Problem: About:Blanc



Dutch-Girl
2006-09-13, 14:29
Hello members of the Spybot team,

My IE browser is infected with About:Blanc. I just found out that I have an illegal version of Windows XP. I bought this computer secondhand. I don't have the financial ability to buy a legal version yet.
So my first question is whether it is possible to just upgrade my XP version with a legal XP/SP2 upgrade?

I hope that you can help me to fix my problem with About:Blanc. First I give you the log of the online scan from Panda:

Incident Status Location

Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mila\Application Data\Mozilla\Firefox\Profiles\flxq94ue.default\cookies.txt[.as-eu.falkag.net/]

Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\mila\Application Data\Mozilla\Firefox\Profiles\flxq94ue.default\cookies.txt[.bravenet.com/]

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\mila\Application Data\Mozilla\Firefox\Profiles\flxq94ue.default\cookies.txt[.com.com/]

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\mila\Application Data\Mozilla\Firefox\Profiles\flxq94ue.default\cookies.txt[.statcounter.com/]

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\mila\Application Data\Mozilla\Firefox\Profiles\flxq94ue.default\cookies.txt[.xiti.com/]

Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\mila\Application Data\Mozilla\Firefox\Profiles\flxq94ue.default\cookies.txt[landing.domainsponsor.com/]

Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\mila\Application Data\Mozilla\Firefox\Profiles\flxq94ue.default\cookies.txt[stat.onestat.com/]

Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\mila\Application Data\Mozilla\Firefox\Profiles\flxq94ue.default\cookies.txt[www48.seeq.com/]

Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\mila\Cookies\mila@bravenet[1].txt

Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\mila\Cookies\mila@landing.domainsponsor[1].txt

Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\mila\Cookies\mila@metriweb[1].txt

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\mila\Cookies\mila@searchportal.information[2].txt

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\mila\Cookies\mila@server.iad.liveperson[1].txt

Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\mila\Cookies\mila@stat.onestat[2].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\mila\Cookies\mila@statcounter[2].txt

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\mila\Cookies\mila@xiti[1].txt



After the online scan I updated and ran Spybot S&D version 1.4 in Safe Mode. The scan was clean.

Then I scanned with HijackThis. So now I give you the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:30:06 AM, on 9/13/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/?di&from=start.home.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: stmv Class - {88F0D89E-3536-4F90-B1F6-CB55F86FD14E} - C:\WINDOWS\System32\wmvddk.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Openen in een nieuwe achtergrondtab - res://C:\Program Files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/229?74ba4af2775444828734f3041c966eba
O8 - Extra context menu item: Openen in een nieuwe voorgrondtab - res://C:\Program Files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/230?74ba4af2775444828734f3041c966eba
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/nl/4,0,0,90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/nl/1,0,0,23/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game03.zylom.com/activex/zylomgamesplayer.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common

I hope you can help me to fix this problem (or problems). I would like to thank you already just for trying.

Greetings from an unknowing Dutch girl

Dutch-Girl
2006-09-15, 13:03
Hello there,

I wanted to add something to my post, but there is no "edit" button in that post. And the posting rules say that I may not edit my posts. So what can I do? Should I wait until one of you can help me, or can I just place another post below my first post?

Thank You.

Dutch-Girl
2006-09-17, 17:08
Hello again,

I want to make my computer safe by upgrading Windows XP Pro, because my current XP isn't genuine.

But I read in a topic from tashi that you may not upgrade to SP2 before the computer is clean of infections:

http://forums.spybot.info/showpost.php?p=25290&postcount=4

Tomorrow I would be able to buy an upgrade for Windows XP Pro, but before I do that I must be sure that one of you can help me to clean my computer.

So can someone please help me?

LonnyRJones
2006-09-17, 20:30
Hello

I would like a copy of this file first, if at all possible:
C:\WINDOWS\System32\wmvddk.dll
Attach it here please, and let me know when you have.
http://www.thespykiller.co.uk/forum/index.php?board=1.0


Start HijackThis and place a check next to these items, if they are there.

O2 - BHO: stmv Class - {88F0D89E-3536-4F90-B1F6-CB55F86FD14E} - C:\WINDOWS\System32\wmvddk.dll
====================================
Hit "Fix checked" and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Any problems now?
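
The triage step the helper performs above (spotting the one BHO that does not belong among the others in the log) can be done mechanically over the HijackThis lines quoted in this thread. The script below is an added example and not part of the thread or of HijackThis; the sample lines are copied from the log above, and the small allowlist of Windows-shipped System32 components is an assumption made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: O2/O3 lines in HijackThis v1.99.1 format, copied from the
# log posted earlier in this thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: stmv Class - {88F0D89E-3536-4F90-B1F6-CB55F86FD14E} - C:\\WINDOWS\\System32\\wmvddk.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\System32\\msdxm.ocx
"""

# "O2 - BHO: <name> - {CLSID} - <path>"  /  "O3 - Toolbar: <name> - {CLSID} - <path>"
LINE_RE = re.compile(
    r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$"
)

# Assumption for this example: Windows-shipped shell components that legitimately
# live directly under System32. Third-party BHOs normally install under Program Files,
# so anything else loading from System32 deserves a second look (as wmvddk.dll did).
KNOWN_SYSTEM32 = {"msdxm.ocx", "shdocvw.dll"}


@dataclass
class Entry:
    section: str   # "O2" or "O3"
    name: str      # display name, or "(no name)"
    clsid: str     # registered CLSID in braces
    path: str      # DLL/OCX path, or "(no file)"


def parse(log: str) -> list[Entry]:
    """Return every O2/O3 line of a HijackThis log as an Entry; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def triage(entries: list[Entry]) -> list[tuple[Entry, list[str]]]:
    """Flag entries a helper would ask about, with a reason for each."""
    flagged = []
    for e in entries:
        reasons = []
        if e.path == "(no file)":
            reasons.append("orphaned registration: no file on disk")
        else:
            low = e.path.lower()
            fname = low.rsplit("\\", 1)[-1]
            if "\\system32\\" in low and fname not in KNOWN_SYSTEM32:
                reasons.append("third-party BHO/toolbar loading from System32")
        if reasons:
            flagged.append((e, reasons))
    return flagged
```

Running `triage(parse(SAMPLE_LOG))` returns the wmvddk.dll BHO and the orphaned toolbar entry, the two lines a helper would ask about first.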

Dutch-Girl
2006-09-18, 14:35
Hello LonnyRJones,

First of all I want to thank you for your time.

I tried to make a copy of the file you asked me for, but I couldn't open or copy it.

So I ran HijackThis and checked and deleted the item:

O2 - BHO: stmv Class - {88F0D89E-3536-4F90-B1F6-CB55F86FD14E} - C:\WINDOWS\System32\wmvddk.dll

After rebooting my computer nothing changed.


The About:Blanc page is in the back of my browser. I can't see it until I close my IE; then it appears for a second and disappears again. Sometimes IE stops working completely and I have to reboot my computer to start again.

Then I get a message that my system recovered from a serious problem.
The error report is:

BCCode: 1000008e BCP1: 80000004 BCP2: 804FA46D BCP3:FOOD62D0
BCP4: 00000000 OSVer: 5_1_2600 SP: 0_0 Product: 256_1

The technical information about the error report:
C:\WINDOWS\Minidump\Mini 091706-03.dmp
C:\DOCUME~1\MILA\locals~1\Temp\WER1.tmp.dir00\sysdata.xml



I think that the message above has to do with the illegal XP on my computer.


Can I now upgrade my XP version, without problems? Or is it not clean yet?
If you want a new HijackThis log or another scan to make sure of it, please let me know. I want to work on a safe and genuine computer as soon as possible.

Thank you very much,
Dutch-Girl

LonnyRJones
2006-09-18, 17:27
Hi

Now that we fixed that BHO and it has been a few hours, are there any hijacks or redirects when searching, or other problems?

Dutch-Girl
2006-09-18, 21:19
Hello,

I guess I don't have that problem anymore, but IE is still not working well. When I opened multiple tabs, IE got stuck and I got a blank page with no name. After a few seconds I got a message about an error report with a different technical report than the one I put in my last post.

Also, MSN Live Messenger is not starting automatically like it did before. I had to reboot my computer, and the second time it started MSN automatically. The third time not, and the fourth time it started automatically again.

I don't have any more problems that I'm aware of.

Do you think that my computer is clean now?

LonnyRJones
2006-09-18, 21:42
It sounds like perhaps you need to go through and check the settings for whoever is your internet provider and the settings within MSN Live Messenger.

Please do go get a legal copy of Windows.

I suggest you check here and possibly contact them to find out how without having to reinstall Windows completely:
http://www.microsoft.com/genuine/downloads/FAQ.aspx

Dutch-Girl
2006-09-18, 21:47
Thank you!

I bought a legal product key today. So I'm going to install it now. I hope everything goes all right.

I will let you know when it's done, okay?

Thank you again for the time you spent on me.

With kindest regards,

Dutch-Girl

LonnyRJones
2006-09-18, 21:49
"I bought a legal product key today"

Fantastic.

Do some research first; I think you can just use the product key and not have to install Windows.

Dutch-Girl
2006-09-18, 22:05
I don't know for sure if it's just a licence code; I'm not an expert, but the people at the computer shop where I bought the "OEM software" told me that I just had to put in the CD and then fill in the product code, and after doing that it would be a legal XP.

So I hope that everything is going alright.

Dutch-Girl
2006-09-21, 01:10
Hi there,

It worked; I have genuine Windows now. It took some time to find out what to do, because I'm not so good with computers. I had to install Windows XP Professional completely.
The good thing about that is that my XP is now in Dutch, and before it was in English.

LonnyRJones, I want to thank you for your help and time.

I hope I won't be back soon, because most of the time that return would be for another problem with the computer.

With kindest regards,

Dutch-Girl

LonnyRJones
2006-09-23, 10:46
Fantastic, I'm sure glad you were able to do that.

Think prevention: put in place a good hosts file.
http://www.mvps.org/winhelp2002/hosts.htm
How to download and extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection, see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

tashi
2006-09-28, 23:10
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread. :)

Applies only to the original topic starter.