About:Blank Removal Success sp.html


7 replies to this topic

#1 lorenb

Posted 28 June 2004 - 02:43 PM

Hey Gang,
I had the same problems a lot of you are having with the about:blank trojan. My personal variant was creating a webpage called SP.HTML; it had 2 DLLs, one hidden and one more obvious. I FINALLY got rid of the damn thing this morning, and I would like to share my method with you guys.

If you are reading this, you know the symptoms, popups about spyware, hijacked homepage, slow system, etc.

Here is what you are going to need:
Registrar Lite: Available Here

This will help you id the pesky hidden DLL

FINDnFIX: Get it here

AdAware 6: AdAware

HiJackThis: Download Here

I think that's it...

Now here is what I did:

Open Registrar Lite and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

In the window on the right you should see AppInit_DLLs. Click that; when the popup box comes up, under 'value' you should see the name of a DLL file. Mine was called MCDeo.dll. I have seen a number of posts that recommend changing the file name in this window, but that did not work for me. This step just lets you ID the file name. Remember it, write it down, whatever you gotta do.

Next step: run FINDnFIX. Once you click the !LOG!.bat, it will display a text file showing you the name of the infected file; it should be the same one you saw in Registrar Lite.

Edit the MOVEit.bat file of FINDnFIX to read like this:

move %WinDir%\System32\wdmcdeo.dll %SystemDrive%\junkxxx\wdmcdeo.dll

You will need to substitute the name of your bad DLL for mine. In some cases this will remove the DLL and you may have an easier time. Don't run it yet.

Click the FIX.bat and let your PC reboot. This may solve part of your problem; it did not work correctly for me though.

Initially, when I searched my drive I was unable to see the hidden DLL even after un-hiding all the files; FINDnFIX made it visible. Do a search and see if you can see the file. Once you locate it, right click on it and select Properties. In the Properties tab, select Security, and give "Full Control" to Everyone. Now uncheck the Read-only box. If you can't do it because it is in use, boot to safe mode, then do it. Once the Read-only box is unchecked, delete the file. We are about halfway there.

Go to your system folder; I have Windows 2k, so mine is C:\winnt\system32. Sort the files by date and look for the newest DLL. It will probably have a random name; mine was RJGFK.DLL. Right click, uncheck Read-only, and delete it. You may have to do it in safe mode, and you might as well do it at the same time you dump the hidden one, or it may come back.

Run HiJackThis and get rid of all the R's, just like it says in all the other posts.

Run AdAware and delete whatever pops up.

Empty the recycling bin.

That should do the trick.

If you have problems accessing the files, boot to safe mode and do it all from there. Just be aware that both of the DLLs need to get dumped, or they will rebuild each other, and you will never get your homepage back.

Special thanks to whoever came up with FINDnFIX; without that I never would have been able to see the hidden DLL, and I was about to take a steamroller to my laptop.

THANKS!!!!
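The procedure above boils down to one persistence point: the AppInit_DLLs value under the Windows key, and the attributes (hidden, read-only) that kept the listed DLL out of sight. As an added example, not code from lorenb's post or from any of the tools he names, here is a Python audit of that value. The analysis functions are pure and run anywhere; collect_live() uses the winreg module and so only works on Windows. The sample DLL name, path and timestamps are constructed to model the thread, not taken from a real system.

```python
"""Audit the AppInit_DLLs persistence point the procedure above targets.

Added example, not code from the thread or from the tools it names. The
analysis functions are pure; collect_live() reads the real registry and
file system and therefore only runs on Windows.
"""
import ntpath
import os
import sys
import time
from dataclasses import dataclass

APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# Win32 file attribute bits (Windows SDK constants).
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


@dataclass
class DllInfo:
    path: str        # path as the loader would resolve it
    exists: bool
    attributes: int  # Win32 attribute bits, 0 when unknown
    mtime: float     # last-modified time, epoch seconds, 0.0 when unknown


def parse_appinit_value(value: str) -> list:
    """AppInit_DLLs is a single REG_SZ holding zero or more DLL names
    separated by spaces or commas; a clean system has it empty."""
    return [p for p in value.replace(",", " ").split() if p]


def resolve(entry: str, system32: str) -> str:
    """A bare file name is loaded from the system directory; an absolute
    path is used as written. ntpath gives Windows semantics on any OS."""
    return entry if ntpath.isabs(entry) else ntpath.join(system32, entry)


def assess(info: DllInfo, now: float, recent_days: int = 7) -> list:
    """Findings for one listed DLL: the attributes the post had to clear by
    hand (hidden, read-only) plus a recent modification time."""
    findings = ["listed in AppInit_DLLs (empty on a clean system)"]
    if not info.exists:
        findings.append("file not found: stale value, or file hidden from the API")
        return findings
    if info.attributes & FILE_ATTRIBUTE_HIDDEN:
        findings.append("hidden attribute set")
    if info.attributes & FILE_ATTRIBUTE_SYSTEM:
        findings.append("system attribute set")
    if info.attributes & FILE_ATTRIBUTE_READONLY:
        findings.append("read-only attribute set")
    if info.mtime and now - info.mtime < recent_days * 86400:
        findings.append(f"modified within the last {recent_days} days")
    return findings


def audit(value: str, lookup, system32: str, now: float) -> dict:
    """lookup(path) -> DllInfo. Returns {resolved_path: [findings]};
    an empty AppInit_DLLs value yields an empty dict."""
    return {
        path: assess(lookup(path), now)
        for path in (resolve(e, system32) for e in parse_appinit_value(value))
    }


def collect_live() -> dict:
    """Windows only: read the live value and stat each DLL it names."""
    import winreg  # standard library, Windows only
    system32 = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        except FileNotFoundError:
            value = ""

    def lookup(path: str) -> DllInfo:
        try:
            st = os.stat(path)
        except OSError:
            return DllInfo(path, False, 0, 0.0)
        return DllInfo(path, True, getattr(st, "st_file_attributes", 0), st.st_mtime)

    return audit(value, lookup, system32, time.time())


# Constructed sample modelled on the thread: a hidden, read-only DLL named in
# AppInit_DLLs on a Windows 2000 box. Name, path and times are made up.
SAMPLE_SYSTEM32 = r"C:\WINNT\system32"
SAMPLE_NOW = 1_088_400_000.0  # late June 2004
SAMPLE_FILES = {
    ntpath.join(SAMPLE_SYSTEM32, "wdmcdeo.dll"): DllInfo(
        ntpath.join(SAMPLE_SYSTEM32, "wdmcdeo.dll"), True,
        FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM,
        SAMPLE_NOW - 2 * 86400),
}


def sample_lookup(path: str) -> DllInfo:
    return SAMPLE_FILES.get(path, DllInfo(path, False, 0, 0.0))


if __name__ == "__main__":
    report = (collect_live() if sys.platform == "win32"
              else audit("wdmcdeo.dll", sample_lookup, SAMPLE_SYSTEM32, SAMPLE_NOW))
    if not report:
        print("AppInit_DLLs is empty: nothing is loaded this way.")
    for path, findings in report.items():
        print(path)
        for line in findings:
            print("  -", line)
```

Run it as Administrator on Windows to audit the live machine; elsewhere it reports on the constructed sample. It reads only the native key, so on 64-bit Windows the Wow6432Node copy that 32-bit processes consult is not covered.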

#2 basketball13

Posted 28 June 2004 - 04:03 PM

Hello lorenb, I seem to be having the same problem: about:blank is my homepage, annoying banners popping up all the damn time, and not to mention slowing down my computer. I have downloaded all the items you say you need to fix it, but I'm very new to this, really a novice, so I was wondering if there was any way we could talk, maybe on AIM or something, so you could help me through this. Thank you for your time. My computer is upsetting me.

#3 lorenb

Posted 28 June 2004 - 04:13 PM

Hey Basketball13,

Try following the directions I posted and see how it works out. If you are still having a bunch of problems, post a log from HiJackThis so we can take a look at this. I am not an expert by any means; it took me 5 days to get rid of this thing.

Posting here is probably your best bet, that way you can get insight from a lot of people, a majority of them probably have more knowledge on the subject than I do anyway. Good luck, and post that log.

#4 wop

Posted 28 June 2004 - 05:41 PM

I think I'm almost there, but when you say edit the moveit.bat file and replace the name of your bad file with my bad file, you have 'wd' in front of your dll name. My dll is called res.dll, and I know it's it because it's the exact same size as all the other trojans that people have been posting. So, being that, how would mine look with that command with a .dll file called res.dll?
thank you
YOU DA MAN!

#5 wop

Posted 28 June 2004 - 06:27 PM

OK, now I have a problem: I can't get the Security tab to come up on Properties unless I'm in safe mode, but then I can't check any of the boxes, i.e. "Full Control". So now what do I do?

#6 basketball13

Posted 28 June 2004 - 06:51 PM

Hey, a couple of questions. I did the Registrar Lite and the value was called C:\WINDOWS\System32\win.dll. Then I ran the FINDnFIX and a log in Notepad popped up, and this is what it read:

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

Mon 06/28/2004
7:42pm up 0 days, 7:35

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\WIN.DLL +++ File read error
\\?\C:\WINDOWS\System32\WIN.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
WIN.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
win.dll Sun Jun 27 2004 5:31:08p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WIN.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group 2DEEP\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x 2DEEP\Owner
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: 2DEEP\Owner

Primary Group: 2DEEP\None



»»»»»»Backups created...»»»»»»
7:44pm up 0 days, 7:37
Mon 06/28/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-28-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-28-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLsvk
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
5swapdisk
TransmissionRetryTimeout
USERProcessHandleQuotaH
AppInit
DLLsvk

**File C:\FINDnFIX\WIN.TXT
Ń_åą’’’vk  €   5swapdisk h ° š  X Š’’’vk  ą   . TransmissionRetryTimeoutŠ’’’vk  €'   a USERProcessHandleQuotaH ą’’’h ° š  X ˆ Ų Ų’’’vk 8    AppInit_DLLsvk Ą’’’C : \ W I N D O W S \ S y s t e m 3 2 \ w i n . d l l Ą


Then I looked around for the moveit.bat so I could change it like you said, but I can't find the moveit.bat in my FINDnFIX program.... Can you guys hit me back and tell me if I'm doing something wrong? Thank you.
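The log above carries its own indicators: files the tool could not read, the size of the 'Windows' key against the reference sizes printed in the header line, the dumped AppInit_DLLs value with its "MISSING TRAILING NULL" marker, and a path that only shows up in the 16-bit string scan of the exported key. As an added example, not part of the thread and not FINDnFIX's own code, here is a small Python parser that extracts those fields from such a log and states what each one means. The embedded sample is constructed from the log above, abridged, with the binary noise replaced by '#'.

```python
"""Triage a FINDnFIX !LOG! report like the one pasted above.

Added example: not part of the thread and not FINDnFIX's own code. It pulls
out the fields the tool prints for a reader to judge: locked/unreadable
files, the size of the 'Windows' key against the reference sizes the log
itself lists, the dumped AppInit_DLLs value, and any path recoverable from
the 16-bit string scan of the exported key.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Reference sizes exactly as the log's own header line states them:
# (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
KEY_SIZE_DEFAULT = 450
KEY_SIZE_NO_APPINIT = 398
KEY_SIZES_SUSPECT = {448, 504, 512}

_READ_ERROR = re.compile(r"^(?:\\\\\?\\)?(\S.*?) \+\+\+ File read error", re.M)
_KEY_SIZE = re.compile(r"^Size of HKEY_LOCAL_MACHINE\\.*?\\Windows: (\d+)", re.M | re.I)
_APPINIT = re.compile(r"^AppInit_DLLs = (.*)$", re.M)
# The string scan prints UTF-16LE text one character per column
# ("C : \ W I N D O W S ..."); anchoring on a drive letter skips binary noise.
_SPACED_PATH = re.compile(r"[A-Za-z] : \\ (?:[A-Za-z0-9\\._\-] ){3,}[A-Za-z0-9]")


@dataclass
class Triage:
    locked_files: List[str] = field(default_factory=list)
    key_size: Optional[int] = None
    appinit_value: Optional[str] = None
    scan_paths: List[str] = field(default_factory=list)


def parse_log(text: str) -> Triage:
    t = Triage()
    for m in _READ_ERROR.finditer(text):
        path = m.group(1)
        if path.lower() not in [p.lower() for p in t.locked_files]:
            t.locked_files.append(path)  # plain and \\?\ forms collapse to one
    m = _KEY_SIZE.search(text)
    if m:
        t.key_size = int(m.group(1))
    m = _APPINIT.search(text)
    if m:
        t.appinit_value = m.group(1).strip()
    for m in _SPACED_PATH.finditer(text):
        joined = m.group(0).replace(" ", "")
        if joined not in t.scan_paths:
            t.scan_paths.append(joined)
    return t


def verdicts(t: Triage) -> List[str]:
    """Turn the extracted fields into the observations a helper would post."""
    out = [f"locked/unreadable file: {p}" for p in t.locked_files]
    if t.key_size is None:
        out.append("'Windows' key size not reported")
    elif t.key_size == KEY_SIZE_DEFAULT:
        out.append(f"'Windows' key size {t.key_size}: the tool's default")
    elif t.key_size == KEY_SIZE_NO_APPINIT:
        out.append(f"'Windows' key size {t.key_size}: AppInit_DLLs value absent")
    elif t.key_size in KEY_SIZES_SUSPECT:
        out.append(f"'Windows' key size {t.key_size}: a size the tool associates with infection")
    else:
        out.append(f"'Windows' key size {t.key_size}: not a reference size, inspect by hand")
    if t.appinit_value is not None:
        if "MISSING TRAILING NULL" in t.appinit_value:
            out.append("AppInit_DLLs value lacks its terminating NUL; compare with the string scan")
        elif t.appinit_value:
            out.append(f"AppInit_DLLs loads: {t.appinit_value}")
        else:
            out.append("AppInit_DLLs empty")
    out += [f"path recovered from the string scan: {p}" for p in t.scan_paths]
    return out


# Constructed sample modelled on the log above (abridged; binary noise
# replaced with '#').
SAMPLE_LOG = r"""
Scanning for file(s)...
C:\WINDOWS\System32\WIN.DLL +++ File read error
\\?\C:\WINDOWS\System32\WIN.DLL +++ File read error

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Spooler = yes
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

**File C:\FINDnFIX\WIN.TXT
##vk 8    AppInit_DLLsvk ###C : \ W I N D O W S \ S y s t e m 3 2 \ w i n . d l l ##
"""

if __name__ == "__main__":
    for line in verdicts(parse_log(SAMPLE_LOG)):
        print("-", line)
```

On the sample this reports one locked file, a key size of 448 (one of the sizes the tool flags), a malformed AppInit_DLLs value, and C:\WINDOWS\System32\win.dll recovered from the string scan, which is the same picture lorenb draws from the log in his reply.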

#7 lorenb

Posted 29 June 2004 - 09:11 AM

WOP:
Your moveit.bat would look like this:

move %WinDir%\System32\res.dll %SystemDrive%\junkxxx\res.dll

If you cannot change the security settings to Full Control, most likely it is still read-only. When you click on Properties, uncheck the Read-only check box.

If you try that and you get an error like "Can't apply changes, process is still in use by Windows", the .DLL is still running; try it in safe mode, that is the only way I got it to work. If that STILL doesn't work, start terminating processes until it does, and make sure that you do NOT have Internet Explorer open. If you need to read the posts as a guide, copy them into a Word document, or Notepad or something.

#8 lorenb


Posted 29 June 2004 - 09:14 AM

Basketball13:

Your log file shows that the WIN.DLL file is present on your system; you may have a horse of a different color....

The win.dll is part of the JS.SEEKER.K virus, and removal is a different process for you.

Take a look at the page Symantec created, they show how to get rid of it:

SEEKER Virus removal
