#16
If you wait to remove your infection, it will probably morph and it may be more difficult to deal with. The removal instructions are safe. AboutBuster has a fairly good success rate, but this is a difficult infection to remove!
Firefox is a great browser. You won't regret giving it a try. Tom
__________________
HijackThis | Ad-aware | Spybot Search & Destroy | SpywareBlaster | SpywareGuard | Housecall Online A/V Scan
Please read the stickys at the top of the forum before posting!
#17
A message to StartUpMan and Chief Wigs: Thanks for enlightening me about Firefox. I apologize for having doubts about installing a new browser and will soon be using Firefox, I'm sure! I think I was kinda paranoid about suggestions to download something new when I'd just been severely violated by CoolWebSearch! I have heard nothing but positives about Firefox from everyone, including my engineer son! He has it on his PC and uses both browsers! I now realize I was wrong in my estimation of an unknown browser!

Now for Tom MyBoy! Tom, I always follow your advice. I'm gonna try to have my engineer son walk me through the procedure on speakerphone, ASAP. I have (if you remember) two jobs Monday to Thursday! I've been running Ad-aware several times every day and removing the CWS trash on a constant basis. I'll report back as soon as I finish this procedure. Thanks to everyone who's tryna help this cyberdonkey.
#18
If you have any questions regarding the removal process, just holler! It's really quite straightforward. I understand your concern, but once again, about:Buster is extremely safe to use.
Tom
#19
Work done!
Here's my latest HijackThis log!

Logfile of HijackThis v1.97.7
Scan saved at 12:04:25 AM, on 9/29/2004
Platform: Windows 2000 SP5 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\winnt\System32\pctspk.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\tcpsvcs.exe
C:\winnt\system32\slserv.exe
C:\winnt\System32\snmp.exe
C:\winnt\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\winnt\Explorer.EXE
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\winnt\system32\myzgk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\winnt\system32\myzgk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\winnt\system32\myzgk.dll/sp.html#28129
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\user1\Application Data\Mozilla\Profiles\default\pnupqyfd.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D6686F2-1D4C-405E-8D00-4C23C7F08FB4}: Domain = earthlink.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D6686F2-1D4C-405E-8D00-4C23C7F08FB4}: Domain = earthlink.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{3D6686F2-1D4C-405E-8D00-4C23C7F08FB4}: Domain = earthlink.net

Here's my AboutBuster log!

Scanned at: 11:40:31 PM on: 9/28/2004
-- Scan 1 ---------------------------
about:Buster Version 3.0
Reference List : 15
ADS not scanned System(FAT)
Deleted 2 Service Keys Successfully!
Removed! : C:\winnt\acikkh.dat
Removed! : C:\winnt\atlct32.exe
Removed! : C:\winnt\winel32.exe
Removed! : C:\winnt\cruf.exe
Removed! : C:\winnt\crzc32.exe
Removed! : C:\winnt\cryy.exe
Removed! : C:\winnt\crmp.exe
Removed! : C:\winnt\crft32.exe
Removed! : C:\winnt\apict32.exe
Removed! : C:\winnt\ntqb.exe
Removed! : C:\winnt\crim32.dll
Removed! : C:\winnt\javanb.dll
Removed! : C:\winnt\winxb32.exe
Removed! : C:\winnt\crgi32.dll
Removed! : C:\winnt\apikb.exe
Removed! : C:\winnt\winpd32.dll
Removed! : C:\winnt\atlsh.exe
Removed! : C:\winnt\apiqj.exe
Removed! : C:\winnt\apint32.exe
Removed! : C:\winnt\atlfr32.exe
Removed! : C:\winnt\apikq.dll
Removed! : C:\winnt\mfcoh32.exe
Removed! : C:\winnt\sdkpn.exe
Removed! : C:\winnt\sdkfg32.exe
Removed! : C:\winnt\javatz.exe
Removed! : C:\winnt\apitj32.exe
Removed! : C:\winnt\atluu.dll
Removed! : C:\winnt\ieax32.dll
Removed! : C:\winnt\system32\atlas32.exe
Removed! : C:\winnt\system32\ntbg.exe
Removed! : C:\winnt\system32\appsi32.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
about:Buster Version 3.0
Reference List : 15

I hope I'm OK. Some of the html#28129 items had a different letter pattern in the original HijackThis scan and so I didn't check them. They are still present! You can see them above in my HijackThis log!! Let me know if I need to do some more removal! Thanks a million!
teacher4u
Tomorrow I install Firefox!

Last edited by teacher4u : September 29th, 2004 at 02:16 AM. Reason: typo
#20
The items below are the #28129 items which I didn't remove because the DLL file was "myzgk.dll" instead of "efpww.dll", which was on your list to be removed!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\winnt\system32\myzgk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\winnt\system32\myzgk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\winnt\system32\myzgk.dll/sp.html#28129

Do I need to run HijackThis again and remove the above items? Thank you!
teacher4u
#21
Boot into Safe Mode: Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Scan with HijackThis and put checks next to all the following, then click "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\winnt\system32\myzgk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\winnt\system32\myzgk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\winnt\system32\myzgk.dll/sp.html#28129

Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

Scan with Ad-aware and let it remove any bad files found.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

Reboot to normal mode, scan again with HijackThis and post a new log here.

Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Post a fresh HijackThis log and the AboutBuster report back here please.
Tom
#22
Tom, can I just delete the temporary and TIF files thru Accessories / System Tools / Disk Cleanup? There are some problems with cleanmgr! Thanks,
teacher4u
#23
Yes, no problem.
Tom
#24
Latest results! HijackThis + AboutBuster logs!

Logfile of HijackThis v1.97.7
Scan saved at 4:11:56 PM, on 9/29/2004
Platform: Windows 2000 SP5 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\winnt\System32\pctspk.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\tcpsvcs.exe
C:\winnt\system32\slserv.exe
C:\winnt\System32\snmp.exe
C:\winnt\system32\stisvc.exe
C:\winnt\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\HJT\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\user1\Application Data\Mozilla\Profiles\default\pnupqyfd.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D6686F2-1D4C-405E-8D00-4C23C7F08FB4}: Domain = earthlink.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D6686F2-1D4C-405E-8D00-4C23C7F08FB4}: Domain = earthlink.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{3D6686F2-1D4C-405E-8D00-4C23C7F08FB4}: Domain = earthlink.net

Here's AboutBuster's scan 9-29-04

Scanned at: 3:55:34 PM on: 9/29/2004
-- Scan 1 ---------------------------
about:Buster Version 3.0
Reference List : 15
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
about:Buster Version 3.0
Reference List : 15
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
#25
OK, you did it!
Good work!!!!

These are tools that will help keep you from getting infected again:

SpywareBlaster will block bad ActiveX and malevolent cookies.
http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
http://www.wilderssecurity.net/spywareguard.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

All are very small free programs. Occasionally check for updates.

Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary. Repeat this until you get the message "no critical updates available".
http://v4.windowsupdate.microsoft.com/

Please take a minute to read: So how did I get infected in the first place?
http://computercops.biz/postlite7736-.html

Tom
#26
Thanks for everything, Tom!
Tom, you'da man!
Jerry
#27
Thanks! Pleasure working with you!
Tom