Help Required - about:blank

dominicb
Hello all

Can anyone please help? My browser (IE6 - Win XP Pro) has been hijacked by the about:blank page hijacker. It's driving me mad. Can anyone please tell me how to get rid of it or recommend any (preferably free) software to remove it? I have tried using Start Page Guard, but this doesn't remove the offending files, it just stops them from changing the home page, and doesn't cure the other symptoms (blocking certain sites (my personal freespace for one), millions of popups telling me I have been infected with spyware, etc.).

I have also tried using Adaware and SpyBot - I'm at my wits end.

Thank you

DominicB :(
 
You can try the Microsoft AntiSpyware; it can check your PC and it prevents changes to your IE settings. You can set the IE default settings too and control the toolbars.
 
If I remember correctly (which I sometimes do) the about:blank is caused by CWS (CoolWebSearch). If it's a newer variant you could use the demo of SpySweeper (just to remove it) or CWS Shredder (see if it gets it, doubtful though). Prae would prolly have some better advice for you.
 
Hi guys

Thanks for your very prompt advice. I've just downloaded and tried the Microsoft AntiSpyware - it found two pieces of malware on my system and removed them, but the lovely about:blank thing wasn't one of them. Still there; I've done a second MS scan and it's supposedly clean.

BTW, Lord Anthrax, I think it is the CWS one...

Any other ideas?

Thanks :mad:

DominicB
 
Hi and thanks Elmarcorulz

I've downloaded Hijack This and run a system scan, with the results shown below. Hope this is what you wanted. Thanks again for any help you can give. :confused:

Logfile of HijackThis v1.99.1
Scan saved at 18:23:11, on 04/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\PCD32\client32.exe
C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe
C:\ePOAgent\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\Unicenter Remote Control\rcHost.exe
C:\WINDOWS\UMCSTUB.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\ePOAgent\UpdaterUI.exe
C:\Program Files\CA\Unicenter Asset Management\Agents\UMCLOGIN.EXE
C:\Program Files\CheckPoint\FireWall-1 Authentication Agent\FWSession.exe
C:\SxpInst\sxplog32.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\domjob\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\domjob\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wesintra
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\domjob\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Weir Engineering Services
O1 - Hosts: 128.1.10.1 gora01
O1 - Hosts: 128.1.10.2 gora02
O1 - Hosts: 128.1.10.3 gora03
O1 - Hosts: 128.1.10.4 gora04
O1 - Hosts: 128.1.10.5 gora05
O1 - Hosts: 128.1.10.6 gora06
O1 - Hosts: 128.1.10.7 gora07
O1 - Hosts: 128.1.10.8 gora08
O1 - Hosts: 128.1.1.60 gms01
O1 - Hosts: 128.1.1.4 gms04
O1 - Hosts: 128.1.1.5 gms05
O1 - Hosts: 128.1.1.8 gms08
O1 - Hosts: 128.1.1.9 gms09
O1 - Hosts: 128.1.1.122 gmsnt03
O1 - Hosts: 128.1.1.162 intra
O1 - Hosts: 128.1.1.162 domprod1
O1 - Hosts: 128.1.1.140 gmsnt04
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {887CC58B-F9EA-4D79-9699-2C66F954EE7E} - C:\WINDOWS\System32\hhdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PC-Duo System Snapshot] C:\PCD32\CLBOOT32.EXE
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [UAMAgent] C:\Program Files\CA\Unicenter Asset Management\Agents\UMCLOGIN.EXE /I
O4 - HKLM\..\Run: [CA-AMAgent] C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: FireWall-1 Authentication Agent.lnk = C:\Program Files\CheckPoint\FireWall-1 Authentication Agent\FWSession.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://wesintra
O18 - Filter: text/html - {B4749A5E-2CB2-479B-942E-9250DD1C853B} - C:\WINDOWS\System32\hhdd.dll
O18 - Filter: text/plain - {B4749A5E-2CB2-479B-942E-9250DD1C853B} - C:\WINDOWS\System32\hhdd.dll
O20 - AppInit_DLLs: RCEnumDD.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: Client32 - Productive Computer Insight Ltd - C:\PCD32\client32.exe
O23 - Service: DM Primer (DMPrimer) - Unknown owner - C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe" -DMPRIMER_SERVICE_: (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: Unicenter Remote Control Host (rcHost) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Remote Control\rcHost.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
 
May I jump in?...

There are a few hijacks out there that are very hard to get rid of: HSA and its variants, and about:blank and its variants. As of recently there are no known single programs that can actually take these things out completely. And if you don't get it ALL out, it will re-seed within a very short time. Usually you need a combination of HijackThis, reglite, and maybe killbox; ccleaner wouldn't hurt to throw into the fray either. You also could do with a good virus cleaning first. Try Panda online before going any further, then continue with what's below.
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

I have heard claims that a product called Adware Away will kill it (if it does, it's the 1st to effectively do so). Try downloading it (trial version is ok), installing it, updating it and running a full scan, let it clean your about:blank and post your results here so we know if it works well (you'll have to run it, reboot and run it again). If it doesn't work then proceed with the following instructions. (Remember to turn off System Restore, and don't run HijackThis with any IE windows open.) Oh, and be sure to run the Panda scan before anything else.

Manual removal:
You need to look at the "O20 - AppInit_DLLs: RCEnumDD.dll" line in your hjt log. That is the hidden file that will keep on reinfecting you time after time. You need to also end these processes first: sxplog32.exe, spoolsv.exe, smss.exe. These are trojans and possibly part of your infection. Run the virus scan first; if any of these are still there, then end their process (hjt can do this in the misc. tools section).

After ending the processes, search & delete the following with reglite: RCEnumDD.dll

Use hjt and check the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {887CC58B-F9EA-4D79-9699-2C66F954EE7E} - C:\WINDOWS\System32\hhdd.dll
O18 - Filter: text/html - {B4749A5E-2CB2-479B-942E-9250DD1C853B} - C:\WINDOWS\System32\hhdd.dll
O18 - Filter: text/plain - {B4749A5E-2CB2-479B-942E-9250DD1C853B} - C:\WINDOWS\System32\hhdd.dll
O20 - AppInit_DLLs: RCEnumDD.dll
O23 - Service: DM Primer (DMPrimer) - Unknown owner - C:\Program Files\CA\SharedComponents\DesktopCommonServices\DM Primer\dmprimer.exe" -DMPRIMER_SERVICE_: (file missing)

After this, reboot to safe mode and search again for any of the offending files; if found, then delete them and boot normally.

See if that fixes things. (It may not; we usually have to go through this a couple of times until it gets completely cleaned out.)
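The removal advice above singles out a handful of HijackThis entry types (R0/R1 pages set to about:blank or served from a res:// DLL in Temp, a nameless O2 BHO, O18 text/html and text/plain filters, and a populated O20 AppInit_DLLs line). The following is an added triage script, not from anyone in this thread, that parses a HijackThis-style log and flags those same patterns; the sample log lines are copied from the log posted above.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\domjob\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wesintra
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {887CC58B-F9EA-4D79-9699-2C66F954EE7E} - C:\WINDOWS\System32\hhdd.dll
O18 - Filter: text/html - {B4749A5E-2CB2-479B-942E-9250DD1C853B} - C:\WINDOWS\System32\hhdd.dll
O20 - AppInit_DLLs: RCEnumDD.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
"""

# Every HijackThis entry starts with a section code such as R1, O2, O18, O23.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

def check_line(section, body):
    """Return a reason string if this entry matches one of the hijack
    patterns discussed in the thread, otherwise None."""
    if section in ("R0", "R1") and " = " in body:
        value = body.rsplit(" = ", 1)[1].strip().lower()
        if value == "about:blank":
            return "IE search/start page reset to about:blank"
        if value.startswith("res://") and "\\temp\\" in value:
            return "IE page served from a res:// DLL sitting in a Temp folder"
    elif section == "O2" and body.startswith("BHO: (no name)"):
        return "browser helper object registered without a name"
    elif section == "O18" and re.match(r"Filter: text/(html|plain) ", body):
        return "MIME filter hooked on text/html or text/plain (sees every page)"
    elif section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs set: that DLL is loaded into every process using user32"
    return None

def triage(log_text):
    """Parse a HijackThis log and return (section, reason, line) for each hit."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        reason = check_line(m.group("sec"), m.group("body"))
        if reason:
            findings.append((m.group("sec"), reason, line))
    return findings

if __name__ == "__main__":
    for sec, why, entry in triage(SAMPLE_LOG):
        print(f"[{sec}] {why}\n    {entry}")
```

The ordinary entries in the sample (the Acrobat BHO, the intranet Default_Page_URL, the McAfee service) pass through unflagged, so the output is only the lines worth a second look.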
 
May sound stupid and too simple.
Have you tried ''Go Back'' or ''System Restore'' to a point before this took hold?

Just an idea.
 
System restore will take a snapshot of your settings, which will also include all the nasties. Besides, the actual files still exist and will continue to re-infect the machine no matter if you restore your settings to a previous time or not.

Like I said in my first paragraph above, there are some of these things that are just plain ol' hard to get rid of, and Ad-AwareSE and SpyBot can't deal with these hijacks effectively because they can't get to the hidden file that re-seeds the hijack.
 
Go into Internet Explorer options, now try and type something in there. You may have clicked "use blank" or something similar. Sorry if you've tried this and have already put something.

If that doesn't fix it.....

dominicb said:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\domjob\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wesintra
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\domjob\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Weir Engineering Services

From what I can tell something here is causing your problem. But don't do anything yet without someone confirming my suspicions.
 
Oh ya, by the way, what are all these entries in your hosts file?
O1 - Hosts: 128.1.10.1 gora01
O1 - Hosts: 128.1.10.2 gora02
O1 - Hosts: 128.1.10.3 gora03
O1 - Hosts: 128.1.10.4 gora04
O1 - Hosts: 128.1.10.5 gora05
O1 - Hosts: 128.1.10.6 gora06
O1 - Hosts: 128.1.10.7 gora07
O1 - Hosts: 128.1.10.8 gora08
O1 - Hosts: 128.1.1.60 gms01
O1 - Hosts: 128.1.1.4 gms04
O1 - Hosts: 128.1.1.5 gms05
O1 - Hosts: 128.1.1.8 gms08
O1 - Hosts: 128.1.1.9 gms09
O1 - Hosts: 128.1.1.122 gmsnt03
O1 - Hosts: 128.1.1.162 intra
O1 - Hosts: 128.1.1.162 domprod1
O1 - Hosts: 128.1.1.140 gmsnt04

If you don't recognize the IP addresses or computer names then have hjt remove them as well. They look like they may be a bunch of computers on a LAN you're also on???
 
I think I've found what's causing it.

O14 - IERESET.INF: START_PAGE_URL=http://wesintra

It's changing the start page to http://wesintra, which doesn't exist. If you see something with that in it, delete it.
 
Be sure to take out the files I posted (post#8), sxplog32.exe, spoolsv.exe, smss.exe, these are verifiable trojans. Have you taken out the hjt entries I and elmarcorulz suggested? Post back when you have...
 
When I get home I will tell you exactly what to delete. As for the R's you can delete all of those without a problem.
 
Hi guys

Thanks for all the posts - sorry for the delay in posting back. I think the long winded routine worked, and it seems I can now do what I couldn't before - access my home pages, and funnily enough excelforum.com, where I am a regular contributor. It also seems that my home page is no longer the wonderful (???) about:blank. BTW wesintra is our intranet at work and was my previous homepage before about:blank kicked in.

So for the benefit of the next people you give advice to, here's what worked and what didn't.
Spybot and Adaware - nope
Start Page Guard - nope
MS Antispyware - nope
Panda Online - couldn't use it because it's an online scan and the hijacker hijacks the online dialog box (clever)
Adware Away - nope

Deleting the files and keys with HJT did work, but I couldn't have done that on my own. One last thing, I couldn't delete the files smss.exe or spoolsv.exe. Any ideas? I tried halting the service with HJT but it wouldn't have it, and I also tried deleting the files (in my System32 directory) during startup, again using HJT to no avail. They don't seem to be affecting my system at the moment but if they are known trojans I'd rather they weren't there.

BTW did you know that the guys who set up this about:blank hijacker actually sell you a solution to get rid of it? You probably did.

Anyway a massive thanks to everyone who offered good advice on how to get rid of it, particularly Byteman and Elmacorulz.

Thanks again guys

DominicB :P
 
Thanks for the reply.

Good to hear things are back toward normal. Thank you for trying AdwareAway, I now know not to recommend it despite the claims. Also you may want to boot to safe mode to delete those files, (F8 key on a reboot will let you into safemode), find the files and rightclick on them, click Properties and if they have a check by "Read only", uncheck it and delete them.

Good Luck,
Byteman ;)
 
Did you try using SpySweeper like I had suggested?

P.S. I know what was told to delete, I'm restating it for him and you also might want to delete
cam.exe
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=71183

rchost.exe
http://www.bleepingcomputer.com/startups/rchost.exe-33.html

dmprimer.exe which goes along with rchost and cam.exe to my knowledge

O20 - AppInit_DLLs: RCEnumDD.dll
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: DM Primer (DMPrimer) - Unknown owner - C:\Program Files\CA\SharedComponents\DesktopCommonServices\DM Primer\dmprimer.exe" -DMPRIMER_SERVICE_: (file missing)
O23 - Service: Unicenter Remote Control Host (rcHost) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Remote Control\rcHost.exe

In fact all the Unicenter stuff unless you yourself installed it. Someone else will prolly be along to help a little more.

P.P.S. smss.exe and spoolsv.exe are needed in Windows. smss.exe is for networking and spoolsv.exe is for printing.
 