Jump to content

feeling blankety blank about "about:blank"


Recommended Posts

:D

I quit using explorer for Firefox, I have the aboutbuster, spybot and spyware blaster, done what was recommended and it still pops up as my listed homepage.........

I thrown out the cookies, tossed out false favorite files, emptied my cache and ran all of the programs once before shut down and once upon restart. followed the recommended advice on debugging the system. I will turn the system on, Explore will say it is clean and then freezes. When I open a new window, darn if that homepage isn't reset again.

I put hijackthis in and here is what I have, please tell me what to do. Thank you for your help in advance.....

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\system32\javatr32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\SYSTEM32\SOL.EXE

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\WINDOWS\system32\ntis.exe

C:\Documents and Settings\me\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FEDB5C70-C8D3-5CE0-5433-3BFBF961AF4B} - C:\WINDOWS\addes.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [javatr32.exe] C:\WINDOWS\system32\javatr32.exe

O4 - HKLM\..\RunOnce: [ntis.exe] C:\WINDOWS\system32\ntis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

O4 - Global Startup: Digital Line Detect.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: *.05p.com (HKLM)

O15 - Trusted Zone: *.awmdabest.com (HKLM)

O15 - Trusted Zone: *.blazefind.com (HKLM)

O15 - Trusted Zone: *.clickspring.net (HKLM)

O15 - Trusted Zone: *.flingstone.com (HKLM)

O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O15 - Trusted Zone: *.mt-download.com (HKLM)

O15 - Trusted Zone: *.my-internet.info (HKLM)

O15 - Trusted Zone: *.scoobidoo.com (HKLM)

O15 - Trusted Zone: *.searchbarcash.com (HKLM)

O15 - Trusted Zone: *.searchmiracle.com (HKLM)

O15 - Trusted Zone: *.slotch.com (HKLM)

O15 - Trusted Zone: *.static.topconverting.com (HKLM)

O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)

O15 - Trusted IP range: 206.161.125.149 (HKLM)

O17 - HKLM\System\CCS\Services\Tcpip\..\{E0E77FFE-6C31-4F09-BF95-38C03305B72E}: NameServer = 209.165.131.12 209.165.131.13

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel

Link to post
Share on other sites

Hi,

You have an About:Blank CWS Infection. Please follow the following directions carefully because this is a tough infection to remove.

The Fix:

Step#1:Getting Ready

(the reason Wordpad was chosen is that Notepad is sometimes deleted by this variant)

Please save these instructions to WordPad so that you have them accessible while following the steps. You also may want to print out these directions as the Internet will not be available.

After downloading the tools, you must disconnect from the internet totally, because staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer and Outlook Express closed throughout as opening either will reinstall the infection.

To replace Internet Explorer to use during this fix, please use Internet Explorer once to download and install FireFox, to be used as your alternate browser throughout this fix.

Close Outlook Express and Internet Explorer for the duration of this fix

Read through all the instructions so that you can ask any questions now, before you disconnect from the Internet.

Please start by downloading the tools you will need to clean this infection with FireFox. If you have a problem or question with any please continue to follow the list step by step to the end and ask the questions when you are asked to reply. Just be sure to let us know what the problem was when you finally reply.

Step#2:Show All Hidden Files Very Important

Please download and open the following zip file. Double-click on the file inside the zip and when it asks you if you would like to merge the file into your registry, please answer yes. This will make sure all files are visible on your computer.

http://www.davehigham.zen.co.uk/downloads/xphidden.zip

Step#3:Download CWShredder Do Not Use Yet

1. Please Download the most recent version of CWShredder, from CWSInstall.exe

2. Check for Updates but please Do NOT use it yet

Step#4:Download About Buster Do Not Use Yet

1. Please download About:Buster from here: http://www.malwarebytes.biz/AboutBuster5.zip.

2. Once it is downloaded extract it to c:\aboutbuster.

3. Check to make sure it is up-to-date. Please Do NOT use it yet

Step#5:Download Registrar Lite Do Not Use Yet

Another program to download is Registrar Lite for use later: Please download Registrar Lite and install it to C:\Program Files\RegLite\ . This is a registry editor that is very easy to use. Caution should be exercised when editing the registry as it is very easy to render a Computer unbootable by deleting the wrong key

Step#6:Download Ewido Security Suite Only For Windows 2000 and XP Do Not Use Yet

  • Download and install Ewido security suite
  • Right Click on the “E” icon in your taskbar and open Ewido Security Suite then click “update” to get the most recent definitions for it to use.
  • When it prompts you to update, click the OK button.
  • download the updates and when they are finished installing, close the window
  • Please Do Not Use It Yet

Step#6:Download A Registry File to Remove Registry Entries Do Not Use Yet

  • Please download the following zip file to your desktop:
    HSfix
  • Double Click on HSfix.zip and it will unzip to a new folder it makes on your desktop, called HSfix
  • Do Not Use It Yet

