Jump to content


Photo

about blank, maybe


  • Please log in to reply
7 replies to this topic

#1 Blake&039;s hipcheck rules&033;

Blake&039;s hipcheck rules&033;

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 11 June 2004 - 06:33 PM

Hi!

New here. Read FAQ's; think I'm allowed to post this here...

I am a registered user of EZBoards. When posting there, there is a spell-checker function which first opens a blank screen with "aboutblank" at the top, then opens my post within the spell-checker.

When spell-checking is done and I close that window, I'm back within the EZBoard posting screen. This is the only time I see "about blank." Am I missing something dangerous of which I should be aware? Or is this a "legitimate" about blank program?

(I've read a few other "about blank" posts, and I don't see a corelation.)

#2 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 11 June 2004 - 06:54 PM

It's very doubtful if you are infected with the imfamous "about:blank" coolweb variant. You would have more problems than enough!
As a check, download Hijack this
Copy it into its own folder, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 Blake&039;s hipcheck rules&033;

Blake&039;s hipcheck rules&033;

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 11 June 2004 - 06:59 PM

Thank you, I'll do that in a while. Glad to hear that I've got a "legitimate" aboutblank function.

If/when you have time, could you please explain to this newbie what "coolware" is?

Oops... I just noticed up at the top of this page that it says that I should go somewhere else to "check for anything suspicious." Sorry.

#4 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 12 June 2004 - 02:09 PM

No problem about posting here! It can be moved if needed.

Coolweb..... Hmmm...... I cannot really explain it in a message in a public forum! The admins would edit my post for obscene language!
It is an ad sponsored hijacker that redirects you to various sponsors sites. Very nasty to remove, in some of the latest variants.
A good description can be found in the cws chronicles by Merijn Bellekom, the writer of CWShredder.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#5 Blake&039;s hipcheck rules&033;

Blake&039;s hipcheck rules&033;

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 13 June 2004 - 12:50 AM

It's very doubtful if you are infected with the imfamous "about:blank" coolweb variant.  You would have more problems  than enough! 
As a check, download Hijack this
...  and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

O.K. Thank you for your help. (Absolutely no urgency in this.) Here it is:

Just curious, why did you tell me to copy HijackThis into a folder, instead of running it directly from the desktop icon?

Logfile of HijackThis v1.97.7
Scan saved at 23:44:24 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WFXSVC.EXE
C:\Program Files\Norton SystemWorks\WinFax\WFXMOD32.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINNT\System32\wfxsnt40.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\tpblx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmNT.exe
C:\Program Files\Norton SystemWorks\WinFax\WFXCTL32.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINNT\system32\spider.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijack This dupe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {058FC709-D5CD-4A95-92DB-59E6488ECDA4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rqtox] C:\WINNT\tpblx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmNT.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Norton SystemWorks\WinFax\WFXCTL32.EXE
O4 - Global Startup: MailWasher.lnk = C:\Program Files\MailWasher\MailWasher.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AdShield\AdShield\restrict.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: AdShield (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINNT\Java\ControlF1\STMeeting25.cab
O16 - DPF: {01112303-3E00-11D2-8470-0060089874ED} - http://www.comcastsu...oad/tgctlch.cab
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} - http://www.comcastsu...wnload/tgrc.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gate...//PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1086996955796
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/p...t/msnchat41.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberli...xp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://sc.communitie...t/msnchat42.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instants...rxsigned31b.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communitie...eUC/MsnUpld.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7574.9078472222
O16 - DPF: {A0983711-D8FD-11D0-B8E1-00A024B10B98} (XCavatorCtl Control) - http://img.cmpnet.co...06/XCavator.dll
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.longridge...sie/msichat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.nor...c/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://attmotive.bro...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.microsoft...hy/clearadj.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.c.../yiebio4025.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

#6 Blake&039;s hipcheck rules&033;

Blake&039;s hipcheck rules&033;

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 13 June 2004 - 12:59 AM

PS: I went to the information site you recommended, and then clicked here to learn how to get rid of the vulnerable Java Virtual Machine.

I have two questions:

I always say "no" when asked to "run Java applets?" so, I figure I'm pretty safe from infection?

As I consistenly read that messing with Registry is something a newbie ought not to do, is there anything involved with the removal of JVM which could get me into trouble?


#7 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 13 June 2004 - 07:39 AM

The reason for putting Hijack this into its own folder is that it automatically creates backups of each item it removes. Running it from the desktop means that these backup files will be scattered all over the desktop!

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: (no name) - {058FC709-D5CD-4A95-92DB-59E6488ECDA4} - (no file)

O4 - HKLM\..\Run: [rqtox] C:\WINNT\tpblx.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab

Reboot, and delete

files
C:\WINNT\tpblx.exe

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.

Your other point about Java, if you do not run any java applets, those cannot infect you, but there are other methods! Removing the Microsoft JVM, and replacing it with the Sun version is straightforward, but if you are not happy about editing the registry, then don't do it.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#8 Blake&039;s hipcheck rules&033;

Blake&039;s hipcheck rules&033;

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 15 June 2004 - 12:28 AM

The reason for putting Hijack this into its own folder is that it automatically creates backups of each item it removes. Running it from the desktop means that these backup files will be scattered all over the desktop! 

Thanks for that explanation; good to know for future reference.

Your other point about Java, if you do not run any java applets, those cannot infect you, but there are other methods!  Removing the Microsoft JVM, and replacing it with the Sun version is straightforward, but if you are not happy about editing the registry, then don't do it.

I guess what I was asking was, "if I follow the instructions for removing JVM to a tee, will I be o.k., or is there a possibility of me getting in over my head and messing up something critical?"




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button