mcloutier

About:blank malware keeps coming back !

2 posts in this topic

I've been having real problems ever since I got this new laptop about a week ago...

My Internet Explorer home page keeps changing to About:blank, but it isn't really blank, it is a search page. Sometimes it doesn't do anything else, but sometimes it freezes my Internet connection and nothing works.... I tried everything I can think of. I ran Ad-aware, Spybot S&D and Symantec Anti-Virus with the latest updates; they all found stuff, which I removed, but the thing keeps coming back a few minutes later.

I also ran HijackThis, CWShredder and even AboutBuster, which was discussed on your site this morning. I also did everything mentioned in your FAQs. All of these remove the problem, but it ALWAYS keeps coming back a few minutes later.

I have to say I do have the MS Java VM installed, which I need for a particular app that does not run with Java VM. But my version of the MS JVM is the latest, 5.0.3810.

I also have BHODemon always running, which tells me when the thing comes back, at which point I immediately go in and disable the .dll file that got posted in C:\Windows\System32. It's never the same file, but it always goes to this folder.

By the way, I also ran all Windows Critical Updates.

Here is my HijackThis log, please help me!

Logfile of HijackThis v1.98.0
Scan saved at 3:30:16 PM, on 2004-07-15
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\PMOffice Enterprise\PmoITray.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Documents and Settings\mcloutier\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: PmoITray.exe.lnk = C:\Program Files\PMOffice Enterprise\PmoITray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.hq.systemcorp.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.hq.systemcorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.hq.systemcorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.35.3 192.168.35.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.hq.systemcorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.35.3 192.168.35.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.35.3 192.168.35.6


Hi everyone!

I had been waiting for a reply for almost a week and decided to attack this, and I think I have found the source of it, on my machine at least... no about:blank for the last day, which is something I had not experienced since this thing started.

I used information from other threads, mostly the following posts:

- from joeb on July 6: http://forums.spywareinfo.com/index.php?showtopic=7846&hl=#
- from DJ Barcode on July 19: http://forums.spywareinfo.com/index.php?sh...c=12609&st=180#

The problem was caused by a specific file located in C:\Windows\System32 with a size of 57,344 bytes (not KB!). The fun part is that the file is not viewable from Windows (even if you have all the view hidden files options on), and its name seems to differ from one instance to the next. You can only view it when booting from a boot disk and using software that allows you to read/write NTFS partitions such as your hard drive. This will allow you to find the file but not to delete it, which needs to be done through Windows because there is Windows security applied to the file. It took me about 4h to get through all this... here's a summary of the steps I used:

1- Create a DOS boot disk or boot CD that holds a version of NTFSPRO. Note that you need the full version of NTFSPRO with read/write capabilities.

2- Boot into DOS from the disk/CD.

3- Go to C:\windows\system32 and locate (using DOS commands) the file whose size is 57,344 bytes that is not visible from Windows. You'll notice probably 6 or 7 files of that exact size. All are regular system files that can be viewed from Windows Explorer, except one, which is the problem file. It was named win.dll on my system.

4- Once you have identified the problem file, rename it to something else (for example, crap.txt).

5- Log back in to your workstation as you normally do (without the boot disk).

6- Locate the renamed file through Windows Explorer (now you'll see it).

7- Go to file Properties > Security > Advanced and make yourself the owner of the file, which then allows you to give yourself all read/write/delete permissions on the file and uncheck the read-only attribute.

8- Now you can finally delete the problem file.

I know getting through some of these steps may not be easy (like step 1 - finding the NTFSPRO full version) but remember one thing: Google.

Be patient and don't give up, you can get through it!

By the way, even though no one had replied to my post or has explicitly helped me personally, I do want to thank this forum and all its contributors, because it did allow me to get rid of this evil thing...

Good luck to all!!

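The cross-view idea behind steps 3 and 6 of the post (the file shows up in an offline listing of System32 but not from Windows), as an added example that is not code from the post or from any tool it mentions: it compares a directory listing taken from inside Windows with one taken offline and flags files that are missing from the Windows view, plus any visible file that exactly matches the reported 57,344-byte size. The listings, file names and sizes below are constructed sample data.

```python
"""Cross-view check for a file hidden from Windows directory enumeration.

Two listings of the same folder are compared: one taken from the running
Windows system and one taken offline (e.g. from a boot disk with NTFS read
support). A file present offline but absent from the Windows listing is the
classic sign that something is filtering directory enumeration.
"""
from typing import Dict, List, Tuple

SUSPECT_SIZE = 57_344  # exact size reported in the post (bytes, not KB)


def parse_listing(text: str) -> Dict[str, int]:
    """Parse lines of '<name> <size>' into {name: size}; blank lines are skipped."""
    entries: Dict[str, int] = {}
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        name, size = line.rsplit(None, 1)
        entries[name.lower()] = int(size)  # NTFS names are case-insensitive
    return entries


def cross_view_diff(windows_view: Dict[str, int],
                    offline_view: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """Return (name, size, reason) for files worth a closer look.

    'hidden_from_windows': present offline, absent from the Windows listing.
    'size_match': visible in both views but exactly SUSPECT_SIZE bytes; the post
    notes that several legitimate system files share this size, so these are
    only candidates to check against the offline view, not findings.
    """
    findings: List[Tuple[str, int, str]] = []
    for name, size in sorted(offline_view.items()):
        if name not in windows_view:
            findings.append((name, size, "hidden_from_windows"))
        elif size == SUSPECT_SIZE:
            findings.append((name, size, "size_match"))
    return findings


# Constructed sample listings; names and sizes are invented for illustration.
WINDOWS_LISTING = """
sample_a.dll 983552
sample_b.dll 57344
sample_c.dll 57344
"""
OFFLINE_LISTING = WINDOWS_LISTING + "win.dll 57344\n"  # only the offline view sees it

if __name__ == "__main__":
    for name, size, reason in cross_view_diff(parse_listing(WINDOWS_LISTING),
                                              parse_listing(OFFLINE_LISTING)):
        print(f"{reason:20s} {name} ({size} bytes)")
```

On a real system the two listings would come from the same folder, one generated by Windows and one by the offline boot environment.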