another clueless spyware victim!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lulah93, May 18, 2005.

  1. lulah93

    lulah93 Private E-2

    Hi,
    Before I start I'd like to say, thank you to all the people on this site who are genuinely here to help unknowledgeable people like me!
    I'm having trouble removing the about:blank thing - I've tried the "read me first" steps which were very helpful, but it hasn't stopped it coming back. I've downloaded all the programmes on the list, and all of them seem to have worked except SpywareBlaster - whenever I click on this it says something about the data is damaged possibly due to a virus, please re-install. I've tried reinstalling but it keeps saying the same thing so I'm not sure what to do about that. I've done the Trend Micro scan a couple of times (I've been trying to do this for a couple of days) and it's found some trojan start page viruses which I've managed to get rid of by using their virus encyclopedia. I've gone into the regedit thing and got rid of things under Internet Explorer and Windows (the search uninstall thing, and anything that has about:blank or se.dll in the title). I've also deleted the bpgd file and se.dll files in safe mode several times - the bpgd doesn't come back, but se.dll is always back after restarting. I've just run it again and this time it's come up TROJ_PGE.DG (twice, but I've deleted one manually) and TROJ_PAG.IQ... the .DG I didn't delete is named se.dll... this is exhausting!
    The security check says I'm at risk from hacker exposure (ping, ssh, http - status open; socks - stealth; the rest closed) and no known anti-virus, but I'm using avast.
    When I run Ad-Aware it generally finds 10 new objects (most of the time it says browser hijack, sometimes there are a couple of data miners in the results), if I quarantine them and then run Ad-Aware again it still finds the ones I've just quarantined... I'm not sure if this is just the about:blank spyware on my comp. I installed something that tells me if the home page is trying to be changed and I can allow it or not, but when using IE it does it so much I have to go back to using Firefox - I would just use this and ignore the IE problem but I've noticed a change in how fast web pages load, would this be just about:blank or could there be more spyware? Oh, I've tried running About:Buster as well, but that doesn't get rid of it.
    I've also tried the HijackThis thing, and checked all the about:blank files to fix them in that but of course they come back somehow... should I post my logfile?
    Thanks for any help people, this is giving me a major headache!

    :confused: Lulah.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. lulah93

    lulah93 Private E-2

    thanks, here it is.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may have to disable Ad-aware and BROWSER HIJACK RETALIATOR 1.1.EXE (I do not know too much about this last program) before doing the below because they could stop the program from making the necessary fixes.

    Download this file: SpSeHjfix109

    Unzip it to your desktop or to a folder.

    Boot into Safe Mode

    Start SpSeHjfix, click on " Desinfecton starten" (the other button means close) then it will reboot and finish the cleaning.

    Run SpSeHjfix one more time.

    Reboot in Normal mode.

    Run HijackThis again and post a new log. Also post the log from SpSeHjfix, the log should be on your desktop or the same folder as SpSeHjfix.
     
  5. lulah93

    lulah93 Private E-2

    Hi,
    thanks for the info - I've run the programme you gave me and when it restarts I get the message

    C:\>
    C:\>
    All files in directory will be deleted!
    Are you sure? (Y/N)

    I did this both times I ran it (in safe mode)... I said no both times, and the about:blank isn't gone. I also tried to get the logfile from "spse..." but when I pressed the log button (several times) nothing happened. I've attached the HijackThis log though.
    After rebooting, the Browser Hijack Retaliator says something's trying to change my home page from about:blank to nothing (it normally has a web address there). It then says it's trying to do the same with my search page. If I say allow it just keeps coming up with no break in between and I have to say no and leave it as about:blank otherwise I can't use the computer. I do get quick glimpses of it saying res://C:\Windows.000\temp\se.dll/sp.html before about:blank comes up though.
    thanks for any help,

    Lulah.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I indicated in my previous message, the tools you already have installed may be making the cleanup difficult. You may need to uninstall or at a minimum disable them as they appear to be blocking some fixes.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS.000\TEMP\se.dll


    Now empty your Recycle Bin.


    This next step may not work properly if you still have tools running to block these changes. You must allow these changes to occur.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  7. lulah93

    lulah93 Private E-2

    Hi,
    thanks for all this help, but it still seems to be coming back! As soon as I restart it's there again... I uninstalled everything (at least I think I have) and ran it all disconnected from the internet, after shutting down zone alarm and stuff. Do you think this is why web pages run slow though? Cos otherwise I'll ignore it and just use firefox... but yeah, it's much slower than when my brother's comp is connected to broadband (the same connection we're swapping comps around). Does the about:blank programme seem to be the only spyware/virus?
    Again, thanks for all this, it must get boring telling people to do the same stuff all the time, but it's really appreciated :)

    Lulah.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This about:blank hijacker may be the only remaining issue and you must get it removed. There will be times when you are going to need IE and this is not an item you want to leave hanging around.

    There is possibly a hidden file hanging around that we need to remove. Run the steps below and also answer a question. Are you familiar with booting to a DOS prompt and do you know how to run DOS commands to change directories and delete files? It's okay if you are not familiar with this, but I need to know so I can write up a procedure according to your knowledge level.

    Please do the following:

    Download: "StartDreck", from here: http://www.niksoft.at/download/startdreck.htm
    Look to the bottom of that page and click the Download link. It should give you StartDreck217.zip

    Unzip to its own folder and start the program.
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread.
     
    Last edited: May 21, 2005
  9. lulah93

    lulah93 Private E-2

    No I don't know anything about DOS, sorry..
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are going to have to boot to an MS-DOS prompt to work on fixing this problem.
    You should print or write these instructions down because you will be offline and not running Windows while doing this. Please read through all of the steps first and ask any questions you may have before beginning. Make sure you understand all steps before starting.

    Click Start and select Shutdown and in the window that comes up choose the one that says Restart the computer in MS-DOS mode.

    When it boots you will be at the command prompt (full screen). Enter the below commands, each followed by the Enter key. Let me know if you have any problems or get any error messages during these steps (tell me the exact error message).

    Now in command prompt window do the following:
    cd C:\WINDOWS.000
    attrib -s -h -r WININOT.BAK
    del WININOT.BAK

    cd C:\WINDOWS.000\SYSTEM
    attrib -s -h -r FHCKNA.DLL
    del FHCKNA.DLL

    cd C:\WINDOWS.000\TEMP
    attrib -s -h -r se.dll
    del se.dll

    win

    After typing win and hitting enter your system will boot back to Windows. The very first thing you need to do after booting Windows is the following (make sure you do not run anything else):

    Run HijackThis and select the following lines and then click FIX
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {6EE2F663-C8A4-11D9-8E18-4445CE9F54BB} - C:\WINDOWS.000\SYSTEM\FHCKNA.DLL
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS.000\TEMP\SE.DLL,DllInstall
    O15 - Trusted Zone: http://*.windowsupdate.com
    O18 - Filter: text/html - {6EE2F662-C8A4-11D9-8E18-4445A1D3F120} - C:\WINDOWS.000\SYSTEM\FHCKNA.DLL
    O18 - Filter: text/plain - {6EE2F662-C8A4-11D9-8E18-4445A1D3F120} - C:\WINDOWS.000\SYSTEM\FHCKNA.DLL



    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot your PC again into normal mode and post a new HJT log. And tell us how things are working. And how all the steps went too.
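    As an added example (not part of this thread, and not HijackThis itself), a small Python triage of HijackThis-style log lines like the ones listed above: it flags the R0/R1 search-page rewrites, the unnamed BHO, the rundll32 ...,DllInstall Run entry and the text/html filter, then collects the DLL paths those lines share, which is the same pair of files the DOS steps delete. The sample lines are constructed from the entries quoted in this thread plus one benign Run entry (ExampleAV) that is invented to show a line being left alone.

```python
import re

# HijackThis log lines start with a section code such as R1, O2, O4, O18.
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# IE registry values the about:blank hijacker rewrites; a Windows DLL path.
SEARCH_KEYS = ("Search Page", "Search Bar", "SearchAssistant", "HomeOldSP")
WINDOWS_DLL = re.compile(r"[A-Za-z]:\\[^\s,]+\.dll", re.IGNORECASE)

# Constructed sample: entries quoted in this thread plus one invented benign Run entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: (no name) - {6EE2F663-C8A4-11D9-8E18-4445CE9F54BB} - C:\WINDOWS.000\SYSTEM\FHCKNA.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS.000\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe
O18 - Filter: text/html - {6EE2F662-C8A4-11D9-8E18-4445A1D3F120} - C:\WINDOWS.000\SYSTEM\FHCKNA.DLL
"""

def classify(line):
    """Return why a line looks like the about:blank hijacker, or None if it looks benign."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        value = value.strip().lower()
        if value.startswith("res://"):
            return "start/search page served from a res:// resource inside a DLL"
        if value == "about:blank" and key.endswith(SEARCH_KEYS):
            return "search setting forced to about:blank"
    elif code == "O2" and "(no name)" in body:
        return "unnamed browser helper object"
    elif code == "O4" and re.search(r"rundll32 .*,DllInstall", body, re.IGNORECASE):
        return "Run key re-registers a DLL via rundll32 ...,DllInstall at every logon"
    elif code == "O18" and re.search(r"Filter: text/(html|plain)\b", body):
        return "MIME filter hooked on text/html or text/plain"
    return None

def triage(log_text):
    """Return [(line, reason), ...] for every suspicious line in an HJT log."""
    pairs = ((l.strip(), classify(l)) for l in log_text.splitlines())
    return [(l, r) for l, r in pairs if r]

def files_to_remove(findings):
    """DLL paths shared by the flagged lines: the files the manual cleanup deletes."""
    return sorted({p.lower() for line, _ in findings for p in WINDOWS_DLL.findall(line)})
```

    On the sample, triage(SAMPLE_LOG) flags five of the seven lines and files_to_remove() reduces them to the two DLLs (se.dll and FHCKNA.DLL) that the DOS commands above delete.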
     
  11. lulah93

    lulah93 Private E-2

    I can't quite believe it, but I think it may actually be gone... thank you so much, not only have I got rid of the stupid thing but now know a bit more about preventing this from happening again after finding this site. :D
    here's the HJT log anyway, though I don't think you'll need it now.
    thank you, thank you,
    Lulah.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean. Now to help keep you clean you should make sure you have performed the equivalent of all the steps in the below thread:

    How to Protect yourself from malware!
     
