) as a " about:blank " in my internet explorer page. Every time I open up my browser I got this site as a defoult and I tryed to deleted by going to tool/options/ and remove that site but I didn't get any luck. This site is what they said in their stie:

Your private info is collected by W32.Sinnaka.A@mm
Your IP address: 69.203.89.243
 
Your Country: US, United States
 
They know you're using: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
 
Operation System: OS Windows
 
Risk status for futher investigation: VERY HIGH RISK
 
Time of investigation: Mon Mar 27 19:29:14 PST 2006

What can I do to remove this site from my system. I appreciate your help.

Thanks again!



 
0
JoeSand2005
Asked:
JoeSand2005
  • 9
  • 7
  • 4
  • +1
1 Solution
 
rpggamergirlCommented:
You either install and run Ewido in Safe Mode:
Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.

Or:
download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log at;
http://www.hijackthis.de/ 
and click "Analyse", "Save".  Post a link to the saved list here.
0
 
Irwin SantosComputer Integration SpecialistCommented:
http://www.majorgeeks.com/HijackThis_d3155.html

download and install.. post the report here.

got Anti - Virus software/spyware running?
0
 
JoeSand2005Author Commented:
Hi rpggamergirl,

How can I get the logfile? and what do you mean by "Just upload the logfile created?
Thanks!

Joe
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 
Irwin SantosComputer Integration SpecialistCommented:
run hijack this.. and follow the directions on displaying the report..

copy and paste into this question.. SUBMIT.. so that we can see.
0
 
rpggamergirlCommented:
What I meant is, you can upload the log file in those sites and only post the link to the log here.
EE doesn't recommend Hijackthis logs posted in the topic, but we do need to see the log in order to help you, so we suggest uploading the log somewhere else and only post the url here.
0
 
rpggamergirlCommented:
I prefer to see the log posted right in the topic, BUT EE has its rules that Hijackthis logs should not be posted in the topic.

Sorry, if that is not convenient I do understand.
0
 
JoeSand2005Author Commented:
This is what I got from the scan and save from Hijackthis and what I got is a text file with many paths. This is the path highlighted by the text file
C:\WINDOWS\system32\VTTimer.exe

I don't know how to save a log file can you explain please?

0
 
JoeSand2005Author Commented:
Hi rpggamergirl,

How can I know about the logfiel that would be paste on this site ( http://www.rafb.net/paste/ )
Thank you so much!

Joe
0
 
rpggamergirlCommented:
When you run Hijackthis, there should be an option where you can click, something like:
"scan and save a logfile" then after it finishes scanning, a notepad will open, you can then copy the entire contents of the notepad and paste that in those sites,
or just paste it here on this topic.
Surely EE can be lenient on this once :)

If you  need further assistance I will run my Hijackthis and type a step by step instructions for you.
0
 
Irwin SantosComputer Integration SpecialistCommented:
@rpggamergirl...what wrong with posting hijack this here?  I've solve several hundred Questions with hijackthis here at EE.
0
 
rpggamergirlCommented:
You need to scan yous pc with Hijackthis first, then after scanning a notepad will open full of entries,
that notepad contents is the one you will paste at:

http://www.hijackthis.de/ 
and click "Analyse", "Save".  Post a link to the saved list here.


OK, it will be easier, if you paste the Hijackthis log file here on this topic.
0
 
rpggamergirlCommented:
irwinpks,
I would really love it, if Askers will just post the Hijackthis logs here in the topic, but I've been told off by some other experts. And then I've read it in EE rules that they don't welcome Hijackthis logs.

I also help at another forum and it is so great just to look at the Hijackthis log right there in the topic. But here at EE has different rules.
0
 
JoeSand2005Author Commented:
Hi rpggamergirl,

if I paste the notepad file here, It will be open to the public then I would be in a deeper trouble. what do you think?
0
 
JoeSand2005Author Commented:
I got the notepad file but I dont know what's the name of the exe fiel I need to delete.
Thanks!

0
 
rpggamergirlCommented:
JoeSand2005,
Just post the contents of the notepad here.
If you use your pc in a company network, then just remove all the 017 entries and post the rest here.
0
 
JoeSand2005Author Commented:
Here it goes, I hope I won't put my computer in risk.



Logfile of HijackThis v1.99.1
Scan saved at 10:57:35 PM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.4\OLAP\bin\msmdsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\AOL\1132461502\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1132461502\ee\AOLServiceHost.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\common files\aol\1132461502\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1132461502\ee\AOLServiceHost.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp9F24.tmp
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132461502\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.4\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.4\OLAP\Config (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Thanks!
0
 
Wayne BarronCommented:
As well as the information provided here.
Please also download and install " Microsoft AntiSpyware"
Located here:      http://www.microsoft.com/athome/security/spyware/software/default.mspx

After it is installed run the program, accept [yes] on all. (the community is up to you, the last option)

Then run the scan, and follow the instructions given.

Good Luck
0
 
rpggamergirlCommented:
I was expecting R's lines in Hijackthis but there were none?

Please, Download Smitrem:
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Next, please reboot your computer in Safe Mode:

Open the "smitRem" folder, then double click the "RunThis.bat" file to start the tool. Follow the prompts on screen.  Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.


Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.


Fix these entries if still present:
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp9F24.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll


Uninstall "Security Toolbar" if listed in Add/Remove programs.

Delete this folder:
C:\Program Files\Security Toolbar


0
 
Irwin SantosComputer Integration SpecialistCommented:
here's one..

how about uninstalling AOL.. is that possible?  can you access via WEBmail instead?
0
 
JoeSand2005Author Commented:
Hi rpggamergirl,

Thanks so much for your help! The SmiTrem method was the only one that works for my case. I got everything back to normal in my pc.  I appreciate your time.

Thanks!

Joe
0
 
rpggamergirlCommented:
JoeSand2005,
You're welcome! glad to hear that problem is gone.
Thank you for the points with "A" grade! :)


>>Here it goes, I hope I won't put my computer in risk.<<

Rest assured that there is nothing in your Hijackthis log that would compromise your pc's security.
As you can see, all those entries only relate to programs you have installed in your pc just like everyone else. You have nothing to worry about. :)

You might like to check Tony Klein's article "How Did I Get Infected in the First Place?"
http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I

Happy computing!
Best wishes!
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 9
  • 7
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now