RSS Forums RSS

about:blank virus

Please support our Viruses, Spyware and other Nasties advertiser: Programming Forums
Reply
Posts: 18
Reputation: Dreg_02 is an unknown quantity at this point 
Solved Threads: 0
Dreg_02 Dreg_02 is offline Offline
Newbie Poster

Re: about:blank virus

  #1  
Jun 28th, 2004
Originally Posted by Dreg_02
After posting that last one, I tried that program that was posted by happyguy. It seemed to work, the about blank crud isnt coming back for now. However I am remaining skeptical about it. It actually found alot more crud than i thought it would. I guess ad-aware doesn't really find everything. Anyway, it's working for me, but try it at your own risk. I'll let you know if I have an reoccurrances. thanx for the help everyone!

Okay update, it came back! I went into safe-mode ran a cwshredder search, it found 1 CWSearchX.exe and killed it. I also ran an adaware and PC doctor scan. Ad-aware found the CoowWebSearch cookie and PC doctor found a bunch of cookies and the seemingly-imortal Twain-Tech thing, anyway, I ran this hijack this log in safe mode immediatly after the CWShredder was ran, but before the other 2, check it out.

Logfile of HijackThis v1.97.7
Scan saved at 2:08:56 AM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dreg\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.afes.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [spdjldoxbhm] C:\WINDOWS\System32\lrrhxr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Commo
AddThis Social Bookmark Button
Reply With Quote  
Posts: 9,294
Reputation: crunchie is a name known to all crunchie is a name known to all crunchie is a name known to all crunchie is a name known to all crunchie is a name known to all crunchie is a name known to all 
Solved Threads: 596
Moderator
Featured Poster
crunchie's Avatar
crunchie crunchie is offline Offline
Spyware Killer

Re: about:blank virus

  #2  
Jun 28th, 2004
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dreg\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

--------------------------------------------------------------------------

Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

Close all windows except HijackThis and fix the lines above.

In the upper window of APM select explorer.exe
In the lower window find and rightclick the BHO from the HijackThis log (systb.dll)
Select Unload DLL and click OK on the prompts that follow.

Reboot and scan with AdAware (after updating the reference file) to remove the txt and html protocol association.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster

Please do not PM me for help, (I will ignore you if you do). Instead, post in the public forum where others may benefit.
Reply With Quote  
Posts: 9,294
Reputation: crunchie is a name known to all crunchie is a name known to all crunchie is a name known to all crunchie is a name known to all crunchie is a name known to all crunchie is a name known to all 
Solved Threads: 596
Moderator
Featured Poster
crunchie's Avatar
crunchie crunchie is offline Offline
Spyware Killer

Re: about:blank virus

  #3  
Jun 28th, 2004
Originally Posted by Dreg_02
Okay update, it came back! I went into safe-mode ran a cwshredder search, it found 1 CWSearchX.exe and killed it. I also ran an adaware and PC doctor scan. Ad-aware found the CoowWebSearch cookie and PC doctor found a bunch of cookies and the seemingly-imortal Twain-Tech thing, anyway, I ran this hijack this log in safe mode immediatly after the CWShredder was ran, but before the other 2, check it out.

Have split your post out to your own thread for simplicity .
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster

Please do not PM me for help, (I will ignore you if you do). Instead, post in the public forum where others may benefit.
Reply With Quote  
Reply

Quick Reply to Thread

Only community members can participate in forum threads. You must register or log in to contribute.

Register


Similar Threads
Other Threads in the Viruses, Spyware and other Nasties Forum
Views: 7926 | Replies: 2 | Currently Viewing: 1 (0 members and 1 guests)

 

Thread Tools Display Modes
Linear Mode Linear Mode
Forums | Blogs | Tutorials | Code Snippets | Whitepapers | RSS Feeds | Advertising
All times are GMT -4. The time now is 3:21 pm.
Newsletter Archive - Sitemap - Privacy Statement - Acceptable Use Policy - Contact Us
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2008 DaniWeb® LLC