Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Please Help To Get Rid Of About:blank

Started by daweb , Mar 14 2005 11:03 AM

  • This topic is locked This topic is locked
6 replies to this topic

#1 daweb

daweb

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 14 March 2005 - 11:03 AM

Hello, It's great to have a forum like this! This is the second time in a month or so that this computer has had the About:Blank screen pop up. I thought I got rid of it the first time by running CWShredder, Spybot, and Adware Away. I'm not sure if I got completely rid of it or not? Anyhow, I'm not having much luck with it this time and around and found this forum. Hope you folks can help me out. This is the second time I ran HijackThis. The first time I went through with the tutorial and Merijn.org to figure what to fix. After doing so, it all came back again. Also, I read somewhere that the last entry is a problem and it needs to be deleted from the registry but I don't know where in the registry to look for it. O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\ieaw32.exe (file missing) Thanks for your time and help! :) Debbie Logfile of HijackThis v1.99.1 Scan saved at 11:18:11 AM, on 3/14/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Dell\OpenManage\Client\Iap.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\crqc.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\WINDOWS\system32\Osaptp.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\crmr32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\interMute\SpySubtract\SpySub.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\ccompliment\Local Settings\Temporary Internet Files\Content.IE5\ATUNA1IJ\HijackThis[1].exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129 R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {7FF827C3-DF9E-38DE-6A6A-C21E847B30E4} - C:\WINDOWS\ntsp.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Osaptp.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [crmr32.exe] C:\WINDOWS\system32\crmr32.exe O4 - HKLM\..\RunOnce: [crqc.exe] C:\WINDOWS\system32\crqc.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing) O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU) O15 - Trusted Zone: *.frame.crazywinnings.com O15 - Trusted Zone: *.static.topconverting.com O15 - Trusted Zone: *.awmdabest.com (HKLM) O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com O17 - HKLM\Software\..\Telephony: DomainName = Admin.MiracleCorp.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\ieaw32.exe (file missing)

    Advertisements

Register to Remove

#2 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 16 March 2005 - 08:32 PM

Welcome to the forum.

Please move HJT into its own permanent folder so backups can be made incase of a mistake - Suggest:
C:\MyHJT\HJT.exe or C:\MyDocuments\MyHJT\HJT.exe

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip
AboutBuster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.

Download and unzip cwsserviceremove to your desktop. use link below:
http://lineofire.gee...rviceremove.zip

Download CW-Shredder at the link below:
http://cwshredder.ne.../CWShredder.exe

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Network Security Service (NSS)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you dont find this service listed go ahead with the next steps.

2. Reboot into Safe Mode

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

crqc.exe
Osaptp.exe
crmr32.exe

If you find the files, click on them, and then click End Process => Exit the Task Manager, if not continue on.

4. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nlqii.dll/sp.html#28129
O2 - BHO: (no name) - {7FF827C3-DF9E-38DE-6A6A-C21E847B30E4} - C:\WINDOWS\ntsp.dll
O4 - HKLM\..\Run: [crmr32.exe] C:\WINDOWS\system32\crmr32.exe
O4 - HKLM\..\RunOnce: [crqc.exe] C:\WINDOWS\system32\crqc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Osaptp.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\ieaw32.exe (file missing)

Click on Fix Checked and exit HijackThis.

5. Run AboutBuster . This will scan your computer for the bad files and delete them. It will ask to scan the system again, let it. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

6. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

7. Double click on the cwsserviceremove and when asked to merge say yes.

8. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

9. Reboot into normal mode.

10. Download and run this online virus scan:
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean"

11. Reboot and post a fresh HJT log back here by using the add reply button below, and lets see how we did, MrC

#3 daweb

daweb

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 23 March 2005 - 08:48 AM

Thanks for responding. However, an additional problem is that I cannot follow the instructions provided because I keep getting the following error: Explore.EXE-Application Error, "The instruction at "0x0254f065" referenced memory at )x00000000". "The memory could not be written" "Click on OK to terminate the program" "Click on cancel to debug the program" I get this when I try to access My Computer, Control Panel, Windows Explorer, and when I try to download the Anti-Spyware programs. I've search around on Google for likely causes and solutions. I've tried running a System Restore and I keep getting a message that it can't restore from the date selected. I've also tried running Start/Run/sfc /scannow. I'm really clueless about this and heavily rely on what I can find on the web and advice on forums. I'd really appreciate some help here. Thanks for your time! Deb

#4 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 23 March 2005 - 07:40 PM

I personally don't know, I'm not a XP expert.

I went to Google and used this to search:

The memory could not be written  Click on OK to terminate the program


and came up with these, there's many more to look at so try the search.

http://www.geekstogo...tten-t4911.html

http://www.winportal...p?ObjectID=4318

Let me know, MrC

#5 daweb

daweb

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 11 April 2005 - 07:56 AM

MrCharlie, Yes, I actually had tried all of those things before reading your post without success. It's been put on the backburner the last couple of weeks. I'm not sure where to get the help I need. In bit of a quandary. Thanks for your help, Deb

#6 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 11 April 2005 - 05:29 PM

Some of these infections modify some Windows files, here's a link to them, see if it applies:
http://www.spywarein...n/winfiles.html

You may also want to check out the System File Checker:
http://www.updatexp....cannow-sfc.html

Do you have a good restore point?
http://www.webtree.c...p/repair_xp.htm

Let me know, MrC

#7 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 08 May 2005 - 02:01 PM

Due to inactivity this topic will be closed.
If you need help please start a new thread and post a new HJT log

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·