about:blank probs w/ safe mode and trend micro

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by apopanax, Feb 10, 2005.

  1. apopanax

    apopanax Private E-2

    XP user on a dell
    intel celeron processor
    498 mhz, 320 mb of RAM

    I have been hijacked by about:blank. initially ran ad-aware and spycatcher to no avail, and it appears i have about 4 times as many files overall as i did before these failed fixes.

    thrilled to find your site. i am following the steps in "read me first before asking for support". i have completed steps 1-4 (completely). i am having probs with step 5. i rebooted in safe mode. when i tried to get back online, nothing happened. (i am on dial-up w/ a 56k modem) i checked my internet settings and found that "never dial a connection" was selected. i could not alter the settings. so i rebooted and tried to proceed in regular mode. when i clicked on the link for the trend micro scan, the page started coming up but after an inordinately long wait i got the box asking if i want to download their scan program. i clicked yes and IE then encounters a problem and has to shut down. i tried 3 times in the wee hours this morning and then gave up and went to bed. i just tried it again and am still having IE close. so i am stumped. i thought about skipping that step but since i read in another post that running these programs without being in safe mode was a waste of time... here i am, asking for help. i hope i am not doing this prematurely and i appreciate your time.
     
  2. yukon98

    yukon98 Specialist

  3. justin cider

    justin cider Private E-2

    hi, 'antivir personal edition' corrected my about blank problem. about blank was supported by the holax trojan virus.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    True about:blank hijacks (that does not include the Holax Trojan which is easily detected and fixed) are not repairable by any program out there. CWShredder will do nothing for it although sometimes it does detect a CWS problem. The majority of these hijacks require the combination of some software tools and some manual manipulation. The starting point is to get your system into a known state. Thus my instructions below:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  5. apopanax

    apopanax Private E-2

    :rolleyes: I think I may be ready to give up and format the hard drive and reinstall XP.
    I have two questions tho.
    -if i reformat the HD and do a clean reinstall, will that definitely eradicate about:blank/home search?
    -i have several music, picture (.jpg, .tiff, and psd), and written document files i want to save. if i open a writable CD folder and drag those files in & scan them with antiviral/antispyware programs before burning them to cd, can i put the files back on my computer without reinfecting myself? if so, what should i scan with?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are giving up too easily! You have not even followed my instructions. I have fixed probably a few hundred of these.

    Yes you can backup your data and reformat and get rid of the problem. But you will then be out of date with all system updates and configurations you have tweaked. You also will have no protections in place and could more than likely just get reinfected again like you did this time.

    Let's try to fix it first and get your system better protected to help avoid problems like this.

    As an aid to working around this problem you can download and use Mozilla FireFox in place of Internet Explorer. It is recommended that you do this anyway in the long run. But that will not remove the malware from your PC. We still need to do that.

    Follow my previous instructions and get me the HijackThis log.
     
  7. apopanax

    apopanax Private E-2

    i attempted to do all the steps. first i tried to take justin's advice for the antivir program but when i tried to install it said there was a damaged file. i downloaded it again but got the same result. so i went back to the READ ME FIRST... still couldn't get back online in safe mode, tried numerous times to run the trend micro and symantec scan in reg. mode. trend micro kept shutting browser down and symantec was unable to install the activeX controls required to do the scan. so i rebooted in safe mode and ran the other programs as instructed but when i tried about:buster it stopped after scanning 65% of my files. eight hours later it had only scanned 69%. HSremove also appeared to stop for several hours after reporting that it found no ADS. so i reset my homepage, rebooted in normal mode, and opened IE right back to the HOME SEARCH page. then went to the GENERIC SOLUTION suggested if i hadn't gotten rid of about:blank. i just ran hijack this and read the info on interpreting it and decided i'd rather format the hard drive and reinstall XP if it would work. after receiving your most recent reply, i redownloaded about:buster and got the same results when i ran it, i.e. it stopped at 66%. in case it matters the files it was scanning were in the system32 folder, it slowed @ parachute.dat and stopped on pathping.exe. i then reran HSremove and this time it finished scanning. The good news is that homesearch appears to be gone. i had sorta thought hs and about:blank were the same because it says about:blank in the address bar and home search was the page that appeared. now it still says about:blank but the page is completely blank. i have downloaded all the programs in your "generic sol.." but i got lost trying to figure out my hijack this file which i reran just a minute ago and will now attempt to post. thanks so much for your support. the fact that there are folks like you who are willing to help is all that keeps me from going into a red rage that other people commit themselves to things like jacking my computer.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your problems are not gone! Your log shows these:


    C:\WINDOWS\system32\iens.exe
    C:\WINDOWS\iepp32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {1F3EA21C-F800-4535-B35B-675591E8741E} - C:\WINDOWS\winex.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [iepp32.exe] C:\WINDOWS\iepp32.exe
    O4 - HKLM\..\RunOnce: [iens.exe] C:\WINDOWS\system32\iens.exe

    Let's try the below procedure:
    Make sure system restore is disabled and viewing of hidden files is enabled.
    Hopefully things have not mutated since you posted your log. If you have problems finding the stuff I indicated below, you will need to post a new log and then DO NOT REBOOT. These infections spread and mutate during reboots.
    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 23.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    You then need to use TaskManager (CTRL-ALT-DEL) and select Processes and End the below processes (if still showing up):
    C:\WINDOWS\system32\iens.exe
    C:\WINDOWS\iepp32.exe

    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ntrol.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {1F3EA21C-F800-4535-B35B-675591E8741E} - C:\WINDOWS\winex.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [iepp32.exe] C:\WINDOWS\iepp32.exe
    O4 - HKLM\..\RunOnce: [iens.exe] C:\WINDOWS\system32\iens.exe

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete:
    C:\WINDOWS\ntrol.dll
    C:\WINDOWS\winex.dll
    C:\WINDOWS\system32\iens.exe
    C:\WINDOWS\iepp32.exe

    If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan). If it hangs again, continue to the next step and tell me when you come back.

    - NOW PULL THE POWER PLUG TO YOUR PC! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)! If AB still hangs, just continue (but still do the immediate reboot that follows in the next step).

    - Immediately reboot in normal mode. (you do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
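As an added example (not from this thread, and not part of HijackThis): a small Python triage script that applies the patterns chaslang reads from the log above, and that the poster later watches mutate (a search page served from a five-letter DLL via res://, the cleared URLSearchHook, Run/RunOnce entries launching executables from the Windows folder, an O23 service whose file is missing), to a constructed sample log built from the entries quoted in this thread. The rules are heuristics; they produce a review list for a human, not a fix list.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries quoted in this thread, plus one clean Start Page
# entry so a benign line is visible alongside the bad ones.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\ntrol.dll/sp.html#28129
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = res://C:\\WINDOWS\\system32\\ejjkg.dll/sp.html#28129
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.majorgeeks.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1F3EA21C-F800-4535-B35B-675591E8741E} - C:\\WINDOWS\\winex.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\\..\\Run: [iepp32.exe] C:\\WINDOWS\\iepp32.exe
O4 - HKLM\\..\\RunOnce: [iens.exe] C:\\WINDOWS\\system32\\iens.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\\WINDOWS\\sdkgd.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]*?\.(?:dll|exe)', re.IGNORECASE)
# Five-letter DLL directly in C:\WINDOWS or system32: the naming the poster watched
# mutate (ntrol -> ejjkg). Legitimate DLLs match too (ntdll.dll), so review only.
RANDOM_DLL_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[a-z]{5}\.dll$", re.IGNORECASE)
WINROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section: R0, R1, R3, O2, O3, O4, O23 ...
    line: str    # the full log line, so it can be pasted back for fixing
    reason: str


def triage(log_text):
    """Return one Finding per log line that trips a heuristic, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        paths = PATH_RE.findall(body)
        reason = None
        if kind in ("R0", "R1") and "= res://" in body:
            reason = "IE start/search page served from a local DLL resource"
        elif kind in ("R0", "R1") and body.endswith("= about:blank"):
            reason = "default page forced to about:blank (the reported symptom)"
        elif kind == "R3" and "is missing" in body:
            reason = "default URLSearchHook removed; hijackers clear it"
        elif kind == "O3" and "(no file)" in body:
            reason = "orphaned toolbar entry; harmless but worth cleaning up"
        elif kind == "O23" and "(file missing)" in body:
            reason = "service registered for a file that no longer exists"
        elif kind == "O4" and ("RunOnce" in body or any(WINROOT_EXE_RE.match(p) for p in paths)):
            reason = "autorun via RunOnce or from the Windows folder root"
        elif any(RANDOM_DLL_RE.match(p) for p in paths):
            reason = "five-letter DLL in the Windows folder; compare with known files"
        if reason:
            findings.append(Finding(kind, raw, reason))
    return findings


def files_to_review(findings):
    """Unique on-disk paths named by flagged entries, as a checklist for the
    'look for and try to delete' step; '(file missing)' targets are skipped."""
    seen = {}
    for f in findings:
        if "(file missing)" in f.line:
            continue
        for p in PATH_RE.findall(f.line):
            seen[p.lower()] = p
    return sorted(seen.values(), key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:<4}{f.reason}\n    {f.line}")
    print("files to check on disk:", *files_to_review(found), sep="\n  ")
```

Running it prints the nine flagged entries with their reasons and a five-file checklist; the clean majorgeeks.com Start Page line is the only one not reported.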
     
  9. apopanax

    apopanax Private E-2

    i am in the middle of the procedure outlined in the last post. the afflicted pc is offline as directed and i am posting from a laptop.
    my latest hj-this log shows that the files have indeed mutated, but between the old and new logs and your advice on the files, it was pretty easy to tell what was what. (i hope)
    basically, all the R0 & R1 files containing ntrol.dll moved from the windows folder into the system 32 folder and say ejjkg.dll instead of ntrol. all the other files stayed the same and i removed them as instructed.
    now i am looking in windows explorer, i found iepp32.exe and ntol 32. but not the other two sites. i figured there would be an ejjkg instead of an ntrol; but i found both and deleted them. my question is about a few other files in the windows folder that look suspiciously similar. one is jliqp which is the precursor to ntrol and the only other one i know was a mutation of the infection. then there are a few others that are five letters.dll and are 66.5 kb plus were created in the last month. these are threats if i don't find and delete all of them, right?

    also, i did a search for winex as "all or part of the file name" and it didn't come up. then i searched for it as "a word or phrase.." and found it but could not delete because it "cannot read from source file or disk"

    i know i was supposed to post all this AFTER i finished, but since i had access to a separate computer, i thought i'd check with you before finishing. thanks.
     
  10. apopanax

    apopanax Private E-2

    :D please disregard my last post. i got into playing spider solitaire awhile back and developed a hypnotic response to it and other boring, time-consuming computer activities. so i was nodding off repeatedly as i wrote that and i feel the need to explain because my last post was complete gibberish.
    but all that aside. chaslang, you are my hero. i never got about:buster to run all the way through but after finishing all the other steps you advised, my browser came up with hsremove as the homepage and it said "if you are seeing this{your computer is free of..}" or something like that. other than buster, the only snag i hit was not being able to find C:\WINDOWS\winex.dll. i did a search for winex as "all or part of the file name" and it didn't come up. then i searched for it as "a word or phrase.." and found it but could not delete because "cannot read from source file or disk"
    in the last HJT scan i ran before clicking "fix", i noticed a few things about how the files mutated. of the files you listed to be fixed, only the R0 and R1 files changed from one scan to the next. The filename was always five letters and always at the end of each line was the #28129. the location went from the windows folder then into the system 32 file then appeared in the windows folder again. thank you for your help and encouragement. when i first looked at the HJT log, it was so overwhelming i was ready to wipe out my hard drive. but tonight when i printed my logfile and saw that the files had mutated, i was able to identify the bad files without re-posting my log. there were also several files in the windows folder that were dll's with 5 letters in the file name. of these, the ones i deleted all were 66.5 k. anyway thanks again. i'll let you know in a few days how things are going.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the latest HJT: HijackThis 1.99.1
    and use it from now on.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\sdkgd.exe (file missing)

    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.


    For those other files you are concerned about. Start by moving them out of the current directories and into a c:\junk\windows or c:\junk\windows\system32 folder (so you can remember where they came from). That way you will find out if you need them and can recover if necessary. After a while you should be able to decide if you can delete them permanently.
     
  12. apopanax

    apopanax Private E-2

    arrgh! i downloaded HJT 1.99.1 (which i think was what i was using before) and fixed the three files you specified. then i rebooted and opened Internet Explorer. once again about:blank was in the address bar. what happened? does the hsremove screen just hide the homepage hijack?
    what next? should i just run through all the steps again?
    i'm attaching the HJT log i obtained after clicking "fix" and rebooting. the Network Security System thing seems to keep coming back so i thought i should mention that when i initially found it on the processes list it was already stopped but i did disable it as instructed. before running every subsequent removal i have checked it again and although it's always stopped, it always goes back to auto and i have to disable it again.
    in regards to those other files i was concerned about, i deleted them before i got your answer. luckily, all my programs are running fine.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You only had HJT 1.99.0 before and that is what you still have. Please download the new version from the link I gave you. Why did you post a log from safe mode? I requested normal boot mode. We almost never use safe mode logs.

    Why are you saying you are hijacked? There are no signs of a hijacker other than the O23 line. Try using the new HJT and let's see what happens.

    Also try the below! Maybe that is why you think you are hijacked:

    Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  14. apopanax

    apopanax Private E-2

    before i posted last time, i followed the link in your last post and downloaded it again. the zipped folder is hijackthis-1.zip as opposed to just hijackthis.zip so the new didn't replace the old and therefore i guess i must have run the wrong one. i'm gonna erase the old stuff right now and download it again...

    as to why i ran it in safe mode:
    {
     
  15. apopanax

    apopanax Private E-2

    okay i ran the new HJT log. rebooted and now i'm posting my log. also, i opened internet explorer and it brought me right to majorgeeks.com like it was supposed to. thanks.
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First a question, why is notepad running? Are you running it before doing a scan with HJT for some reason? Or is it loading for some reason at startup? I'm referring to this line:

    C:\WINDOWS\system32\NOTEPAD.EXE

    Problem: Did you forget to have HijackThis fix the below line. Try fixing it again! Make sure all browsers are shutdown before fixing.
    O23 - Service: Network Security Service (NSS) (?%AF夶À¨) - Unknown owner - C:\WINDOWS\sdkgd.exe (file missing)

    Then reboot and get a new HijackThis log and post it.

    Question:
    Did you buy SpyCatcher or is that a demo that you are running? Do you find it to be good?
     
  17. apopanax

    apopanax Private E-2

    re: notepad, i guess i must have had it open. i may have been looking at the hijackthis log. don't really know.

    re: O23 - Service: Network Security Service (NSS) (?%AF夶À¨) - Unknown owner - C:\WINDOWS\sdkgd.exe (file missing)

    no, i didn't forget. it just won't go away. just to be sure, after i read your post, i shut the browser, ran HJT again, checked and fixed that line, rebooted, and ran hjt again. (log attached is from the latest scan)

    re: spycatcher, i really have no opinion on it. i'm running a demo which i downloaded when i got about:blank but before i found majorgeeks.com. it didn't fix a:b of course. but i guess that doesn't mean much either way.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:

    Network Security Service (NSS)

    If that does not work try entering the short name: ?%AF夶À¨

    Then reboot and let's see if the service is truly gone.
     
  19. apopanax

    apopanax Private E-2

    i did as you said. i think it worked, but i'm attaching the HJT log i ran after the reboot, just to be sure.
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  21. apopanax

    apopanax Private E-2

    allllriiightt!
     
  22. apopanax

    apopanax Private E-2

    wanted to let you know, i took all of your advice on preventing future infections. it seems like my system is quite a bit slower with zonealarm on it. is that to be expected?
    also, i'm on myspace.com and i keep getting a message that says "additional plug-ins needed to view all of the content on this page." and it's true that i'm not seeing everything. should i click to download the plugins? it occurred to me that what i don't see may just be pop-ups due to my improved security.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Any firewall will add to using up system resources and the process of protecting you does not come for free. If you were to go and uninstall all the protection programs (antivirus, spyware blocker, firewall...etc) your PC would fly. That is, until you got infected with something a few minutes later.

    In many cases firewalls definitely slow startup as they load, but on slower PCs with insufficient memory there may also be an impact. If ZoneAlarm seems to be causing you too much grief, download the free version of Sygate. Then unplug your cable to the internet and uninstall ZoneAlarm. Then reboot and install and configure Sygate. Now reconnect your cable.

    See if that helps. Sygate is typically less resource hungry than ZoneAlarm.

    As far as the problem with myspace.com, your ZoneAlarm settings are probably set how you want them and changing them for myspace.com may open the doors for other bad sites to mess you up. Unless you know first hand what the plugins are that they want to download and what they are used for and you are sure they are safe, do not download them.
     