Please disconnect from the Internet

Step#7:Stop The Running Processes

Press control-alt-delete to get into the task manager and end the following processes if they exist:

javatr32.exe

ntis.exe

Step9:

I now need you to delete the following files:

C:\WINDOWS\system32\xgwda.dll

C:\WINDOWS\addes.dll

C:\WINDOWS\system32\javatr32.exe

C:\WINDOWS\system32\ntis.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Step#10:Cleaning With HijackThis

Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and click 'fix checked' button when ready (some may be gone after uninstalling some programs):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xgwda.dll/sp.html#12345

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {FEDB5C70-C8D3-5CE0-5433-3BFBF961AF4B} - C:\WINDOWS\addes.dll

O4 - HKLM\..\Run: [javatr32.exe] C:\WINDOWS\system32\javatr32.exe

O4 - HKLM\..\RunOnce: [ntis.exe] C:\WINDOWS\system32\ntis.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O15 - Trusted Zone: *.05p.com (HKLM)

O15 - Trusted Zone: *.awmdabest.com (HKLM)

O15 - Trusted Zone: *.blazefind.com (HKLM)

O15 - Trusted Zone: *.clickspring.net (HKLM)

O15 - Trusted Zone: *.flingstone.com (HKLM)

O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O15 - Trusted Zone: *.mt-download.com (HKLM)

O15 - Trusted Zone: *.my-internet.info (HKLM)

O15 - Trusted Zone: *.scoobidoo.com (HKLM)

O15 - Trusted Zone: *.searchbarcash.com (HKLM)

O15 - Trusted Zone: *.searchmiracle.com (HKLM)

O15 - Trusted Zone: *.slotch.com (HKLM)

O15 - Trusted Zone: *.static.topconverting.com (HKLM)

O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)

O15 - Trusted IP range: 206.161.125.149 (HKLM)

click "fix checked"

Step#10: Backup The Registry

In the next step we are going to remove a service that gets installed by this malware.

1. Open Registrar Lite and run it.

2. Copy and paste the bold text below into the address bar of Registrar Lite:(this is making a Registry backup for safety in case of error)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

Go to File> Export and and save as (in the C:\Program Files\Registrar Lite (Reglite) folder):

1.) Winkey.reg (Save as type: regedit4 .reg type)

2.) Winkey.hiv (Save as type: Scroll to select-regetd32/WinAPI *hiv *dat files)

Step#11: Use the HSfix.reg file

  • Navigate to the HSfix folder on your Desktop
  • Then double-click on the HSfix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
  • if you have a popup from any of your protection programs asking if you want to make a change to the registry, say Yes or Accept it

Step#12:Fixing With CWShredder

  • CLOSE ALL WINDOWS except CWShredder
  • Run the program by clicking 'fix' and letting it fix all CWS remnants.

Step#13:Fixing With About Buster

This is the step where we will use About:Buster that you had downloaded previously.

  • Navigate to the c:\aboutbuster directory
  • double-click on aboutbuster.exe
  • When the tool opens press the OK button, then Start button, then the OK button
  • then finally the Yes button. It will start scanning your computer for files.
  • If it asks if you would like to do a second pass, allow it to do so.
  • Post the log file in your next reply

Step#14:Scan With Ewido Security Suite

  • Launch Ewido again
  • Click on Scanner>Complete System Scan.
  • Let the program scan your PC.
  • When the scan asks to clean files click OK.
  • When scan is completed, click Save report. to your desktop.
  • Post the report in your next reply.

Reboot your computer back to normal mode and

Reconnect To The Internet

Step#15:Scan and Post a New HJT log with other logs

  • Scan again with HijackThis.
  • Post your logs from HijackThis, About Buster, and Ewido Security Suite here in this thread with any questions or problems that you have run into.
  • There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.

Good Luck!

Danny

Link to post
Share on other sites

  • 3 weeks later...

Thank you Danny.

Your how-to was very clear and I got it. I succeded getting rid of that nasty malware despite the difficulties. I had noticed a dll whose name changed every time but could not eradicate it. It happened to be the file you call xgwda.dll. Its localisation was either /windows, either /windows/system32.

The file you call addes.dll was not resident on my system. Perheaps the former use of anti-spyware had destroyed it. No trace of javatr32.exe or ntis.exe, only javatr.exe and ntis32.exe.

I had to follow the procedure twice because I forgot to boot in safe mode and I realised it was necessary when I fall upon the line "reboot your computer back to normal mode". I would suggest you explicitely mention that necessity on top of the procedure.

I had already installed Firefox and used it regularly but had kept IE alive. I think I shall destroy it. It is a real threat for everybody using a PC.

Congratulations for that pretty good job.

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.