
Help with Backdoor.Trojan (about:blank) removal


5 replies to this topic

#1 ImperialFleet
    Full Member, 4 posts

Posted 20 July 2004 - 09:31 AM

Hi, I've been combatting this about:blank problem since June 20th to no avail. I found another thread in this forum that is my exact situation:
http://forums.spywar...topic=16332&hl=

In short, my system is set up like this (with all of the latest security versions/patches):
W2K Pro
Symantec AntiVirus Corporate Edition
Ad Aware
HJT
About:Buster

I'm not sure how ejosh87 from the above linked thread was able to miraculously delete the culprit dll. My dll is called winc.dll and when I try to delete it from the file system, access is denied. Same from the command prompt, even if I try del winc.dll -F. If I reboot and go into safe mode, the winc.dll file is gone because it cleans up after itself during shutdown. WTF? I have deleted the key from the registry that points to the dll but that doesn't help.

What I want to know is how everyone is mysteriously deleting this dll in safe mode but I cannot? For security purposes I have my system delete the pagefile every time before restart/shutdown. I could try setting it to not remove the pagefile and see if the dll stays after a reboot into safe mode. About:Buster works great but it gets into a vicious loop of stopping/restarting explorer.exe in an attempt to delete the winc.dll; when it cannot delete the winc.dll it tries over and over until I have to power cycle the PC.

All suggestions are appreciated. I am at work now and the PC in question is at home. I won't be able to post any logs for this until 9pm EDT tonight.

#2 PGPhantom
    Superman of SWI (Emeritus), 3,494 posts

Posted 20 July 2004 - 10:14 AM

Can you please download HijackThis from this link, install it into C:\HJT. Run it, click on scan, save log and please post your entire log here for analysis.

Thank you.

#3 beauspeakeasy
    Full Member, 2 posts

Posted 20 July 2004 - 11:01 AM

The free AVG software found the backdoor trojan on mine and fixed a lot of startup problems. Good luck.

#4 ImperialFleet
    Full Member, 4 posts

Posted 20 July 2004 - 11:15 AM

Thanks guys. I'll post my HJT log when I get home tonight.

#5 ImperialFleet
    Full Member, 4 posts

Posted 20 July 2004 - 08:26 PM

okay, here's the log

Logfile of HijackThis v1.98.0
Scan saved at 8:24:58 PM, on 7/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\cisvc.exe
D:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\svchost.exe
D:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\DirectCD\DIRECTCD.EXE
D:\PROGRA~1\Navnt\vptray.exe
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\SETI@home\SETI@home.exe
D:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LOGON.BAT
O4 - Startup: Microsoft Office Shortcut Bar.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.10...etzip/RdxIE.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft...nloads/outc.cab
O20 - AppInit_DLLs: C:\WINNT\system32\winc.dll

Edited by ImperialFleet, 20 July 2004 - 08:26 PM.
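As an added example, not from the thread and not part of any tool named on this page, the log above can be triaged mechanically. The script below is Python; its sample log is constructed (the CLSIDs and the O20 line mirror the post, but the hosts are placeholders from 192.0.2.0/24 and example.com). The O20 line is the key finding: a DLL listed in AppInit_DLLs is loaded by user32.dll into every GUI process on Windows 2000, so while Explorer, IE or HijackThis are running the file is mapped and the delete fails with "access denied". The O16 heuristic (ActiveX fetched from a bare IP) and the O4 heuristic (a batch or script file launched at startup) are this script's own checks, not HijackThis behaviour.

```python
"""Triage a HijackThis log for the entries that matter in an about:blank
hijack. Added example, not from the thread; SAMPLE_LOG is constructed."""
import re
from typing import List, NamedTuple

# Constructed sample modelled on the log posted above. Hosts are placeholders
# (192.0.2.0/24 and example.com); the CLSIDs and the O20 line mirror the post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: LOGON.BAT
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://192.0.2.10/netzip/RdxIE.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://example.com/downloads/outc.cab
O20 - AppInit_DLLs: C:\WINNT\system32\winc.dll
"""

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>.+?)\] )?(?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.*?)\) - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
# Heuristic: a download URL whose host is a literal IPv4 address.
IP_HOST_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".pif", ".scr")
SEVERITY_ORDER = {"critical": 0, "suspicious": 1, "review": 2}


class Finding(NamedTuple):
    severity: str
    section: str
    detail: str


def appinit_dlls(log: str) -> List[str]:
    """Every DLL path named on an O20 AppInit_DLLs line. The registry value is a
    single REG_SZ; user32 accepts comma- or space-separated names."""
    dlls: List[str] = []
    for line in log.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            dlls.extend(p for p in re.split(r"[,\s]+", m.group("value")) if p)
    return dlls


def triage(log: str) -> List[Finding]:
    """Return findings ordered critical -> suspicious -> review."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m20 = O20_RE.match(line)
        if m20:
            for dll in re.split(r"[,\s]+", m20.group("value")):
                if dll:
                    findings.append(Finding(
                        "critical", "O20",
                        f"{dll} is loaded by user32.dll into every GUI process; "
                        "it cannot be deleted while any such process runs"))
            continue
        m16 = O16_RE.match(line)
        if m16:
            if IP_HOST_RE.match(m16.group("url")):
                findings.append(Finding(
                    "suspicious", "O16",
                    f"ActiveX '{m16.group('name')}' fetched from a bare IP: {m16.group('url')}"))
            continue
        m4 = O4_RE.match(line)
        if m4:
            cmd = m4.group("cmd").strip('"').lower()
            if cmd.endswith(SCRIPT_EXT):
                findings.append(Finding(
                    "review", "O4",
                    f"script started from {m4.group('where')}: {m4.group('cmd')}"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section}: {f.detail}")
```

The heuristics are deliberately narrow: on a real log you would also want to compare every O4 target against a known-good baseline, which this script does not attempt.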


#6 PGPhantom
    Superman of SWI (Emeritus), 3,494 posts

Posted 21 July 2004 - 09:45 AM

  • Download reglite
  • install "Reglite" and run it, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ into the address bar.
  • Double click on AppInit_DLLs to open a "Data Editor" properties window. If the bottom text field named "Value" contains a .dll file, then this is the hidden file you need to get rid of. (It should contain the winc.dll file.)
  • You should not be able to delete this file if you try to clear the value field. IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.
  • Rename the Folder "Windows" (This is a purple "highlighted" folder in the left hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".
  • Click AppInit_DLLs again and clear the value containing the .dll and ok it. This should have removed the .dll
  • Rename the windows folder back to its original name "Windows".
  • Run SpyBot, Ad-Aware and CWShredder
  • Check the following three links for instructions on downloading and running the applications listed:
  • Next step will be to remove this dll file so make sure you have it noted down.
  • Procedure 1
    • Download KillBox
    • Unzip and start the application
    • Paste in the dir <path and name of dll as found in the appinit value box> e.g. C:\Windows\System32\nameofdll.dll
    • Menu Select Action => Delete on Reboot
    • Select File => Add file <It should add the path automatically>
    • <Same Window> Select Action => Process and Reboot
  • Procedure 2 (If Procedure 1 did not work)
    • Click "Start" => "Run" and type in "cmd" (Without the quotations) and click on "Okay".
    • This will open a command window. I will assume you have a basic knowledge of DOS; if you have any problems at this point, just write back and I will outline the commands.
    • Type in dir <path and name of dll as found in the appinit value box> and press "Enter". You should see the name of the file listed.
    • Go to the system32 folder (This is where the .dll file will typically reside) and type attrib -R "nameofdll".dll
    • Carry out Procedure 1 again
  • Restart your computer in safe mode (How do I boot into "Safe" mode?)
  • Open cmd window again as before
  • Type dir <path and name of dll as found in the appinit value box> and locate the dll name; the dll should now have been removed and will not be listed.
  • While in safe mode, run the 3 ad-removal programs again, just to make sure all traces are gone.
  • Boot up your PC as normal and post a new HijackThis log into this message for further review.
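The procedure above amounts to three things: stop the value from being re-asserted (rename the Windows key out from under whatever rewrites it), clear AppInit_DLLs, and have the file deleted at boot before any process can map it. The following Python for Windows is an added example, not a tool from the thread and not what KillBox or reglite themselves do. The delete-on-reboot step uses the Win32 call MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, the standard Windows mechanism for removing an in-use file: it records a pending operation in the Session Manager's PendingFileRenameOperations value, which is processed at the next boot before user-mode processes (and therefore before AppInit_DLLs) run. The helper pending_delete_entries() shows the exact form those entries take so you can confirm them in reglite before rebooting. Assumed details: the script is run as an administrator, and the key rename is still done by hand since winreg offers no rename.

```python
"""Registry and delete-on-reboot mechanics behind the AppInit_DLLs clean-up
above. Added example, not a tool from the thread. Pure helpers run anywhere;
read_appinit() and schedule_delete_on_reboot() are Windows-only."""
import ctypes
import os
import re
import sys
from typing import List, Optional

APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_VALUE = "AppInit_DLLs"
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # winbase.h


def split_appinit(value: str) -> List[str]:
    """AppInit_DLLs is one REG_SZ string; user32 accepts comma- or
    space-separated names, so a path containing spaces cannot be listed."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def pending_delete_entries(paths: List[str]) -> List[str]:
    """What MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) appends to the
    REG_MULTI_SZ PendingFileRenameOperations value: the source as an NT object
    path (\\??\\C:\\...) followed by an empty destination, which Session
    Manager treats as 'delete'. Handy for checking the value in reglite."""
    entries: List[str] = []
    for p in paths:
        entries.append("\\??\\" + p)
        entries.append("")
    return entries


def read_appinit() -> Optional[str]:
    """Current AppInit_DLLs value, or None if the value is absent (Windows only)."""
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, APPINIT_VALUE)
        except FileNotFoundError:
            return None
    return value


def schedule_delete_on_reboot(path: str) -> None:
    """Ask Session Manager to delete `path` at the next boot, before any
    user-mode process (and so before AppInit_DLLs) can load it. Needs admin."""
    if sys.platform != "win32":
        raise RuntimeError("Windows only")
    kernel32 = ctypes.windll.kernel32
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()


def main(argv: List[str]) -> int:
    value = read_appinit()
    dlls = split_appinit(value or "")
    if not dlls:
        print("AppInit_DLLs is empty")
        return 0
    for dll in dlls:
        state = "present" if os.path.exists(dll) else "missing"
        print(f"AppInit_DLLs -> {dll} ({state})")
    if "--schedule" in argv:
        for dll in dlls:
            schedule_delete_on_reboot(dll)
        print("Pending deletions:", pending_delete_entries(dlls))
        print("Now clear AppInit_DLLs (after renaming the key, as above) and reboot.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it once without arguments to see what AppInit_DLLs currently names and whether the file is on disk, then with --schedule to queue the deletion. Clearing the value before the reboot matters: if the DLL is deleted but the value still points at it, every GUI process will log a failed load, and if a watchdog re-creates the file you are back where you started.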




