I have spent hours sitting here cleaning my system with Ad-Aware, Spybot S&D, About:Buster, ADSspy, VX2Finder, LSPFix, Winsock Fix XP, and manually cleaning up files and folders! I dabbled in the registry trying to find the answer, and still came up with nothing.
My computer, to me, looks entirely clean! My ad-aware and all other scans find absolutely nothing now.
In safe mode, all is well. In normal mode, my IE settings keep reverting to SP.html and About:Blank, with no visible reason behind it.
I have used the scripts method and Reglite to try and find the registry entries using various websites, and my case doesn't fall into those guidelines at all.
Here is my Hijackthislog, but I doubt it will help any, as it is completely clean except for the SP.html and About:blank IE entries!
Logfile of HijackThis v1.98.2
Scan saved at 6:11:28 PM, on 12/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\winim.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Jon Rosen Systems\HijackThis1982.exe
C:\Jon Rosen Systems\AboutBuster\AboutBuster.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gcnlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gcnlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gcnlq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gcnlq.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Ad-Watch SE Professional.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Thanks for your help, in advance!
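The R0/R1 entries in the log above are the hijack's footprint: IE's start and search pages pointed at a res:// URL served out of a DLL under system32. As an added example, not from the original post or from any of the tools it names, here is a small Python parser for HijackThis-format lines that flags those values and lists the DLLs they resolve to; the sample log lines are constructed from the pattern shown above.

```python
import re

# Constructed sample in HijackThis v1.98.2 line format: the R0/R1 entries
# mirror what a CWS "about:blank" hijack leaves behind (IE start/search
# pages pointed at a res:// URL inside a DLL under system32), plus benign
# entries so the classifier has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gcnlq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gcnlq.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# R0-R3 lines have the shape "<section> - <registry key>,<value name> = <data>"
R_ENTRY_RE = re.compile(r"^(?P<sect>R[0-3]) - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
# res://<dll path>/<page>[#fragment]: a browser page served from a DLL resource
RES_DLL_RE = re.compile(r"^res://(?P<dll>.+?\.dll)/(?P<page>[^#]*)", re.IGNORECASE)


def parse_r_entries(log_text):
    """Return the IE start/search-page (R0-R3) entries of a HijackThis log as dicts."""
    entries = []
    for line in log_text.splitlines():
        m = R_ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """'res_dll' for the res://<dll>/<page> pattern, 'about_blank' for about:blank, else 'other'."""
    data = entry["data"].strip()
    if RES_DLL_RE.match(data):
        return "res_dll"
    if data.lower() == "about:blank":
        return "about_blank"
    return "other"


def find_hijack_indicators(log_text):
    """Return (suspect R entries, sorted lower-cased DLL paths those entries point into)."""
    suspects, dlls = [], set()
    for entry in parse_r_entries(log_text):
        kind = classify(entry)
        if kind == "other":
            continue
        suspects.append(entry)
        if kind == "res_dll":
            dlls.add(RES_DLL_RE.match(entry["data"].strip()).group("dll").lower())
    return suspects, sorted(dlls)


if __name__ == "__main__":
    found, paths = find_hijack_indicators(SAMPLE_LOG)
    for e in found:
        print(f'{e["sect"]} {e["key"]}\\{e["value"]} -> {e["data"]}')
    print("DLLs to inspect (attributes, AV scan):", paths)
```

The parser only tells you which values are hijacked and which DLL they load from; as the rest of the thread shows, the log cannot reveal what rewrites those values after every reboot, so the DLL and the startup list still have to be checked by hand.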

Check this site for additional help on AboutBlank. http://www.spywareinfo.com/~merijn/cwschronicles.html#aboutblank
Before attempting to clean the system again you need to do a few things. Delete all files and folders in the Windows temp folder and empty the temp files and cookies from within IE. Then empty the recycle bin. Boot to safe mode and then run AdawareSE with current updates and then Spybot Search & destroy 1.3. You need to update these programs before booting to safe mode as internet isn't available in safe mode.

What you've done so far is only part of the battle.
Get BHODemon, install and always let this run in background. Normally you should have only three things "helping" IE: Adobe, Norton AV (if installed) and SpyBot (if installed).
ANYTHING else is "a bad guy".
The hijacker's DLL can rename itself and remains hidden.
Get CWShredder and run this.
You DO have AV installed I hope.... Do a full scan just to be sure.
Get the demo version of PestPatrol and note the registry locations when it finds suspect things running.
TaskMan16 is another good tool that will point to suspect DLLs instantly.
Good luck!
PvanS

Thanks for your input guys, even though I'm still stuck with this damned thing.
I have spent a few more hours on it today, doing stuff that you guys recommended.
My NAV2005 finds nothing on the computer.
Ad-Aware finds 0 objects with a full scan with all the options set.
Spybot S&D 1.3 also finds nothing
About Buster 4.0 with the recent Ref List finds nothing anymore. It was finding a registry value for a while, but I went in there and cleaned that, and it hasn't returned.
CWShredder 2.0 hasn't found anything since the beginning.
My Temp folders are all empty, as is the recycle bin.
I've run a scanner called Mwav.exe and manually deleted all .dll and .exe files it found that were "bad". Most of them were hidden and set as system files, so I went into command and used the "attrib -s -h -r" command to get rid of them. That scan comes up clean now as well. The .dll and .exe files were called: "Trojan.Downloader.Win32.Agent.db"
I have also, in the meantime, done the "attrib -s -h -r" to the GCNLQ.DLL file and opened it with Notepad and removed all of its contents. This seemed to have done nothing, even though it is still the dll in the HJT log. I found that quite interesting.
List of programs I am using, all up-to-date Ref lists:
CWshredder 2.0
Hijackthis 1.98.2
About:Buster 4.0 Ref: 18
NAV2005
Ad-Aware SE 1.05
SpyBot S&D 1.3
What else can I do?! Need some Logs? Want me to run more programs?
Thanks again!

Try doing a broad search using the search function in the Start menu. Try searching for "About*." and "Blank*." or any other you can think of. Write down the path and then go into regedit and manually remove these items. Anything referring to aboutblank should be safe to remove. Making a backup of your registry first wouldn't be a bad idea. Are you emptying the recycle bin? Working in safe mode? You may even want to disconnect from the net while doing this. Be sure to open IE and under Tools> Internet Options> General> delete cookies and files.

I have mostly been working in safe mode. Only after I come up "clean" in safe mode do I cross my fingers and go into normal mode.
I have disconnected myself from the internet completely while trying to fix the problem. I clean out all the temp files/folders/recycle bin. The searches didn't come up with anything.
I took a look through my services, and there isn't anything running that is strange, either.

As we speak, I'm making headway!
For some reason, I felt compelled to download an MSCONFIG.exe for windows 2000.
Upon doing so, I turned off all of the programs that start up, and restarted. All of them look like normal, fine processes that I've seen before, so I never even thought "What if it is something running?"
I actually was able to clear my hijackthis log in normal mode, and not have the sp.html come back, after the restart! It's GONE! :)
I'll keep you all posted as to which process was the culprit! I'm going to turn them back on one by one to find out what happened.

The culprit, which I still can't believe it...
ISSSSSS....Ad-Watch!
Using Ad-Aware professional, it uses Ad-Watch as a sort-of "teatimer" like Spybot does. It starts up with windows, and it kept showing me that the entries were entered, and I kept saying "F(**(*!"
Well, now I know never ever ever to use ad-watch again, and to just stick with Spybots Tea Timer.
I was looking in the settings of Ad-Watch and didn't see anything about IE settings and reverting them back, and saving them, and such... so, I still don't understand why it kept putting back the SP.HTML values whenever I changed them.
Thanks again for all of your help everyone!

Hi,
I'm not using Ad-Watch or at least it doesn't show up in the Processes tab of Task Manager. Is your system still sp.html free?
There is definitely a process which is running which causes the virus to resurrect itself with different file names. Could it be svchost.exe? I have three of them running...

Hi
I'm not sure from your last input if you have "fixed" your problem or not but I looked back through the tools I used to fix my son's machine and found this link:
http://www.neuber.com/taskmanager/index.html
Go there and get the TaskMan tool.
This will show you a graphic realtime chart of what is running on your system along with a probability message if the object is something you should worry about. It also provides a direct google link so you can identify objects better.
Quarantine options allow you to isolate things like sp.html and help.dll.
Best is to get the REG address, search the REGISTRY and delete those suspicious entries.
Also: get BHO Demon. This little tool allows you to "accept" the native browser helpers and will alert you immediately if an alien surfaces. On a "normal" system you will see three "helpers" here: Adobe, NAV and SpyBot.
PS: AdWareAway is also a very helpful tool against trojans. If you have trouble with a trojan and NAV will not remove it, go to SARC.COM and search the database for the trojan. Often there is a download to remove it. Many of these fixes require you to be offline when you hunt the trojan down due to their "call home" stealth/rename capability.
Regards
PvanS
