About:blank again? Can U look at my HJT log please?

Discussion in 'Malware Help (A Specialist Will Reply)' started by radioheadfan30, Aug 26, 2005.

  1. radioheadfan30

    radioheadfan30 Private E-2

    Help! i have some crazy things going on. I'm getting pop-ups that look like spyware (They keep telling me I'm infected and click here to remove them) and redirects to different websites. I saw briefly on the address bar something that looked like about:blank but it quickly disappeared.
    I have been to your other spyware forums and followed them to a T and have run ALL the scans and spyware programs that you recommend over the last 2 days in SAFE Mode.
    Various online scans, Ewido, Ad-aware, adware away, spybot S&D, clean cache 3.0, Ccleaner, Kill2me, Stinger and a few other programs have not removed the redirects or pop-ups.

    I'm running a 2001 Gateway with Windows XP.
    Please look at my HJT log and tell me what else I should do. Thank you very much.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the future, please do not post HJT logs unless they are requested. You also did not follow the guidelines for installing and running HJT. You have multiple browsers running and you are running HJT directly from the ZIP file. The steps below will help you to fix these problems.

    You do not have an about:blank hijack problem.

    You must follow the below steps:

    - Look in Add/Remove programs for WareOut and uninstall if found.

    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover
    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later.

    - Now boot in safe mode, run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install, wait (explorer window will disappear)

    - When abiremover finishes just reboot into normal and continue with the below steps.


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    NOTE: Your OS & IE versions are way out of date and represent a major security risk. After we fix your current problems, you must get updated. More than likely this is one of the reasons you are so badly infected. We will continue with your fixes after you complete the above.
     
    Last edited: Aug 26, 2005
  3. radioheadfan30

    radioheadfan30 Private E-2

    Sorry about that. Here is my new HJT log. I ran the hoster and Aurora programs. Thx.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\winnt\dinst.exe
    c:\winnt\system32\fecaer.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {DE637433-D2BD-D327-9106-06E8EB76C3B0} - 34763.dll (file missing)
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\winnt\dsr.dll
    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\winnt\System32\mblde.dll (file missing)
    O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\winnt\AuroraHandler.dll (file missing)
    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\winnt\System32\mblde.dll (file missing)
    O4 - HKLM\..\Run: [Dinst] C:\winnt\dinst.exe
    O4 - HKLM\..\Run: [forces_elite] xwiz.exe
    O4 - HKLM\..\Run: [ActionScr] SpyElim.exe
    O4 - HKLM\..\Run: [hmmkhjr] c:\winnt\system32\fecaer.exe r
    O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
    O4 - HKCU\..\Run: [powerdll] PasswdMon.exe
    O4 - HKCU\..\Run: [TRPT] pizda.exe
    O4 - HKCU\..\Run: [Trayz] prcmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\WareOut <--- the whole folder
    C:\winnt\dsr.dll
    C:\winnt\dinst.exe
    c:\winnt\system32\fecaer.exe
    c:\winnt\system32\xwiz.exe
    c:\winnt\system32\SpyElim.exe
    C:\Program Files\WareOut
    c:\winnt\system32\PasswdMon.exe
    c:\winnt\system32\pizda.exe
    c:\winnt\system32\prcmon.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. radioheadfan30

    radioheadfan30 Private E-2

    Posted new HJT log after following directions.
    I did not find-
    C:\winnt\dinst.exe
    c:\winnt\system32\fecaer.exe in the Open Process Manager, so they were not killed.

    I believe I fixed the lines in HJT that I was supposed too.

