47 Posts

November 30th, 2004 13:00

Help! HijackThis Log. About:blank cannot be deleted...

My PC was hit by malicious spyware/adware which changed my default page to an unknown About:blank search page.  I found some culprits by running Spybot S&D and Ad-Aware SE.  However, the About:blank spyware kept coming back to haunt me when I restart the PC.  Would any expert here have a look at my HijackThis log and give me some hints on how to clean the About:blank spyware?
 
Many Thanks.
 
 
Logfile of HijackThis v1.97.7
Scan saved at 下午 11:38:27, on 2004/11/30
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis Anti-Spy\HijackThis.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
 

4.8K Posts

November 30th, 2004 20:00

water,

Let's download the newest version of HiJackThis and use it to generate the log:

http://www.majorgeeks.com/download3155.html

Also, are you running a limited startup? If so, you need to give us the entire 'smack' to review.

Mike.

47 Posts

December 1st, 2004 15:00

Thanks.  I downloaded the zip file but was not able to unzip it.  Is there anywhere I can download an unzipped version?

4.8K Posts

December 2nd, 2004 02:00

water,

I'm sure there is. I've checked a few sites, but all of them list it as zip. Were you getting an error message when trying to unzip the file?

Mike.

 

47 Posts

December 2nd, 2004 08:00

When I double-click the icon, my system asks me which application should be used to open the file.

Do you know where I could download a free WinZip application?

47 Posts

December 2nd, 2004 14:00

I just downloaded an evaluation version of WinZip and unzipped the HijackThis file.  Here is the log from v1.98.2.  Please help...

 

Logfile of HijackThis v1.98.2
Scan saved at 上午 12:50:23, on 2004/12/3
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\HijackThis Anti-Spy\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

 

4.8K Posts

December 2nd, 2004 19:00

water,

Are you running a limited startup? Or are using a computer with multiple user accounts?

Mike.

 

4.8K Posts

December 3rd, 2004 03:00

water,
 
That's strange, I've never seen a HiJackThis log from a system with an about:blank infection that doesn't have any R0-R1 entry(s).
 
Mike.
 

47 Posts

December 3rd, 2004 03:00

No.  I am using an individual notebook.

47 Posts

December 3rd, 2004 08:00

The About:blank does not hit me every time.  It usually hits me once every two logins.

Also, the log was generated after I cleaned my PC with Ad-Aware SE.  Should I send you the log from before the scanning?

4.8K Posts

December 3rd, 2004 11:00

water,
 
If the about:blank disappeared after running AdAware SE Personal, were you still having a problem when you posted? Or were you just unsure about whether AdAware had completely removed the infection?
 
If you're unsure, go ahead and post up a log and we'll look at it for you and see if anything has been left behind.
 
Mike.

47 Posts

December 4th, 2004 07:00

The About:blank has just come back.  It hasn't hit my internet browser yet because I haven't opened a new IE, but I found it in IE's Properties, where the Home Page box has just been changed to About:blank.

I did the HJT scan before running any anti-spy application.  Here is the log.  Please help.....

------------------------

Logfile of HijackThis v1.98.2
Scan saved at 下午 05:38:56, on 2004/12/4
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis Anti-Spy\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7F73CF23-6C9C-441E-B84C-FA8274CCA395} - C:\WINNT\system32\aconka.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Filter: text/html - {898DA1D5-F4B2-41CB-AEB9-C3F08552E21B} - C:\WINNT\system32\aconka.dll
O18 - Filter: text/plain - {898DA1D5-F4B2-41CB-AEB9-C3F08552E21B} - C:\WINNT\system32\aconka.dll

 

4.8K Posts

December 4th, 2004 13:00

water,
 
Let's try going to www.trendmicro.com and clicking "Free Online Scan" to see if it turns up anything. When it's done, select all available drives, then click "Scan".
 

 
The entry(s) below are the only ones that I can see. The two 'filters' don't show up on GOOGLE, so I'm assuming it's bad. Unless you know what they are, I'd 'fix' them.
 
 
O2 - BHO: (no name) - {7F73CF23-6C9C-441E-B84C-FA8274CCA395} - C:\WINNT\system32\aconka.dll
 
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
 
O18 - Filter: text/html - {898DA1D5-F4B2-41CB-AEB9-C3F08552E21B} - C:\WINNT\system32\aconka.dll
O18 - Filter: text/plain - {898DA1D5-F4B2-41CB-AEB9-C3F08552E21B} - C:\WINNT\system32\aconka.dll
 

 
Locate and delete the following, after fixing the above with hjt.
 
C:\WINNT\system32\aconka.dll
 
Mike.
 
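As an added illustration (not code from this thread, from HijackThis, or from its author), the Python below parses HJT "Oxx" lines, diffs two logs the way the Dec 3 and Dec 4 logs above were compared, and flags the pattern Mike points at: one DLL registered both as a BHO (O2) and as text/html and text/plain MIME filters (O18 Filter). The sample lines are a constructed subset of those two logs; the output is a list of reasons to look closer, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the Dec 3 log (hijacker absent) and of the
# Dec 4 log (taken before any anti-spyware run), both quoted in the thread.
CLEAN_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [SSC_UserPrompt] C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\\Program Files\\HP\\hpcoretech\\comp\\hpuiprot.dll
"""
INFECTED_LOG = CLEAN_LOG + """\
O2 - BHO: (no name) - {7F73CF23-6C9C-441E-B84C-FA8274CCA395} - C:\\WINNT\\system32\\aconka.dll
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O18 - Filter: text/html - {898DA1D5-F4B2-41CB-AEB9-C3F08552E21B} - C:\\WINNT\\system32\\aconka.dll
O18 - Filter: text/plain - {898DA1D5-F4B2-41CB-AEB9-C3F08552E21B} - C:\\WINNT\\system32\\aconka.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")   # "O18 - Filter: ..." -> section, detail
PATH_RE = re.compile(r"\b[A-Za-z]:\\.*$")   # first drive-letter path up to end of line

def module_of(section, detail):
    """The file a hook loads: the drive-letter path on the line, or for O4 Run
    entries without one (e.g. 'mobsync.exe /logon') the command after the name."""
    m = PATH_RE.search(detail)
    if m:
        return m.group(0).lower()
    return (detail.split("] ", 1)[-1] if section == "O4" else detail).lower()

def parse(log):
    """Return (section, detail, module) for every 'Oxx - ...' line in an HJT log."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, detail = m.groups()
            out.append((section, detail, module_of(section, detail)))
    return out

def new_entries(before, after):
    """Entries present in the later log but absent from the earlier one."""
    seen = {(s, d) for s, d, _ in parse(before)}
    return [(s, d) for s, d, _ in parse(after) if (s, d) not in seen]

def flag(log):
    """Map each module to reasons it deserves a closer look. A registered MIME
    filter (O18 'Filter:') gets to process every text/html or text/plain response
    IE renders, which legitimate software rarely needs; and one DLL hooked under
    several section types (here BHO + filter) is a single component that has to
    be fixed in HJT under every entry at once, then deleted from disk."""
    sections, reasons = defaultdict(set), defaultdict(list)
    for section, detail, module in parse(log):
        sections[module].add(section)
        if section == "O18" and detail.startswith("Filter:"):
            reasons[module].append("MIME filter: " + detail.split(" - ")[0])
    for module, secs in sections.items():
        if len(secs) > 1:
            reasons[module].append("hooked via " + ", ".join(sorted(secs)))
    return {m: sorted(set(r)) for m, r in reasons.items()}
```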

47 Posts

December 4th, 2004 15:00

I deleted the file you mentioned but haven't done the www.trendmicro.com scan yet.  The following is my latest HJT scan.  Does it look good?

Just encountered another problem.  My IE cannot open web pages with JavaScript.  I guess I have mistakenly deleted some files from the HJT scan.  Is that a reasonable assumption?

----------------

Logfile of HijackThis v1.98.2
Scan saved at 上午 01:32:44, on 2004/12/5
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis Anti-Spy\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

 

4.8K Posts

December 4th, 2004 15:00

water,

Have you tried restoring the entry(s), to see if that was the cause of the problem?

Post back the results.

Mike.

 
