about:blank keeps coming back


16 replies to this topic

#1 mmessmmess (Full Member, 8 posts)

Posted 19 July 2004 - 05:30 PM

:scratchhead: I have tried everything to get rid of this crazy about:blank virus, but it keeps coming back. I have run hijack this, ad-aware, cws, norton av, and others in safe mode and with the restore function turned off, and it KEEPS COMING BACK! Aaaarggghhh! Please help. Here is my hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 6:26:02 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark Messier\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {DE2BCF2E-1F94-4607-A8CD-1E2F2C83F720} - C:\WINDOWS\System32\elgj.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7879.7251851852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?319

Thanks!!!!!!!

#2 gravylover5 (Mashed Potato Inspector, Retired Staff - Helper, 121 posts)

Posted 19 July 2004 - 05:46 PM

Hello, mmessmmess and welcome to the forums.

Your version of Hijack this is outdated. Please download version 1.98.0 from either of the following links:
http://www.majorgeek...wnload3155.html
or
http://downloads.sub.../hijackthis.zip

1. Download and unzip about:buster. Extract it into its own folder.
http://www.downloads...AboutBuster.zip

2. Boot in Safe Mode
3. Run About:Buster while you are in Safe Mode.

4. Reboot and post a new Hijack This log.

#3 mmessmmess (Full Member, 8 posts)

Posted 19 July 2004 - 06:50 PM

:oops: Thanks so much for your help!!!! I ran about:buster in safe mode, and here is the hijack file on reboot:

Logfile of HijackThis v1.98.0
Scan saved at 7:48:49 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Mark Messier\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {DE2BCF2E-1F94-4607-A8CD-1E2F2C83F720} - C:\WINDOWS\System32\elgj.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?319
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Filter: text/html - {E8B08D5D-D249-4AF2-8D97-718E1152699C} - C:\WINDOWS\System32\elgj.dll
O18 - Filter: text/plain - {E8B08D5D-D249-4AF2-8D97-718E1152699C} - C:\WINDOWS\System32\elgj.dll

#4 gravylover5 (Mashed Potato Inspector, Retired Staff - Helper, 121 posts)

Posted 19 July 2004 - 07:21 PM

Mmessmmess,

Please print out my instructions for reference during the fix.

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Move HijackThis.exe into this folder. When you run HijackThis from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary.

Run HijackThis from its new location and check the boxes next to these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {DE2BCF2E-1F94-4607-A8CD-1E2F2C83F720} - C:\WINDOWS\System32\elgj.dll (file missing)
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?319
O18 - Filter: text/html - {E8B08D5D-D249-4AF2-8D97-718E1152699C} - C:\WINDOWS\System32\elgj.dll
O18 - Filter: text/plain - {E8B08D5D-D249-4AF2-8D97-718E1152699C} - C:\WINDOWS\System32\elgj.dll

Make sure all browsers and windows (including this one) except for Hijack This are closed and hit "Fix Checked."

Reboot your computer into Safe Mode. Delete the following files/folders. Be sure to Show hidden files/folders.

Delete the following:

C:\WINDOWS\System32\elgj.dll <- this file

Reboot your computer and post a new Hijack This log.

#5 mmessmmess (Full Member, 8 posts)

Posted 19 July 2004 - 07:45 PM

I did the steps you indicated, although I couldn't delete the elgj.dll file since it didn't exist on the c: drive (I did an advanced search and everything). This is the new Hijack This file:

Logfile of HijackThis v1.98.0
Scan saved at 8:42:15 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\devldr32.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

I am concerned the about:blank virus is still lurking somewhere. Is there anything else I need to do? Thanks, Gravy!

#6 gravylover5 (Mashed Potato Inspector, Retired Staff - Helper, 121 posts)

Posted 19 July 2004 - 07:54 PM

Mmessmmess,

You appear to be clean, but About: Blank may be lurking somewhere. Try what is referred to as the "Time Travel Test." Set your computer clock ahead a few days, reboot and run Hijack This. Get a log and post it here. After you have posted the log, set the computer clock back to the correct date.

#7 mmessmmess (Full Member, 8 posts)

Posted 19 July 2004 - 08:02 PM

I zoomed ahead a few days, and it's back. This is the new Hijack This file. I swear, this virus is the most persistent one I've encountered. I was clean ten minutes ago, now not.

Logfile of HijackThis v1.98.0
Scan saved at 8:58:44 PM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\devldr32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8FA2752C-B9AB-406B-BAD5-8B0B1C26215E} - C:\WINDOWS\System32\khbabaa.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Filter: text/html - {50B3966A-5DC7-467E-A6EB-941BABFA5D74} - C:\WINDOWS\System32\khbabaa.dll
O18 - Filter: text/plain - {50B3966A-5DC7-467E-A6EB-941BABFA5D74} - C:\WINDOWS\System32\khbabaa.dll

Thanks again for helping....what next?

#8 gravylover5 (Mashed Potato Inspector, Retired Staff - Helper, 121 posts)

Posted 19 July 2004 - 08:04 PM

Mmessmmess,

I will have to get back to you on this, I'm over my head here. I will work to get you the response you require.

Regards,
Gravylover5

#9 FuNkY CaPrIcOrN (Full Member, 6 posts)

Posted 19 July 2004 - 08:07 PM

I have this same problem. Ad-Aware will fix it, but then it comes back a few days later, or as soon as you reboot.

This about:blank virus is a tough cookie. :unsure:

Edited by FuNkY CaPrIcOrN, 19 July 2004 - 08:07 PM.


#10 mmessmmess (Full Member, 8 posts)

Posted 19 July 2004 - 08:07 PM

Thanks. It looks like the about:blank virus continues to create new .dll files somehow. There must be a standard way to remove it, but I have not seen any successful stories yet on the net....

I will check back.

#11 jackgab (New Member, 1 post)

Posted 19 July 2004 - 08:28 PM

Hi mmessmmess, I had the same problem as you, and I tried everything that I could. Then I downloaded the Avast antivirus program and it killed the about virus.
Just go to the Avast web site and download the home edition.
Good luck. Jack.

#12 gravylover5 (Mashed Potato Inspector, Retired Staff - Helper, 121 posts)

Posted 19 July 2004 - 08:56 PM

Mmessmmess,

I believe I have a solution for this problem. Try and bear with me, for it is quite extensive.

1. Double-click My Computer.
2. Click the Tools menu, and then click Folder Options.
3. Click the View tab.
4. Clear "Hide file extensions for known file types."
5. Under the "Hidden files" folder, select "Show hidden files and folders."
6. Clear "Hide protected operating system files."
7. Click Apply, and then click OK.

Now navigate to:
C:\WINDOWS\system32\dllcache\notepad.exe <--file and right click it.
Choose copy from the menu.
Now go back one folder to:
C:\WINDOWS\system32 <-- folder and click on an empty spot in the right hand pane. Then right click there and select copy from the menu.

Now go back another folder to:
C:\WINDOWS <-- folder and do the copy thing again.
(click on an empty spot in the right hand pane. Then right click there and select copy from the menu.)

Close Explorer.

Go to start > run > type notepad enter.

Now copy and paste the bold below into that notepad file:


Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt


From the top menu, select > save as > select the desktop to *save in*

name the file Appinit.bat

in the *save as type* box select *All Files*

Now click *save*

Go to your desktop and double click the Appinit.bat file you just created.

If it was done correctly...This will create a file on the desktop named windows.txt
Copy and paste the contents of that file into your next reply.

#13 mmessmmess (Full Member, 8 posts)

Posted 19 July 2004 - 09:04 PM

;) Thanks Jackgab, but Avast works only temporarily for me. Avast scans and finds the virus, then says I'm clean, but then the about:blank is back in a couple of days. I have even cleaned out my hosts files, downloaded and run Norton Antivirus, CWS, and other recommended software programs.

I have also read several other people's posts who have said the same thing. They have wiped the HD and reloaded Windows. I just can't believe that that is the only solution.

There must be a specific file somewhere on our systems which is causing the reinfection.

#14 mmessmmess (Full Member, 8 posts)

Posted 19 July 2004 - 09:21 PM

OK, here is the contents of the windows.txt file (it sure looks like a lot of gibberish to me!):

regf       Pugf hbin  nk, sY  @ x 0 @ S O  Windows sk x x        
     !
   !      #
   #  ?    
     ?   
    ?    
        vk @    fAppInit_DLLs?GC : \ W I N D O W S \ S y s t e m 3 2 \ w d m o i e b . d l l . d   vk  X   UDeviceNotSelectedTimeout1 5  (W9 0  ! vk  '   zGDIProcessHandleQuota"vk     Spooler2y e s    ( x   vk    =pswapdiskvk  h   RTransmissionRetryTimeout ( x    ` vk  '   O USERProcessHandleQuota_ p (   x p xR P C R T 4 . d l l C : \ W I N D O W S \ s y s t e m 3 2 \ R P C R T 4 . d l l (   w  wU S E R 3 2 . d l l C : \ W I N D O W S \ s y s t e m 3 2 \ U S E R 3 2 . d l l (   ~  ~G D I 3 2 . d l l C : \ W I N D O W S \ s y s t e m 3 2 \ G D I 3 2 . d l l

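The "gibberish" in post #14 is the binary registry hive that the `reg save` step in post #12 writes, opened as text: value names are stored as 8-bit characters and REG_SZ data as UTF-16LE, which is why the DLL path shows up as spaced-out letters. As an added example that is not part of the thread and not any tool named in it, here is a small Python reader for that hive format (regf base block, hbin blocks, vk value cells) that pulls the AppInit_DLLs list out of such a file offline, so the check can be done on a clean machine rather than by eye. The sample hive below is constructed inside the script to mirror the value names visible in the poster's dump; wdmoieb.dll is the name the thread found, the other values are ordinary defaults.

```python
"""Offline reader for AppInit_DLLs in a 'reg save' hive file (added example)."""
import struct

HEADER_SIZE = 0x1000      # regf base block; hbin-relative offsets start after it
HBIN_HEADER = 0x20        # size of the 'hbin' block header
INLINE_DATA = 0x80000000  # data_len flag: data (<= 4 bytes) lives in the offset field
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
NAME_ASCII = 1            # vk flags bit: name stored as 8-bit chars, not UTF-16


def _cell(payload: bytes) -> bytes:
    """Wrap payload as an allocated hive cell: negative int32 size, 8-byte aligned."""
    size = (4 + len(payload) + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")


def build_sample_hive(values: dict) -> bytes:
    """Constructed test data: a one-bin hive with REG_SZ (str) and REG_DWORD (int) values."""
    body = b""
    for name, val in values.items():
        name_b = name.encode("ascii")
        vk_size = (4 + 20 + len(name_b) + 7) & ~7          # cell size of the vk cell
        if isinstance(val, int):                           # DWORDs are stored inline
            data_len, data_off, dtype, data_cell = 4 | INLINE_DATA, val, REG_DWORD, b""
        else:                                              # strings get their own cell
            data = val.encode("utf-16-le") + b"\0\0"
            data_len, dtype = len(data), REG_SZ
            data_off = HBIN_HEADER + len(body) + vk_size   # data cell follows the vk cell
            data_cell = _cell(data)
        vk = struct.pack("<2sHIIIHH", b"vk", len(name_b), data_len, data_off,
                         dtype, NAME_ASCII, 0) + name_b
        body += _cell(vk) + data_cell
    bin_size = (HBIN_HEADER + len(body) + 0xFFF) & ~0xFFF
    hbin = b"hbin" + struct.pack("<II", 0, bin_size) + b"\0" * 20
    return b"regf".ljust(HEADER_SIZE, b"\0") + (hbin + body).ljust(bin_size, b"\0")


def hive_values(hive: bytes) -> dict:
    """Walk each hbin's cells and return {name: value} for every 'vk' value cell."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive file")
    found = {}
    pos = HEADER_SIZE
    while hive[pos:pos + 4] == b"hbin":
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        cell, end = pos + HBIN_HEADER, pos + bin_size
        while cell + 4 <= end:
            size = struct.unpack_from("<i", hive, cell)[0]
            if size == 0:
                break                                      # zero padding: bin is done
            if size < 0 and hive[cell + 4:cell + 6] == b"vk":   # allocated value cell
                name_len, data_len, data_off, dtype, flags = struct.unpack_from(
                    "<HIIIH", hive, cell + 6)
                raw_name = hive[cell + 24:cell + 24 + name_len]
                name = raw_name.decode("latin-1" if flags & NAME_ASCII else "utf-16-le")
                if data_len & INLINE_DATA:
                    raw = struct.pack("<I", data_off)[:data_len & 0x7FFFFFFF]
                else:
                    start = HEADER_SIZE + data_off + 4     # skip the data cell's size field
                    raw = hive[start:start + data_len]
                if dtype in (REG_SZ, REG_EXPAND_SZ):
                    found[name] = raw.decode("utf-16-le", "replace").rstrip("\0")
                elif dtype == REG_DWORD and len(raw) == 4:
                    found[name] = struct.unpack("<I", raw)[0]
                else:
                    found[name] = raw
            cell += abs(size)
        pos = end
    return found


def appinit_dlls(hive: bytes) -> list:
    """DLL paths in AppInit_DLLs (space or comma separated); these load into every GUI process."""
    value = hive_values(hive).get("AppInit_DLLs", "")
    return value.replace(",", " ").split() if isinstance(value, str) else []


# Constructed sample mirroring the value names visible in the poster's dump.
SAMPLE_HIVE = build_sample_hive({
    "AppInit_DLLs": "C:\\WINDOWS\\System32\\wdmoieb.dll",
    "DeviceNotSelectedTimeout": "15",
    "GDIProcessHandleQuota": 10000,
    "Spooler": "yes",
})

if __name__ == "__main__":
    # On a real machine: appinit_dlls(open("windows1.hiv", "rb").read())
    for path in appinit_dlls(SAMPLE_HIVE):
        print("AppInit_DLLs loads:", path)
```

A non-empty AppInit_DLLs on a home XP box is the thing to look at first: anything listed there is mapped into every process that loads user32.dll, which is exactly how a hijacker can re-create its BHO and filter DLLs under fresh random names after each cleanup.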
#15 gravylover5 (Mashed Potato Inspector, Retired Staff - Helper, 121 posts)

Posted 19 July 2004 - 09:40 PM

Windows.txt reveals that the super hidden reinstalling file name is:
C:\WINDOWS\System32\wdmoieb.dll

Now we just need to nuke it.

The removal method is a tad different depending on your version of XP and your type of file structure.

Are you running XP Home or Pro and is your file system FAT32 or NTFS?
Look in My Computer. Right click the C drive and choose properties to find the File System .

I will give you instructions for each. Pick the one applicable to you.

........................................................................................................

Download the zipped file below to your desktop:
http://computercops....ownload&id=2028

Sign off the internet and stay off until all of these steps have been completed.

Extract (unzip) the batch file (hiving.bat) and run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box.

It is critical that you do not run it from the zipped folder. To extract (unzip) it.... right click the .zip file on your desktop and select *extract all files* Follow the extraction Wizard (keep clicking next) and by default the extracted (unzipped) hiving folder will be placed on your desktop. Open the hiving folder and inside will be a file named hiving.bat.

Double click on hiving.bat to run it and then reboot to safe mode (tap the F8 key at boot to enter safe mode).

After a reboot the super hidden nasty file will no longer be loaded and will be visible. This will end the constant reinstall of about:Blank.
..........................................................................................................

Once in safe mode the instructions will be the same for Home and Pro versions with NTFS file structure.

Like so....

Once in safe mode, Navigate to and right click this file and select properties:
C:\WINDOWS\System32\wdmoieb.dll <-- file

use the security tab on the file and take ownership.
How to take ownership of a file or folder in Windows XP

Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.
Then if that fails try to rename it again to different name+ext.

Ex:
wdmoieb.dll > baddie.txt
baddie.txt > badfile.111
Few times... Etc.

..............................................................................................

for FAT32 file structure:

Once you are in safe mode,
Right click on the file. Click Properties
from the menu.
Uncheck the Read Only box.
Delete the file.
..............................................................................................


Once you have successfully deleted C:\WINDOWS\System32\wdmoieb.dll please do these:

Navigate to:
C:\Documents and Settings\Mark Messier\Local Settings\Temp <-- folder...and delete the entire contents of the temp folder (select all files, but not the folder itself)
Then empty the recycle bin.

Reboot normally....

Immediately run AdAware:
Download the latest version of Ad-Aware at http://www.lavasoftu...pport/download/
After installing AAW, and before running the program, FIRST update the reference file following these instructions.
http://www.lavahelp....dref/index.html
Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."
(More info here... http://www.lavahelp....awaretweak.html )
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"
Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware, and reboot.

then these....
Get and run the newest version of CWShredder:
Download CWShredder:
http://www.spywarein.../CWShredder.exe
Double click and hit the ->fix button to fix all found problems
Reboot.

then Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Turn ON System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Next a full scan here and let it clean:
http://housecall.tre.../start_corp.asp
Reboot when done.

Finally go to Start > Run > type or paste:
sfc /scannow
enter and let it run. Have your XP cd handy.

Now reboot again and show us a fresh HijackThis log please.

Good luck.

#16 mmessmmess (Full Member, 8 posts)

Posted 20 July 2004 - 01:02 AM

:scratchhead: OK, Gravy, here is the latest Hijack This file. I did the steps you outlined, and I even reloaded WIN XP Pro as part of "sfc /scannow". I seem clean now, but I definitely still had the About:Home virus just before reloading WIN XP.

Do you think the XP reinstall might have been the trick? How does the HJT file look?

Logfile of HijackThis v1.98.0
Scan saved at 2:02:04 AM, on 7/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

Thanks!

#17 gravylover5 (Mashed Potato Inspector, Retired Staff - Helper, 121 posts)

Posted 20 July 2004 - 11:49 AM

Mmessmmess,

I notice that your OS/IE is not properly updated. Please go to http://v4.windowsupd.../en/default.asp and download all Critical Updates and Service packs.

After updating Windows, try the Time Travel Test and post a log from the test.



