CWS.Blank


Andries Jansen

Hello,

I'm trying to get rid of cws.blank.
My homepage is www.314zdec.biz/sextracker.html
When I hit the homepage button, the homepage is set to blank.

This is what I've tried:

Program | Result
CWShredder 2.12 | not infected
CoolWWWSearch.SmartKiller removal tool | not infected
Pestpatrol 151220004.4.4.4.80 | not infected
HitmanPro |
Only Spysweeper detects and removes cws.blank, but when I start IE cws.blank is back.
This is the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 11:09:12, on 29-12-2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton
AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\WUTemp\HijackThis19802.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
= Koppelingen
O3 - Toolbar: Norton Internet Security -
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common
Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center]
c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
- http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104185393402
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Thanx in advance
Andries
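
An added example, not part of the original posts: the HijackThis log above was hard-wrapped when it was pasted, so single entries span two or three lines. This sketch rejoins the wrapped lines and groups entries by their section code so the log can be read one entry at a time. The function names and the entry-code pattern are assumptions of this example, and the sample is constructed from lines in the log above.

```python
import re

# Entry codes as they appear at the start of HijackThis lines ("R0 - ", "O4 - ").
# The pattern is an assumption of this example, not taken from the tool.
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

# Constructed sample: lines copied from the log in the post, wrapped as posted.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.nl/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe

Thanx in advance
"""

def parse_entries(text):
    """Return [(code, body)] with wrapped continuation lines rejoined."""
    entries, open_entry = [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
            open_entry = True
        elif not line:
            open_entry = False            # a blank line ends the entry block
        elif open_entry:
            entries[-1][1] += " " + line  # the wraps fell on spaces
    return [tuple(e) for e in entries]

def by_code(entries):
    """Group entry bodies under their section code (R0, O4, O9, ...)."""
    groups = {}
    for code, body in entries:
        groups.setdefault(code, []).append(body)
    return groups

def ie_start_pages(entries):
    """Values of the R0/R1 'Start Page' settings recorded in the log."""
    return [b.split("=", 1)[1].strip() for c, b in entries
            if c in ("R0", "R1") and "Start Page" in b and "=" in b]

if __name__ == "__main__":
    print(by_code(parse_entries(SAMPLE)))
```

Text after the first blank line that follows the entries, such as the sign-off, is ignored rather than appended to the last entry.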
 

Don Varnau

Hi,
There are several versions of AboutBlank in circulation. You will probably
have to try a number of these procedures.

I've read a report that Panda Titanium Anti-virus can remove this. See:
http://www.pandasoftware.com/products/titanium2004/ You can try the product
before you buy it.

It probably won't remove this hijack, but try Ad-aware SE
http://www.lavasoft.de/software/adaware/ Install Ad-aware, then search for
updates before using the program.

- - - - - -
More difficult manual removal methods:

AumHa Forums- res [random].dll-sp.html CWS Variant:
http://forum.aumha.org/viewtopic.php?t=6207
and
http://forum.aumha.org/viewtopic.php?t=6466
Computer Cops - aboutblank:
http://computercops.biz/article-5199-nested-0-0.html
Removing the AboutBlank Virus
http://www.akadia.com/services/about_blank_virus.html
AboutBlank homepage- Security at DaniWeb computer support:
http://www.daniweb.com/techtalkforums/thread5531.html
PC Hell-homepage changing to res--random.dll-index.html:
http://www.pchell.com/support/onlythebest.shtml

Security tips and other useful information at
http://mvps.org/winhelp2002/unwanted.htm
More information at http://www.aumha.org/a/quickfix.htm
and http://www.mvps.org/inetexplorer/Darnit.htm

If those procedures don't remove the malware, HijackThis should be used to
post a log to the appropriate forum at one of these sites.
HijackThis instructions and download:
http://www.tomcoyote.org/hjt/
http://www.aumha.org/downloads/hijackthis.exe
Additional information at
http://www.aumha.org/a/parasite.php#hjt

Forums:
http://forum.mvps.org/ Excellent, fairly prompt help. Visit
http://forum.aumha.org/viewtopic.php?t=4075 before posting the log.

http://castlecops.com/forum67.html&sid=57adff15a7c93e9e1ed2f1415a696c47
http://tomcoyote.com/forums/
http://www.lavasoftsupport.com/
http://www.spywareinfo.com/forums/
http://boards.cexx.org/
http://www.wilderssecurity.com/index.php


Good luck. Hope this helps,
Don
MVP IE/OE


Andries Jansen said:
Hello,

I'm trying to get rid of cws.blank.
My homepage is ww_w.314zdec.biz/sextracker.html
When I hit the homepage button, the homepage is set to blank.

This is what I've tried:

Program | Result
CWShredder 2.12 | not infected
CoolWWWSearch.SmartKiller removal tool | not infected
Pestpatrol 151220004.4.4.4.80 | not infected
HitmanPro |
Only Spysweeper detects and removes cws.blank, but when I start IE cws.blank is back.
This is the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 11:09:12, on 29-12-2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
[SNIP]

Thanx in advance
Andries
 
