About:blank malware keeps coming back!



#1 mcloutier


Posted 15 July 2004 - 03:54 PM

I've been having real problems ever since I got this new laptop about a week ago...

My Internet Explorer home page keeps changing to About:blank but it isn't really blank, it is a search page. Sometimes it doesn't do anything else but sometimes it freezes my Internet connection and nothing works.... I tried everything I can think of. I ran Ad-aware, Spybot S&D and Symantec Anti-Virus with latest updates, it all found stuff which I removed, but the thing keeps coming back a few minutes later.

I also ran HiJackThis, CWShredder and even AboutBuster which was discussed on your site this morning. I also did everything mentioned in your FAQs. All of these remove the problem, but it ALWAYS keeps coming back a few minutes later.

I have to say I do have MS Java VM installed, which I need for a particular app that does not run with Java VM. But my version of MS JVM is the latest 5.0.3810

I also have BHODemon always running which tells me when the thing comes back, at which point I immediately go in and disable the .dll file that got posted in C:\Windows\System32. It's never the same file but always going to this folder.

By the way I also ran all Windows Critical Updates.

Here is my HiJackThis log, please help me!

Logfile of HijackThis v1.98.0
Scan saved at 3:30:16 PM, on 2004-07-15
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\PMOffice Enterprise\PmoITray.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Documents and Settings\mcloutier\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: PmoITray.exe.lnk = C:\Program Files\PMOffice Enterprise\PmoITray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.hq.systemcorp.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.hq.systemcorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.hq.systemcorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.35.3 192.168.35.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.hq.systemcorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.35.3 192.168.35.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.35.3 192.168.35.6
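An added example, not from the original post: it pulls the O2 (BHO) entries out of a HijackThis log in the layout pasted above and flags any whose DLL loads straight from C:\Windows\System32, the drop location the poster reports. The sample log mixes the page's own O2 lines with one constructed entry whose CLSID is a placeholder.

```python
import re

# One HijackThis "O2 - BHO:" line, in the layout of the log pasted above:
# O2 - BHO: <name> - {<CLSID>} - <dll path>[ (disabled by BHODemon)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)"
    r"(?: \(disabled by BHODemon\))?$"
)

def parse_bhos(log_text):
    """Return one dict per O2 line: name, clsid, dll path and BHODemon state."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),
                "path": m.group("path"),
                "disabled": line.rstrip().endswith("(disabled by BHODemon)"),
            })
    return entries

def in_system32(path):
    """True when the module sits directly in <drive>:\\Windows\\System32."""
    parts = path.replace("/", "\\").lower().split("\\")
    return len(parts) >= 3 and parts[-3] == "windows" and parts[-2] == "system32"

def triage(log_text):
    """CLSIDs of BHOs loaded straight from System32: the drop location the
    poster saw for the hijacker's DLLs, and a place no BHO in this log
    legitimately lives. Each hit still needs manual review."""
    return [e["clsid"] for e in parse_bhos(log_text) if in_system32(e["path"])]

# Sample log: the three O2 lines from the post plus one CONSTRUCTED entry
# (placeholder CLSID, file name taken from the poster's second message).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (disabled by BHODemon)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\win.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

if __name__ == "__main__":
    for clsid in triage(SAMPLE_LOG):
        print("review BHO", clsid)
```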

#2 mcloutier


Posted 21 July 2004 - 01:11 PM

Hi everyone!

I had been waiting for a reply for almost a week, and decided to attack this, and I think I have found the source of it, on my machine at least... no about:blank for the last day, which is something I had not experienced since this thing started.

I used information from other threads, mostly the following posts:
-from joeb on July 6: http://forums.spywar...topic=7846&hl=#
-from DJ Barcode on July 19: http://forums.spywar...c=12609&st=180#

The problem was caused by a specific file located in C:\Windows\System32 with a size of 57,344 bytes (not Kb!). The fun part is that the file is not viewable from Windows (even if you have all view hidden files options) and its name seems to differ from one instance to the next. You can only view it when booting from a bootdisk and using software that allows you to read/write NTFS partitions such as your hard drive. This will allow you to find the file but not to delete it, which needs to be done through Windows because there is Windows security applied to the file. It took me about 4h to get through all this... here's a summary of the steps I used:

1- create a DOS boot disk or boot cd that holds a version of NTFSPRO. Note that you need the full version of NTFSPRO with Read/Write capabilities.
2- boot into DOS from disk/cd
3- go to C:\windows\system32 and locate (using DOS commands) the file whose size is 57,344 bytes that is not visible from Windows. You'll notice probably 6 or 7 files of that exact size. All are regular system files that can be viewed from Windows Explorer, except one which is the problem file. It was named win.dll on my system.
4- once you have identified the problem file, rename it to something else (for example, crap.txt)
5- log back in to your workstation as you normally do (without the boot disk)
6- Locate the renamed file through Windows Explorer (now you'll see it)
7- Go to file Properties > Security > Advanced and make yourself the owner of the file, which then allows you to give yourself all read/write/delete permissions to the file and uncheck the read-only attribute
8- Now you can finally delete the problem file

I know getting through some of these steps may not be easy (like step 1 - finding NTFSPRO Full Version) but remember one thing: google

Be patient and don't give up, you can get through it!

By the way, even though no one had replied to my post or has explicitly helped me personally, I do want to thank this forum and all its contributors, because it did allow me to get rid of this evil thing...

Good luck to all!!
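The cross-view check behind steps 3 and 6 above (compare what the boot disk lists against what Windows shows, restricted to 57,344-byte files), written as an added Python example that is not from the original post. The dir listing layout and every file name other than win.dll are constructed for the example.

```python
import os
import re

HIJACKER_SIZE = 57_344  # byte size of the hidden DLL reported in the post

# One Windows "dir"-style line: date, time, optional AM/PM, size, name.
# The layout is an assumption; match it to what your boot disk prints.
DIR_LINE = re.compile(r"^\d\S*[/-]\S*\s+\S+\s+(?:AM|PM)?\s*([\d,]+)\s+(\S.*)$")

def parse_offline_listing(text):
    """Parse a listing captured from the boot disk into {name: size}."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            files[m.group(2).strip().lower()] = int(m.group(1).replace(",", ""))
    return files

def listing_from_dir(directory):
    """Build the same {name: size} map from inside the running Windows session."""
    files = {}
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            files[name.lower()] = os.path.getsize(full)
    return files

def hidden_candidates(offline, online, size=HIJACKER_SIZE):
    """Split the files of exactly `size` bytes into those the live view cannot
    see (the hidden-DLL pattern from step 3) and the ordinary ones it can."""
    same_size = sorted(n for n, s in offline.items() if s == size)
    hidden = [n for n in same_size if n not in online]
    visible = [n for n in same_size if n in online]
    return hidden, visible

# CONSTRUCTED boot-disk listing; only win.dll comes from the post, the other
# names and dates are made up for the example.
OFFLINE_LISTING = """\
08/29/2002  07:00 AM            57,344 sysfile1.dll
08/29/2002  07:00 AM            57,344 sysfile2.dll
08/29/2002  07:00 AM            12,288 other.dll
07/15/2004  03:25 PM            57,344 win.dll
               4 File(s)        184,320 bytes
"""
# CONSTRUCTED live view: what Explorer shows for the same directory.
ONLINE_VIEW = {"sysfile1.dll": 57_344, "sysfile2.dll": 57_344, "other.dll": 12_288}
```

On a real machine, replace `ONLINE_VIEW` with `listing_from_dir(r"C:\WINDOWS\System32")` taken from the running session and `OFFLINE_LISTING` with the text captured at the boot-disk prompt.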
