Hi there. I seem to have picked up a similar problem to many of the users here - IE now defaults to an address "about:blank". My virus software (CA's eTrust EZ Antivirus) is reporting I'm infected with Winshow.AY & AZ.
Having downloaded & run HijackThis - the results are:-
Any help will be extremely well received. Many thanks.
Logfile of HijackThis v1.99.1
Scan saved at 15:20:38, on 25/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Hijackthis\HijackThis.exe
Please download APM from here. Also download and install Ad-aware from here.
Once you have installed Ad-aware, run the program and in the bottom right hand corner click 'Check For Updates'. Update Ad-aware following the prompts and then close the program, we will use it later.
Right click the DelDomains.inf file inside and click Install, making sure Internet Explorer is closed. You won't see anything happen, it performs a silent process.
Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both provide. For SpywareBlaster, run the program and 're-enable all protection'. For IE/Spyads, run the batch file and reinstall the protection.
Download about:Buster from here. We'll use this later.
There is an entry in your HijackThis log which I need you to make a note of when you run HijackThis again following the instructions below. The O2 BHO with 'no name' is the root of this infection. Please note that this filename can change on successive reboots. In your current log above it is:
O2 - BHO: (no name) - {C2D7E58E-EB57-9656-3397-96581EDBB05C} - C:\WINNT\netzc32.dll<--note filename on the end
You will need to alter the APM instructions below accordingly if the filename has changed.
Disconnect from the internet, run HJT again and checkmark the boxes next to the following:-
Run about:Buster
Close ALL windows and browsers. This is a very important step!!
Click on 'Check for updates' and download any new reference file.
Now click on 'Start'. When the scan has finished let it scan again.
Save the report it produces to notepad and post its contents in your next reply.
Navigating with Windows Explorer (Windows Key + e)
Delete the following files in bold:
C:\WINNT\netzc32.dll <--Or whatever it may have changed to
C:\WINNT\tarwc.dll
Now open Ad-Aware SE and configure with the following settings:
1. Close ALL windows except Ad-Aware SE.
2. Click on the Gear icon (second from the left at the top of the window) to access the preferences/settings window.
3. In the GENERAL window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)
-Under Definitions: *Prompt to update outdated definitions - set the number of days
4. Click on the SCANNING button on the left and select in green :
-Under Driver, Folders & Files: *Scan Within Archives
-Under Select drives & folders to scan: *choose all hard drives
-Under Memory & Registry: (all green) *Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URLs
*Scan my Hosts file
5. Click on the ADVANCED button on the left and select in green:
-Under Shell Integration: *Move deleted files to recycle bin
-Under Logfile Detail Level: (all green) *include additional object information
*DESELECT - include negligible objects information
*include environment information
-Under Alternate Data Streams: *Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT
6. Click the TWEAK button and select in green:
-Under the Scanning Engine: *Unload recognized processes during scanning
*Scan registry for all users instead of current user only
-Under the Cleaning Engine: *Let Windows remove files in use at next reboot
-Under the Log Files: *Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check and make Green: Include Module list in logfile
7. Click on PROCEED to save the settings.
8. Click Start
*Choose: 'Perform Full System Scan' *DESELECT "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat.
9. Click Next and Ad-Aware SE will scan your hard drive with the options you have selected and clean automatically.
10. If Ad-Aware SE finds bad entries in the registry or bad files, you will receive a list of what it found in the window. Right click on any of the bad entries and click on 'select all'.
11. Click finish
12. When finished, mark everything for removal and get rid of it.
(Right-click the window and choose Select All from the drop down menu and click Next).
13. Close Ad-Aware SE.
Then click on Start > Run and type cleanmgr into the run box.
Make sure Temporary Files, Temporary Internet Files and Recycle Bin ONLY are checkmarked and click 'OK'.
Then on Internet Explorer, click on Internet Options->Programs->Reset Web Settings button to restore the default homepage and search settings to whatever you prefer.
Reboot and run two online virus scans from any of the following locations and post a summary of their findings in your next reply along with a fresh HijackThis log and the report from about:Buster.
I've copied everything to the letter, but come across an issue.
When I came to run HJT, the entries had changed slightly from the submission I sent you so I was unable to check against:-
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
None of these entries existed. The actual HJT logfile at this point is attached as Highjackthis2.txt
I checked all of the other entries as requested & clicked fix - all ok.
Came to run APM, clicked on 1524 c:\winnt\explorer.exe in top window, but no c:\winnt\netzc32.dll in bottom window.
Ran HJT again in case it had changed its name as you suggested and it had to c:\winnt\system32\crmq.dll.
However, ran APM again, clicked on c:\winnt\explorer.exe in top window but there is no reference of c:\winnt\system32\crmq.dll in the bottom window (or netzc32.dll).
crmq.dll does exist in Windows explorer - 101KB.
(netzc32.dll does not exist but c:\winnt\netzc32.exe does! It is 0KB. There are an amazing number of other similar named files of 0KB. 310 of them in fact!)
So, tried again. Ran HJT (logfile attached called highjackthis3.txt) and checked against:-
All ran OK.
Again ran APM, no reference of crmq.dll against Explorer.
Looked for the file and it no longer exists.
Ran HJT again and things look very similar - highjackthis4.txt. The problem file is now called C:\WINNT\netqw.dll but again no reference to it against explorer.exe in APM. A little stuck now??
Thanks so much for your help so far. Am going to do very little with the PC until I receive another reply from you. Don't want to confuse matters.
I've never had any problems with APM before so I'm not exactly sure what's going on there.
We'll try another way. Once again check the filenames are the same as below in your HijackThis log before you fix them. Your latest log suggests the infection has gone full blown now with the addition of an O4 entry and an O23 service entry.
Please download about:Buster from here and install it to its own dedicated folder on your C: (Ex: C:\about Buster). Also download Killbox from here and unzip the contents of KillBox.zip to a convenient location. We'll use them later.
Click Start > Run > type services.msc, then click OK
Scroll down and right click on 'Network Security Service'.
Select 'Properties' and set the "Service Status" option to "Stop"
Set "Startup type" to "Disabled", click Apply, then OK.
Run HijackThis again and checkmark the following entries:
Close ALL windows and browsers and click FIX CHECKED
Double-click on KillBox.exe.
Click "Delete on Reboot".
Paste this file into the top "Full Path of File to Delete" box.
C:\WINNT\ymnhj.dll
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Delete on Reboot prompt.
Click "No" if asked if you want to reboot now.
Repeat the above steps for the following files.
Reboot into Safe Mode.
Tap F8 repeatedly when your machine starts to boot up.
Select 'Safe Mode' from the options that appear.
Run about:Buster
Close ALL windows and browsers. This is a very important step!!
Now click on 'Start'. When the scan has finished let it scan again.
Save the report it produces to notepad and post its contents in your next reply.
Then click on Start > Run and type cleanmgr into the run box.
Make sure Temporary Files, Temporary Internet Files and Recycle Bin ONLY are checkmarked and click 'OK'.
Reboot and run an online virus scan at TrendMicro and RAV. Let them fix/remove anything they find.
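The entries the helper keys on in the two posts above are the nameless O2 BHO whose DLL name changes between reboots, the O15 Trusted Zone additions, and the O23 service. The following is an added example, not part of the thread or of HijackThis itself: a small parser for those HijackThis 1.99.1 line formats that flags them and compares two logs to show the renamed BHO. The sample lines are constructed for the example (the CLSID and dropped filenames are the ones quoted in the thread; the benign BHO and its all-zero CLSID are placeholders).

```python
import re

# HijackThis 1.99.1 line formats for the entry types discussed in this thread.
_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
_O15 = re.compile(r"^O15 - Trusted (?P<kind>Zone|IP range): (?P<target>.+?) \((?P<hive>HK\w+)\)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample logs (not real captures): the first mirrors the thread's
# initial state, the second the state after a reboot renamed the BHO's DLL.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {C2D7E58E-EB57-9656-3397-96581EDBB05C} - C:\WINNT\netzc32.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINNT\d3nz32.dll
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {C2D7E58E-EB57-9656-3397-96581EDBB05C} - C:\WINNT\system32\crmq.dll
O15 - Trusted Zone: *.05p.com (HKLM)
"""

def parse_hjt(text):
    """Return the O2/O15/O23 entries of a HijackThis log as dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("O2", _BHO), ("O15", _O15), ("O23", _O23)):
            m = rx.match(line)
            if m:
                entries.append({"type": kind, "line": line, **m.groupdict()})
                break
    return entries

def flag_entries(entries):
    """Findings a helper would ask about: nameless BHOs, sites or IPs pushed
    into the Trusted Zone, and services whose binary is a DLL dropped
    directly in C:\\WINNT rather than a normal system path."""
    findings = []
    for e in entries:
        if e["type"] == "O2" and e["name"].lower() == "(no name)":
            findings.append(("nameless BHO, likely the hijacker", e["line"]))
        elif e["type"] == "O15":
            findings.append(("site/IP added to Trusted Zone", e["line"]))
        elif e["type"] == "O23" and re.match(r"^c:\\winnt\\[^\\]+\.dll$", e["path"], re.I):
            findings.append(("service loading a DLL dropped in C:\\WINNT", e["line"]))
    return findings

def nameless_bho_paths(text):
    """Map CLSID -> DLL path for every (no name) BHO in a log."""
    return {e["clsid"].upper(): e["path"] for e in parse_hjt(text)
            if e["type"] == "O2" and e["name"].lower() == "(no name)"}

def renamed_bhos(old_text, new_text):
    """CLSIDs whose DLL path changed between two logs: the 'filename can
    change on successive reboots' behaviour the helper warns about."""
    old, new = nameless_bho_paths(old_text), nameless_bho_paths(new_text)
    return {c: (old[c], new[c]) for c in old
            if c in new and old[c].lower() != new[c].lower()}
```

Running `renamed_bhos(LOG_BEFORE, LOG_AFTER)` shows the same CLSID now pointing at a different DLL, which is the check the helper asks the poster to do by hand before fixing entries.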
OK. Did everything you said apart from 1 thing - I think I forgot to "Set "Startup type" to "Disabled", click Apply, then OK." Sorry!
The file names that HJT found were called:-
R1s - c:\winnt\kkyii.dll
O2 - c:\winnt\sdkop32.dll.
I could delete kkyii.dll with Killbox but sdkop32.dll didn't seem to be there.
I've since run services.msc and the Network Security service is still there but when I click on it gives a "General internal error". I can get to the properties and it is still referencing c:\winnt\d3nz32.dll which we removed with Killbox. Also showing as 'Automatic' against 'startup type'.
Anyway, here is the Buster log. Did it a few times because it kept opening Windows explorer.
Scanned at: 16:01:06 on: 28/02/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
Scanned at: 17:17:38 on: 28/02/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
And here is the HJT log, just run.
Logfile of HijackThis v1.99.1
Scan saved at 18:06:24, on 28/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Feels like we're learning some stuff. Some of the error messages I was finding have disappeared. IE seems to run a little smoother although popups are still appearing.
Thanks again, promise to follow further help to the letter next time.
Click File> Save As. Click the drop down arrow next to Save as type: and select 'All files'. In the filename box type fix.reg and save it to a convenient location. Once saved, double click it and confirm that you want it to merge with the registry.
Install, update and scan your computer with Ad-Aware SE by following the instructions here. Remove everything the scan finds and then restart your machine.
Install, update and scan your computer with Spybot Search & Destroy by following the instructions here. Remove everything the scan finds and then restart your machine.
Download, install and run Crap Cleaner to clean out your temp files, temp internet files and recycle bin. Note: This will remove all login cookies unless individually retained via Options> Cookies.
Install the Google Toolbar from here. Not only is it an invaluable tool but incorporates a pretty good popup stopper as well.
Then post a fresh HijackThis log and let me know how things are running.
All done as you suggested. Very early days but things appear to be running far quicker and no error messages being reported so far. Yippeeee.
Here is the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 10:58:27, on 01/03/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
If you think I should do anything else, please let me know.
Also, all I have running is a fairly old McAfee virus checker running. Enterprise version installed from my old work.
Can you recommend any firewall / security software to download/purchase that should protect me in future?
Hi - bit more info.
I logged out as administrator and back in as my own user.
All not quite perfect. I ran Ad-aware & Spybot. Both found stuff that I removed.
My McAfee also found c:\!submit\d_deiter.exe and described it as a Dialer-Gen virus. This is the original one I started to notice. It seems to create an executable mkc001.exe. I deleted both of these files with Killbox.
Not sure if all healthy or not. IE seems to be running ok and so far Google toolbar has blocked 1 pop-up.
Again here is the latest HJT log - again run from my user login, not administrator. Am I in the clear or is there more to do?
Thanks again.......
Logfile of HijackThis v1.99.1
Scan saved at 13:13:59, on 01/03/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Hi. Did all as you suggested apart from I couldn't delete C:\winnt\ymnhj.dll
Used Killbox to do it and the file just didn't exist. That file always seems to be removed/renamed after every HJT Fix.
The results of the RAV scan are a little worrying, attached in file Rav report.txt. The first one it finds is 'c:\deiter.chm' which does seem to be causing the/some problems. Is there anything I ought to do about that one?
Below is the HJT log. Thanks again.
Logfile of HijackThis v1.99.1
Scan saved at 07:44:49, on 02/03/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)