about:blank and safe mode issues

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kibrah, Mar 4, 2005.

  1. kibrah

    kibrah Private E-2

    I am having trouble removing about:blank from my hubby's computer. I did read the "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal" and followed all the required steps with one exception: I can't restart in safe mode, so I did them all in normal mode. I have followed the instructions to the letter on restarting in safe mode. I even looked up Microsoft's help. I know that it probably can't be fixed in normal mode. Any advice on what to do to get this computer in safe mode would be helpful. I can get to the BIOS just fine, but F8 does nothing. His computer was put together by a friend of his and it won't even shut down. This guy seems to set up all computers that way somehow (hubby has gone through three). Following the directions in the thread did get rid of about 20 other problems (hubby has a bad habit of turning Norton off so his online games and such will go faster). I attached a quick report from aida32 in case you need the computer info.
    Thanks
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run ALL steps of the READ ME FIRST, follow the below steps:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. kibrah

    kibrah Private E-2

    I have attached the hijack this log.
    Thanks
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First please give this a run: avast! Virus Cleaner Tool
    Let me know if it finds anything. I see what appears to be a W32/Bagle.bd @ MM virus.

    Do you actually use the MiniClip Toolbar stuff you installed?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just in case the Avast scan does not find the W32/Bagle virus, I'm leaving it in the fix below. The problem file is the WinGO.exe file.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\PROGRA~1\WinGO\WinGO.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {7CE9CFD3-D22D-4C74-BB6F-47CF33399BBC} - C:\WINDOWS\System32\cmjn.dll
    O4 - HKLM\..\Run: [WinGO] C:\PROGRA~1\WinGO\WinGO.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O18 - Filter: text/html - {85EFDCDA-94A0-4AEA-8846-32A5E0D9894C} - C:\WINDOWS\System32\cmjn.dll
    O18 - Filter: text/plain - {85EFDCDA-94A0-4AEA-8846-32A5E0D9894C} - C:\WINDOWS\System32\cmjn.dll


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\PROGRA~1\WinGO\WinGO.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp <--- delete all files and sub-folders in this Temp folder (some may be denied - note which ones and tell me when you return)
    C:\WINDOWS\System32\cmjn.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
    Tell me if you cannot find any of these.


    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working. I expect that the se.dll problem will reoccur.
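
The fix list in the post above is easier to read when its entries are grouped by the file each one references. The following is an added example, not part of the original post and not HijackThis code: it parses a constructed sample made of lines copied from that list and reports files hooked from more than one section. The function names and the path pattern are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {7CE9CFD3-D22D-4C74-BB6F-47CF33399BBC} - C:\WINDOWS\System32\cmjn.dll
O4 - HKLM\..\Run: [WinGO] C:\PROGRA~1\WinGO\WinGO.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {85EFDCDA-94A0-4AEA-8846-32A5E0D9894C} - C:\WINDOWS\System32\cmjn.dll
O18 - Filter: text/plain - {85EFDCDA-94A0-4AEA-8846-32A5E0D9894C} - C:\WINDOWS\System32\cmjn.dll
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKLM\..\Run: [sp] ..."
ENTRY = re.compile(r"^\s*(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Drive-letter path ending in .exe or .dll (assumption: only these two types matter here).
FILE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)


def files_by_section(log_text):
    """Map each referenced file (lower-cased) to the sorted section codes that mention it."""
    refs = defaultdict(set)
    for line in log_text.splitlines():
        match = ENTRY.match(line)
        if not match:
            continue  # blank lines, headers, running-process list
        for path in FILE_PATH.findall(match.group("body")):
            refs[path.lower()].add(match.group("section"))
    return {path: sorted(sections) for path, sections in refs.items()}


def multi_hook_files(log_text):
    """Files referenced from more than one section: one file, several load points."""
    return {p: s for p, s in files_by_section(log_text).items() if len(s) > 1}


if __name__ == "__main__":
    for path, sections in sorted(multi_hook_files(SAMPLE_LOG).items()):
        print(", ".join(sections), "->", path)
```

On the sample, cmjn.dll shows up under both O2 and O18 and se.dll under both R1 and O4, so every entry for a file has to be fixed in the same pass.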
     
  6. kibrah

    kibrah Private E-2

    I uninstalled the miniclips. Never used it, nor did hubby know it was there.

    The scan didn't find anything.

    I followed your manual removal instructions. Using the hijack this! fix went fine. While in safe mode I did NOT find any of the programs you said to delete:
    C:\PROGRA~1\WinGO\WinGO.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp <--- delete all files and sub-folders in this Temp folder (some may be denied - note which ones and tell me when you return)
    C:\WINDOWS\System32\cmjn.dll

    Just in case I missed them I did a search of all files and folders (including hidden) and it came up blank on each one.

    The about:blank page is gone when using the internet. I am still having warning pop ups though. They are quite annoying.

    I have attached the new hijack this log.

    Thank you for helping me.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You said "none of the programs existed" but the below is still in your log:

    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall

    Are you sure you looked in the correct place? That is an abbreviated file name:

    This: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll
    is really: C:\Documents and Settings\Administrator\Local Settings\Temp\se.dll

    Are you positive you have viewing of hidden files and folders and viewing of all extensions enabled? Check again for this file because it and some stuff that comes with it are the source of your problems.

    Also I noticed iexplore.exe running in your HJT log. Did you forget that all browsers must be shut down before using HJT? Or is a piece of malware running iexplore.exe? It is CRITICAL that all browsers be closed when trying to fix problems using HJT. It can sometimes mean the difference between success or failure.
     
    Last edited: Mar 4, 2005
  8. kibrah

    kibrah Private E-2

    I had everything closed. I'm getting a lot of pop ups even when ie is closed.

    I will check again for the files. I feel like an idiot, I should have known that they were abbreviated.

    Thanks.
     
  9. kibrah

    kibrah Private E-2

    I looked for the files again and found:
    C:\PROGRA~1\WinGO\WinGO.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

    I still could not locate:
    C:\WINDOWS\System32\cmjn.dll

    I ran cleanmgr again.

    After rebooting in normal mode I got a message stating:
    Error laoding C:\DOCUME~1\ADMIN~1\LOCALS~1\Temp\se.dll
    The specified module could not be found

    Is this going to pop up all the time now when rebooting?

    I attached the new hijack this log in case you need it again.
    Thanks
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may popup again! I believe that the se.dll is the symptom we see but there is a hidden process/DLL we need to disable to prevent it from loading/recreating se.dll again.

    This is still in your HJT log, FIX it.
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall

    So reboot and let's see what happens. Am I correct in assuming you deleted se.dll and the WinGo.EXE files?
     
  11. kibrah

    kibrah Private E-2

    Your assumption is correct I deleted wingo.exe and se.dll.

    I ran hijack this and fixed what you recommended.
    Here is the new log.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! It's gone right now but I would be willing to bet that after a reboot and opening a browser and connecting to the internet that it will probably be back. If it does come back, please try to get the following info:

    Locate the se.dll file again and note the date/time information for the file. Look for other files in the same folder with similar date/time info.

    Also look in c:\windows and c:\windows\system32 for any files with similar date/time info. Post those file names back here. (do not try to simply delete these files until we are sure what they are and if not done properly they will just rename and respawn anyway).

    Also look for the problem DLL like in message # 5 (C:\WINDOWS\System32\cmjn.dll) to be back. The name will more than likely change but you will see the DLL name in the O2 - BHO line and the O18 lines of the HijackThis log.

    For whatever DLL file name shows up, check its date/time too and look for other files with similar date/time info.

    NOTE: you can sort Windows Explorer listings by Date to make this easier.
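
The date/time comparison described in the post above can also be scripted instead of sorted by eye in Explorer. This is an added example, not part of the original post: it lists, without deleting anything, the files whose modification time falls within a window of a reference file's. The five-minute window, the use of modification time, the function names and every demo file name except se.dll are assumptions of this example.

```python
import os
import tempfile


def files_modified_near(reference, search_dirs, window_seconds=300):
    """List (path, offset_seconds) for files modified within the window of `reference`."""
    ref_mtime = os.stat(reference).st_mtime
    ref_real = os.path.realpath(reference)
    hits = []
    for directory in search_dirs:
        try:
            entries = list(os.scandir(directory))
        except OSError:          # folder missing or access denied: skip it
            continue
        for entry in entries:
            try:
                if not entry.is_file(follow_symlinks=False):
                    continue
                delta = entry.stat(follow_symlinks=False).st_mtime - ref_mtime
            except OSError:      # file vanished or is locked
                continue
            if abs(delta) <= window_seconds and os.path.realpath(entry.path) != ref_real:
                hits.append((entry.path, round(delta)))
    return sorted(hits, key=lambda hit: abs(hit[1]))   # closest in time first


def demo():
    """Constructed stand-in folders; every file name except se.dll is made up."""
    base = 1109900000            # constructed reference timestamp (epoch seconds)
    layout = {"Temp/se.dll": 0, "Temp/neighbour.tmp": 20, "Temp/old.tmp": -86400,
              "System32/dropped.dll": -45, "System32/untouched.dll": -9000000}
    with tempfile.TemporaryDirectory() as root:
        for rel, offset in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.utime(path, (base + offset, base + offset))
        reference = os.path.join(root, "Temp", "se.dll")
        folders = [os.path.join(root, "Temp"), os.path.join(root, "System32")]
        return [(os.path.basename(p), d) for p, d in files_modified_near(reference, folders)]


if __name__ == "__main__":
    for name, offset in demo():
        print(f"{offset:+5d}s  {name}")
```

On a real system the reference would be the se.dll path and the folders would be its Temp folder plus c:\windows and c:\windows\system32, as listed in the post.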
     
  13. kibrah

    kibrah Private E-2

    Everything seems to be working fine. I have rebooted and have been using the internet for about an hour to see if anything would happen, but all is well. No more pop ups and hijack this isn't showing any of what you listed below. A search for se.dll came up blank. I will keep an eye out for what you mentioned. Thank you so much for helping. I wish I could repay you somehow. If there is anything I can do for you let me know.

    Rachel
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Rachel,

    You're welcome.

    Just let me know if it comes back and please try to get the info I requested if it does come back. Sometimes I have seen this problem take a few hours or a day or two and then it comes back.

    But I hope you remain free from this problem.
     
  15. kibrah

    kibrah Private E-2

    I will watch close for the next week or so then. I will be sure to get all the info you asked for if it does return. I sure hope it doesn't though.

    Rachel
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  17. drjimref

    drjimref Private E-2

    CL,

    See you are hard at work.

    Meant to ask you why she has about:blank and I had a number in the R0 lines while running hjt for my problems.

    JimD

    Thanks for the review of my problem. I will get the minor problem out when I get there. The Zone alarm works great using the trusted area for the computers in the local net.

    How is the weather there? It is 60 degrees here and everything is starting to grow. I have to mow tomorrow and all the trees and plants are budding out.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Jim,

    Did you post here by mistake? I'll answer your questions in your thread.
     
