about:blank help please

hi there
i have a hidden dll on my registery somewhere and i dont know how to remove it.
i have done a scan with reglite and there follows a copy of the log, help need to identify and take me step by step through a procedure that will get my PC back to normal. thanking you in advance.

• Edit by bjgarrick: Inline HJT log removed. READ & RUN ME sticky not followed.

 

Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

Before starting these instructions, look in Add/Remove Programs and uninstall Logitech Desktop Messenger.

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

• Make sure you check version numbers and get all updates.

Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

Downloading, Installing, and Running HijackThis

• Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around..

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

• CounterSpy Log - only for Windows XP, 2K, & NT users
• AVG Antispyware Log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
• Bitdefender Log - from step 6
• Panda Scan Log - from step 6
• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat
• HijackThis Log

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

hi bjgarrick, sorry i did not follow your procedure. i am in the process of still doing this and will hopefully will post some logs as and when they are finished, i have found it very troublesome maintaining an internet connection to download the CCounter. cheers for now and thankyou for your assistance so far. ptc

 

hi BjG , i can not load the Bitdefender Scanner from the website, it is asking for an ActiveX Control... "BitDefender OnlineScanner v8" from softwin, is this safe to do, if not what will be the next step, as your instructions specifically say to run bitdefender first and panda second.
ptc

 

hi just managed to get biddefender to work, by allowing the activeX to be uploaded, after following instructions on their website. ptc:major

 

hi bjGarrick

i have finally worked throught the sticky thread, it has taken all day.
have attacted the following logs

Bitdefender.txt
Activescan.txt
Counterspy.txt

will be making a second addition with some extra attachemnts, best wishes ptc

 

hi bjGarrich, here are the extra attachments.

i have had some difficulty in finding any tabs when in CCounter to locate the log.

i have completed on the steps in the sticky thread, will be having a look at alternative have done ad-aware and now doing ewido anit spyware, problem with pop ups still there, though i have not been able to change my opening internet explorer page to one i want and the about:blank is no longer there.

will be in touch no doubt as still needin your kind assistance. ptc

 

First I need you to do a few things, go into Add/Remove Programs and uninstall Logitech Desktop Messenger.

Now we need to relocate and rename HJT.

This needs to be relocated to C:\Program Files\HJT and renamed to analyzethis.exe. Once you have completed this, attach a fresh log.

Next, run the below...

Download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
  [*]It will create a folder named HostsXpert in whatever folder you extract it to.
  [*]Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
  [*]Click the X to exit the program

Once you complete the above, you need to run ShowNew & GetRunKey as stated from the READ ME.

When you have completed the above, you should attach the following new logs.

• ShowNew Log
• GetRunKey Log
• HijackThis Log

 

Thursday. hi bjB
i have completed the instructions, logic already deleted, have changed the name of hijack-this to analyse.exe and is located in programmes.
i have uploaded HostXpert and followed the instructions.
once i have clicked refresh MS hosts etc an error message apprears
Error. Cannot create file C:\WINDOWS\system32\drivers\ETC\hosts
and so i have not been able to precede.

i have attached the additional logs as requested., will hear from you soon i hope.
2 problems are still there, pops ups for Security Alert and Windows Explorer crashes when i do a search for file on my computer, need to do this as i have uploaded so many different things i can not remmeber where they are.....PTC :major

 

Before running Hoster you much close all antispy and antivirus programs you have running.

Also if you have ran by the steps they should be where you ran them.

The logs I need are fresh logs from GetRunKey, ShowNew and HijackThis.

 

Hi BJGarrick
i have exited the spyware in the systems tray, spybot, and 2 others
i have run hoster and the same error message is coming up, as per before. i am sorry that i do not know what to do next, look forwart to your suggestions.

i was in one of the scan programmes yesterday, and it is trojan which is in my computer and doing the popups from the systems tray, it was in quarrantine and i have now emptyied this quarrantine box and i did not write down the extact name, nor could i copy it from the quartine box to include in a note pad txt.

Is it safe for me to go on line to my personal email, ebay user and paypal yet? if you havent guessed i am an ebayer dealer.
best wishes ptc:major

 

You're still now following my instructions. See the threads below and attach the logs. Also attach a fresh HijackThis Log.

• Using GetRunKey
• Using ShowNew

 

hi there BJGarrich

please find attached the new logs for the above.
As an extra task, i have closed all the anitvirus software and redownloaded HostXpert and then run this programme, it comes up with the same fault as before, i just thought i would try this again.
There is another fault on the PC which has been there right from introduction of the trojan, when i search for items on my PC using explorer, the virus causes to crash and closes the programme, just thought i would let you know about this one too.
look forward to hearing from you, as i am still in need of your kind help. ptc:major

 

hi just downloaded AGV and it has found a trojan

Trojan horse Generic7.QKV
which is now in quarantine, so good news, will see if any other orgininal problems are present, would still like to hear from you, many thanks so far. ptc

 

Before we begin, does any of the below information look familiar?

 

Also, before we process, please uninstall Ewido, CounterSpy or anything else you installed during the READ & RUN ME or anything you have installed up to this point. You can leave your AntiVirus if you're going to keep AVG.

 

hi the only informaton that is familiar is that tiscali is my broadband provider, i do not recognise anything else, never seen or have heard of ripe, who is query mail server......

Yesterday, 3 items showed up on my PC in places that i have not put them, something called "Thumbs.db"
it was in 2 folders i use to process images and resize them to a larger magnification using the software Resizer. i have not been able to open them and do not know what they are....they are databases files and the only database on my PC is within TurboLister (ebay software for listing items for sale)

i have unistalled Ewido and CounterSpy and nothing else.
Ran AGV first today instead of last as i did yesterday, and it found half a dozen trojans all now in qurantine, couldnt find a log to save as a txt file so have been unable to provide a copy. best wishes ptc:major

 

The "Thumbs.db" are legit files, they are databases that contain the small images displayed when you view a folder in "thumbnail" view. It does not hurt anything to delete them.

Please attach new logs from GetRunKey, ShowNew & HijackThis.

 

Many thanks, i less worry.
i have attached the new logs as specified.

Just a note, when i logged into paypal and ebay before the virus infection, the space where the internet address is typed would go green, showing me it was a secure site to access. Now when i do the same, it does not turn green. Does this tell us anything?

best wishes ptc:major

 

First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

Step 1:
Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.

Step 2:
Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

Again, make sure ALL browser windows are closed when you click FIX.

Step 3:
Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Step 4:
Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Step 5: Begin here after rebooting from Step 4!
Next Reset Web Settings & Default Security Settings

Note for IE 6 users:
To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

Note for IE 7 users:
Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


Step 6:
Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


Step 7:
After you have completed ALL of the above in the correct order, please attach the following logs.

• HijackThis Log
• ShowNew Log
• GetRunKey Log
• Avenger Log

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

 

Stunning work, thankyou so much BJ Garrick, please find attached below the logs requested. Can i reupload adaware and spybot please?

 

here is the 4th file to be attached hijackthis log.txt, best wishes ptc:major

 

hi, just to let you know everything is back to normal, if normal is OK, thankyou so much, you have done me a great service, top marks major geeks you have done it again, wow wee, stunning, what more can i say and a big thankyou to BJGarrick

in the registry log i could not find the following, it was not there to tick, so thought i would let you know.
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - (no file)
best wishes ptc:major

 

Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger, the log (avenger.txt) and C:\avenger.
8. If we had you download any registry patches like fixme.reg, fixme1.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
10. If you are running Windows XP or Windows ME, do the below:
    • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!