Old 04-13-2005, 02:09 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2005
Posts: 9
OS: NT200


about:blank Home Page High Jacker

I have the about:blank Spyware problem on my laptop. I tried Adware, Spybot and a couple of other Spy Remove programs without any success.

I created this result file with HighjackThis Analyzer. I followed the guidelines that were explained in one of the posts. I hope someone can help me to get rid of this annoying Spyware problem.

Thank you for your help.
Attached Files
File Type: txt result.txt (7.8 KB, 4 views)
Old 04-13-2005, 08:42 PM   #2 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


I have Posted this log for better viewing......


Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:20:33 PM, on 4/13/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\IP VPN Remote Services\cvpnd.exe
C:\BOSSDE\DEClntNT.EXE
C:\Program Files\3C Software\ImpactECS\Imp3CSvr.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe
C:\WINNT\System32\RASLOGON.EXE
C:\WINNT\system32\winmn32.exe
C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
C:\Program Files\AccessManager\SMOC\spi_da.exe
C:\Program Files\AccessManager\Client\DAPlugin.exe
C:\HighJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fabrics1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = f1aussm001.fabrics1.com:8002
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bp.com;*.fabrics1.com;*.*.bp.com;*.*.*.bp.com;*.amoco.com;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\ActiveX\ACROIE~1.OCX
O2 - BHO: (no name) - {270B9E11-6C0E-5996-097E-0F955B318C70} - C:\WINNT\addcj.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [IBMPMSVC] C:\WINNT\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [iRAS Logon Tool Current User Settings] C:\Program Files\BP\iRAS\ACU.exe
O4 - HKLM\..\Run: [Nokia Connection Monitor] "C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe"
O4 - HKLM\..\Run: [RASLogon] %SystemRoot%\System32\RASLOGON.EXE
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\eXpress\NS Client\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [winmn32.exe] C:\WINNT\system32\winmn32.exe
O4 - HKLM\..\RunOnce: [atllb32.exe] C:\WINNT\atllb32.exe
O4 - HKLM\..\RunOnce: [d3eu.exe] C:\WINNT\d3eu.exe
O4 - Global Startup: Cisco Systems IP VPN Remote Services.lnk = C:\Program Files\IP VPN Remote Services\vpngui.exe
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O12 - Plugin for .dmn: C:\PROGRA~1\INTERN~1\PLUGINS\NPDWSS32.DLL
O12 - Plugin for .dmo: C:\PROGRA~1\INTERN~1\PLUGINS\NPDWSS32.DLL
O12 - Plugin for .dmu: C:\PROGRA~1\INTERN~1\PLUGINS\NPDWSS32.DLL
O14 - IERESET.INF: START_PAGE_URL=http://ffbunet.fabrics1.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {10101010-1010-1111-1010-101010101011} - mhtml:C:\\WINX.MHT!http://216.240.137.41/counter/ie.exe
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwgc.ops.placeware.com/etc/...uicksilver.cab
O16 - DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} (EZUploader Control) - http://www.ezprints.com/software/ezuploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fabrics1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fabrics1.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fabrics1.com
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\System32\ccsrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\IP VPN Remote Services\cvpnd.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: BOSS DiagWin Client (DEClntService) - Unknown owner - C:\BOSSDE\DEClntNT.EXE
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Impact Server - 3C Software, Inc. - C:\Program Files\3C Software\ImpactECS\Imp3CSvr.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe


End of KRC HijackThis Analyzer Log.

Last edited by Pancake; 04-13-2005 at 08:44 PM.
Old 04-13-2005, 08:54 PM   #3 (permalink)
rjf
Registered User
 
Join Date: Apr 2005
Posts: 6
OS: XP


This is a cut and paste from a notepad file a friend sent me; he had murder trying to get rid of about:blank from a customer's machine. I have not tried this myself but I know a few who have and they say it has worked for them.
Please read it very carefully as it involves registry editing and one mistake in the registry can crash your OS.
Quote:
Programs Needed:

Reglite.exe
(available at “ http://www.resplendence.com/download/reglite.exe ”)

Microsoft Recovery Console
(an option available on your Windows CD or root drive)
run “X:\i386\winnt32.exe /cmdcons”
where “X” is either CD drive letter or is “C” for your root.

HiJackThis.exe
(available at “ http://download.com.com/3000-2144-10227352.html ”)

There are two application extension (.dll) files that
need to be deleted. One is hidden (thanks Akadia!),
one is detected with “HiJackThis.exe”.

1) With “Reglite.exe” find name of hidden file:

Double Click on “AppInit_DLLs” located in
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\”
The “value” window reveals the hidden file name.
(mine was “hlpl.dll”, yours may be different!)
In this example let’s call it “hidden.dll”

2) Rename the hidden file:

Close Windows and reboot using “Windows Recovery Console”
Go to “c:\Windows\system32\” and do two things.
Change file from read only by typing “attrib -r hidden.dll”
Then rename it (I don’t know why, but this procedure did not work
until I renamed it) type “rename hidden.dll nasty.dll”
(and remember that “hidden.dll” is for this explanation only
use the name you found earlier) Type “exit” and reboot to Windows.

3) Edit registry to remove hidden file

Run “reglite.exe” again.
Double Click on “AppInit_DLLs” located in
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\”
Delete the file in “value” window, the “size” window changes also.
“Apply” changes and exit “reglite.exe”

4) Edit registry to remove the second file

Run “HiJackThis.exe” and scan the registry.
Check the boxes to remove the following entries:
“R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank”
(as you can see my second .dll was called “jheckb.dll” yours may be different) For this example let’s call it “obvious.dll”.

Finally delete the two .dlls (“hidden.dll” and “obvious.dll”)
You should be running again.
Old 04-13-2005, 09:11 PM   #4 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Hi and Welcome
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order it's listed. These instructions only apply to HJT v1.99.1.

Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes.

Download any of the required programs before attempting to start any of the fixes.



Turn off System Restore instructions (WinXP)
Rightclick My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------

Download and run AboutBuster & CWShredder (check for updates) for a preliminary cleanup first. Some files below may not be present after running the above programs. Full instructions below.



How to setup AboutBuster

Download AboutBuster

Then unzip all files from the zip folder to a folder or your desktop. Start it and press the OK button. Then hit the update button and a new screen will appear. On that screen press the Check for Updates button.

To scan your machine, press the Start button and then press OK. The program should start scanning. When it is done, press the exit button and reboot. Once rebooted run About:Buster one more time.

This program is updated often so you should always use the built in update feature before you scan with it.

---------------------------------------------------------------------

How to install and run CWShredder

Download CWShredder
Choose the stand alone version. This is free.
Save cwshredder.exe into its own directory, NOT in a TEMPorary folder or on the DESKTOP.
I recommend, c:/program files/CWShredder/
Close all browsers
Unzip into same directory
Doubleclick CWSInstall.exe
Click <Check for updates> and let it install all updates
Click <Fix>
Click <Next>
Close CWShredder

----------------------------------------------------------------------


Files highlighted in BLACK will need to be removed from your hard drive.

------------------------------------------------------------------

Please start by putting HJT in SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This"
------------------------------------------------------------------



Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click End Process for each one if they are still listed.


C:\WINNT\system32\winmn32.exe
C:\WINNT\atllb32.exe
C:\WINNT\d3eu.exe

------------------------------------------------------------------

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {270B9E11-6C0E-5996-097E-0F955B318C70} - C:\WINNT\addcj.dll
O3 - Toolbar: (no name
O4 - HKLM\..\Run: [winmn32.exe] C:\WINNT\system32\winmn32.exe
O4 - HKLM\..\RunOnce: [atllb32.exe] C:\WINNT\atllb32.exe
O4 - HKLM\..\RunOnce: [d3eu.exe] C:\WINNT\d3eu.exe
O16 - DPF: {10101010-1010-1111-1010-101010101011} - mhtml:C:\\WINX.MHT!http://216.240.137.41/counter/ie.exe


------------------------------------------------------------------

Open Windows Explorer and delete the following highlighted file/s (or delete the whole (Red) folder if listed).

C:\WINNT\system32\winmn32.exe
C:\WINNT\atllb32.exe
C:\WINNT\d3eu.exe


-------------------------------------------------------------------
Check that you have carried out all the above steps/fixes and then reboot into Normal Mode and download Cleanup. This will clean out your temporary files.

When finished please post a new log......
__________________
Eddy
Old 04-16-2005, 07:49 AM   #5 (permalink)
Registered User
 
Join Date: Apr 2005
Posts: 9
OS: NT200


about:blank Browser Highjacker New Log

Pancake thanks for the reply and help.

I carried out all the steps that you suggested and it seems that with your help the about:blank problem is cleared.

This is the new Highjack this Analyzer file that I created after completing all the steps in your response.

Thanks all for the help and responses. Please let me know if I need to clear more entries.


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:19:57 AM, on 4/16/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\IP VPN Remote Services\cvpnd.exe
C:\BOSSDE\DEClntNT.EXE
C:\Program Files\3C Software\ImpactECS\Imp3CSvr.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe
C:\WINNT\System32\RASLOGON.EXE
C:\HighJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fabrics1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = f1aussm001.fabrics1.com:8002
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bp.com;*.fabrics1.com;*.*.bp.com;*.*.*.bp.com;*.amoco.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\ActiveX\ACROIE~1.OCX
O4 - HKLM\..\Run: [IBMPMSVC] C:\WINNT\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [iRAS Logon Tool Current User Settings] C:\Program Files\BP\iRAS\ACU.exe
O4 - HKLM\..\Run: [Nokia Connection Monitor] "C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe"
O4 - HKLM\..\Run: [RASLogon] %SystemRoot%\System32\RASLOGON.EXE
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\eXpress\NS Client\AeXAgentActivate.exe" /logon
O4 - Global Startup: Cisco Systems IP VPN Remote Services.lnk = C:\Program Files\IP VPN Remote Services\vpngui.exe
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O12 - Plugin for .dmn: C:\PROGRA~1\INTERN~1\PLUGINS\NPDWSS32.DLL
O12 - Plugin for .dmo: C:\PROGRA~1\INTERN~1\PLUGINS\NPDWSS32.DLL
O12 - Plugin for .dmu: C:\PROGRA~1\INTERN~1\PLUGINS\NPDWSS32.DLL
O14 - IERESET.INF: START_PAGE_URL=http://ffbunet.fabrics1.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwgc.ops.placeware.com/etc/...uicksilver.cab
O16 - DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} (EZUploader Control) - http://www.ezprints.com/software/ezuploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fabrics1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fabrics1.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fabrics1.com
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\System32\ccsrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\IP VPN Remote Services\cvpnd.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\CWShreder\CWShredder.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: BOSS DiagWin Client (DEClntService) - Unknown owner - C:\BOSSDE\DEClntNT.EXE
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Impact Server - 3C Software, Inc. - C:\Program Files\3C Software\ImpactECS\Imp3CSvr.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe


End of KRC HijackThis Analyzer Log.
====================================================================
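
Added example (not part of any post in this thread, and not code from HijackThis or KRC HijackThis Analyzer): a Python script that parses HijackThis entry lines, flags the kinds of entries that appear in the fix list above, and checks whether any of them survive in a follow-up log. The rule set and the function names are assumptions made for this example; the two sample logs are abridged from the logs posted in the thread.

```python
import re

# A HijackThis entry line has the form "<section code> - <body>".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Assumed rules, read off the fix list in this thread. They are an illustrative
# subset, not a complete ruleset: (section codes, pattern on the body, reason).
RULES = [
    (("R0", "R1"), re.compile(r"= res://.+\.dll/", re.I),
     "IE search setting points into a DLL resource"),
    (("O2",), re.compile(r"^BHO: \(no name\)"), "unnamed Browser Helper Object"),
    (("O3",), re.compile(r"\(no file\)$"), "toolbar entry with no file behind it"),
    (("O4",), re.compile(r"\[([^\]]+\.exe)\] .*\\\1$", re.I),
     "autorun value named after its own executable"),
    (("O16",), re.compile(r" - mhtml:", re.I),
     "ActiveX download source wrapped in mhtml:"),
]


def parse_entries(log_text):
    """Return (code, body) for every entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def flag(entries):
    """Return (code, body, reason) for each entry that matches one of RULES."""
    hits = []
    for code, body in entries:
        for codes, pattern, reason in RULES:
            if code in codes and pattern.search(body):
                hits.append((code, body, reason))
                break
    return hits


def still_present(before_log, after_log):
    """Flagged entries from the first log that are still listed in the follow-up log."""
    after = set(parse_entries(after_log))
    return [hit for hit in flag(parse_entries(before_log)) if hit[:2] in after]


# Abridged from the first log posted in the thread (4/13/2005).
BEFORE = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fabrics1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\ActiveX\ACROIE~1.OCX
O2 - BHO: (no name) - {270B9E11-6C0E-5996-097E-0F955B318C70} - C:\WINNT\addcj.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [RASLogon] %SystemRoot%\System32\RASLOGON.EXE
O4 - HKLM\..\Run: [winmn32.exe] C:\WINNT\system32\winmn32.exe
O4 - HKLM\..\RunOnce: [d3eu.exe] C:\WINNT\d3eu.exe
O16 - DPF: {10101010-1010-1111-1010-101010101011} - mhtml:C:\\WINX.MHT!http://216.240.137.41/counter/ie.exe
O16 - DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} (EZUploader Control) - http://www.ezprints.com/software/ezuploader.cab
O23 - Service: BOSS DiagWin Client (DEClntService) - Unknown owner - C:\BOSSDE\DEClntNT.EXE
"""

# Abridged from the follow-up log (4/16/2005).
AFTER = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fabrics1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\ActiveX\ACROIE~1.OCX
O4 - HKLM\..\Run: [RASLogon] %SystemRoot%\System32\RASLOGON.EXE
O16 - DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} (EZUploader Control) - http://www.ezprints.com/software/ezuploader.cab
O23 - Service: BOSS DiagWin Client (DEClntService) - Unknown owner - C:\BOSSDE\DEClntNT.EXE
"""

if __name__ == "__main__":
    for code, body, reason in flag(parse_entries(BEFORE)):
        print(f"{code:<4}{reason}: {body}")
    print("still present after cleanup:", still_present(BEFORE, AFTER))
```

An empty result from `still_present` only means the flagged lines are gone from the log; it says nothing about entries the rules do not cover.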
Old 04-16-2005, 09:49 AM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Just one minor one. Check and fix in HijackThis:

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwgc.ops.placeware.com/etc...quicksilver.cab


No need for new log.

Get the latest service pack for Windows 2000 if you can.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

Old 04-18-2005, 11:25 AM   #7 (permalink)
Registered User
 
Join Date: Apr 2005
Posts: 9
OS: NT200


about:blank problem fixed

I am very grateful for the help that I received from this forum.

With the help from Pancake and Greyknight17 I was able to clean my laptop from the about:blank Browser Highjacker Spyware problem.

Thanks again for your help. All of you deserve a medal of honor.

All the best.