ABOUT.Blank and Hijackthis Log
-
ABOUT.Blank and Hijackthis Log
From the looks of things, I guess I'm in good company! Seems like everyone is having problems with this About Blank Trojan Virus.
Funny how this happend just in time for my Norton Internet Security Subscription 2004 to expire! I can download the latest antivirus files, but it won't automaticall protect my computer. I'll probably purchase the 2005 upgrade some time tomorrow.
I've run Spybot and Adaware several times now and they've found several Trojans and Spyware on my computer. But it seems like the problem never goes away. I guess that suggest there is something wrong with the registry
I have read some of the other user's issues with the About blank virus. However, before I use the fixes suggested to them, I thought I would post my log file (someone might suggest a different fix).
As per the instructions on this forum, I have downloaded the latest version of HiJackThis, Spyboy & Adaware. I ran Spybot and Adaware before obtaining the Hijackthis Log file. Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 10:14:09 PM, on 6/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\crze.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\HiJackThis\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\catnv.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\catnv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\catnv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\catnv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\catnv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Dominic\Application Data\Mozilla\Profiles\default\1f797nm3.slt\prefs.j s)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Dominic\Application Data\Mozilla\Profiles\default\1f797nm3.slt\prefs.j s)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0BB499B1-E92E-7D81-A802-F1F83F6C63EE} - C:\WINNT\system32\addkj32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FD347C09-91C4-3682-B08E-E6EA1D58C954} - C:\WINNT\system32\mfcxr32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [crze.exe] C:\WINNT\system32\crze.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: Help - {A8C8D753-0E5B-4344-8148-94DF9F50F0E8} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {AD8BA404-0B55-46B0-BE6F-59672937C740} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {F5155B68-646D-4C25-86CF-F6871F14493E} - http://www.comcastsupport.com (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} - http://www.thewows.com/plugins/ue/Install_UE.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Hello,Dominic Greco & Welcome
Make sure you can view hidden and system files: Instructions here
Then Boot to safe mode: Instructions here
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\catnv.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\catnv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\catnv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\catnv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\catnv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0BB499B1-E92E-7D81-A802-F1F83F6C63EE} - C:\WINNT\system32\addkj32.dll
O2 - BHO: Class - {FD347C09-91C4-3682-B08E-E6EA1D58C954} - C:\WINNT\system32\mfcxr32.dll
O4 - HKLM\..\Run: [crze.exe] C:\WINNT\system32\crze.exe
These 2 items here if not put inplace by you or Admins of PC fix them
NOTE some software like Spybot will do this so make sure
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ComcastHSI - {AD8BA404-0B55-46B0-BE6F-59672937C740} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {F5155B68-646D-4C25-86CF-F6871F14493E} - http://www.comcastsupport.com (file missing) (HKCU)
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} - http://www.thewows.com/plugins/ue/Install_UE.exe
Delete the following files\folders IF still present:
C:\WINNT\system32\addkj32.dll<---This file
C:\WINNT\system32\mfcxr32.dll<---This file
C:\WINNT\system32\crze.exe<---This file
Then do this here
click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS
That will change everything back to defaults (M$)......
Change your homepage and search engines to whatever you wish and reset your pc.
When it boots back up, open IE and see if the page stays the way that you set it.
& get this here out of the way
Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
1. Change the Download signed ActiveX controls to Prompt
2. Change the Download unsigned ActiveX controls to Disable
3. Change the Initialize and script ActiveX controls not marked as safe to Disable
4. Change the Installation of desktop items to Prompt
5. Change the Launching programs and files in an IFRAME to Prompt
6. Change the Navigate sub-frames across different domains to Prompt
7. When all these settings have been made, click on the OK button.
8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
Then do a reboot tell us how the PC is doing & show us new logfile.
HGD
-
Thanks for the help!
I have performed the fixes you have recommended and here is the latest Hijack this log file:
Logfile of HijackThis v1.99.1
Scan saved at 4:55:33 PM, on 7/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\mszn.exe
C:\WINNT\system32\d3fm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\umlwj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Dominic\Application Data\Mozilla\Profiles\default\1f797nm3.slt\prefs.j s)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Dominic\Application Data\Mozilla\Profiles\default\1f797nm3.slt\prefs.j s)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {A2F9A004-1F9E-FA80-CD1C-1F50A4F6A0AA} - C:\WINNT\ielh32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [d3fm.exe] C:\WINNT\system32\d3fm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O23 - Service: Network Security Service ( 11Fßä�#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\mszn.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
While it seems to work, one thing I DO notice is the ABOUT Blank still keeps popping up. No matter how many times I've run Hijackthis (in safe Mode) made the repairs (again), and run Spybot and Adaware. Am I doing something wrong here or missing a critical item?
Thanks again for the help
Dominic
-
Hi,Dominic Greco
Yes this one is a hard one to kill but don't give up on me here
Press control-alt-delete to get into the task manager and end the follow processes if they exist:
mszn.exe
d3fm.exe
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.
Go to Start->Run and type "Services.msc" (without quotes) then hit OK
Scroll down and find the service called.
Network Security Service ( 11Fßä�#·ºÄÖ`I)
Make sure it is selected in color. Right click on the service and click on stop. Right click on it again and go to Properties. In the Properties screen and under the General Tab, change the Startup Type to Disabled in the dropdown box. Click on Apply. Then OK. If the service isn't listed go ahead with the rest of these instructions anyway.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\umlwj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A2F9A004-1F9E-FA80-CD1C-1F50A4F6A0AA} - C:\WINNT\ielh32.dll
O4 - HKLM\..\Run: [d3fm.exe] C:\WINNT\system32\d3fm.exe
O23 - Service: Network Security Service ( 11Fßä�#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\mszn.exe
Make sure you can view hidden and system files: Instructions here
Then Boot to safe mode: Instructions here
Delete the following files\folders IF still present:
C:\WINNT\ielh32.dll<---This file
C:\WINNT\system32\d3fm.exe<---This file
C:\WINNT\system32\mszn.exe<---This file
Then do this here
Clean out temporary files:
* Start | Run | type cleanmgr | OK
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Click "OK" to remove them.
* Click "Yes" to confirm the deletion.
& again do this here
click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS
That will change everything back to defaults (M$)......
Change your homepage and search engines to whatever you wish and reset your pc.
When it boots back up, open IE and see if the page stays the way that you set it.
Then do a reboot see how it is & show us a new logfile.
HGD