    In Windows Xplorer, I only found C:\winnt\dsr.dll and deleted it, the rest I did not see. (See below)

    C:\Program Files\WareOut <--- the whole folder
    C:\winnt\dsr.dll
    C:\winnt\dinst.exe
    c:\winnt\system32\fecaer.exe
    c:\winnt\system32\xwiz.exe
    c:\winnt\system32\SpyElim.exe
    C:\Program Files\WareOut
    c:\winnt\system32\PasswdMon.exe
    c:\winnt\system32\pizda.exe
    c:\winnt\system32\prcmon.exe

    I ran Ccleaner and deleted all files in Prefetch without a prob. Reset my web settings as told. I am still getting a small balloon that pops up every 15 minutes and says,
    Your computer might be at risk...
    Your virus protection is bad...
    Spyware activity detected...Click balloon to fix problem
    BTW my Norton Antivirus is not looking good... Auto Protect is off, Norton Internet Security says Personal Firewall is disabled, Security "off" etc.
    I would like to ditch Norton after this, what would you recommend for anti-virus, firewall and overall internet protection?
    Thank you for your help so far.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We will worry about an AV when we finish. Part of your problem keeps coming back because the malware is renaming itself upon power downs and or reboots. So after you post your log and I look at it to post a fix, it will no longer apply if you have rebooted or powered down at all because the malware has mutated. I will post another fix but it may or may not work if things have mutated again. This time make sure after posting your follow up HJT log that you do not reboot or shutdown your PC until you hear back from me again. That way we can hopefully avoid this mutation problem.

    Another reason it may be coming back is because your OS is so out of date, your AV is broken, and you have no firewall installed. We may need to address this first if the problem persists. But don't do anything on your own yet. Just do what I request. I'll tell you when we need to do any of these steps.

    Also it is critical to remember that no browsers be open when using HJT. I see the below in your log:
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    Did you just install this Starware stuff? It was not in your previous log.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDaemOVu3Ev6c1l/x+wpQ1rEJaMvIUUK37frRMnCJsQA9S4pDbbqvb/Yn0ePuoDFxjwZFtSbL2JqDDF2suzgd9p/fUSkobWClNgEFAR25YR3Fv8XMt0/HCEWJsrvI7SnreLy9hDUAbERyaTB44NCSrNz1DIcBLWXa3LjYlO/fqLG+Lt8OkUlakjM25mizQjuxR+8kMalH8ZW4=
    O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
    O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll

    If you did just install it, do not do any more installation or make any changes unless I request them. It all confuses the work we are doing and could cause more problems. We may need to remove this program especially if you did not install it. It is considered to be on the "Open for debate" list of whether it is malware or not.

    The file that mutated this time is c:\winnt\system32\dwnxhjk.exe. If you do not see it when trying to do my below steps, see if you can identify the item that took its place and just substitute in the new name.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    c:\winnt\system32\dwnxhjk.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: localhost 127.0.0.1
    O4 - HKLM\..\Run: [kcpndpa] c:\winnt\system32\dwnxhjk.exe r

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\winnt\system32\dwnxhjk.exe

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    REMEMBER: DO NOT REBOOT OR POWER DOWN NOW!!
     
  7. radioheadfan30

    radioheadfan30 Private E-2

    Ok
    No browsers open (or ever) when running HJT log. I have not, and will not, reboot after downloading this HJT log.

    I know for a fact I did not download any Starware stuff. I did however uninstall it from my Control Panel earlier today before you got back to me, because Starware was very new and I was getting redirected like crazy. Sorry if there was confusion, but I definitely did not download Starware.


    I killed c:\winnt\system32\dwnxhjk.exe in Process manager section of HJT.

    I fixed:
    O1 - Hosts: localhost 127.0.0.1 and a version of O4 - HKLM\..\Run: [kcpndpa] c:\winnt\system32\dwnxhjk.exe r in HJT.

    O4 - HKLM\..\Run: [kcpndpa] c:\winnt\system32\dwnxhjk.exe r in HJT was not exactly found as you said in the post (slightly different by a few letters). I believe it found it as O4 - HKLM\..\Run: [mrcfde] c:\winnt\system32\dwnxhjk.exe r in HJT. I checked fix since it was very similar.

    Could not find c:\winnt\system32\dwnxhjk.exe In Windows XP


    I ran Ccleaner and Deleted files from Prefetch.

    Here is the new HJT log...Thanks for all your help and patience,,hope I'm not a lost cause.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still see IE in your log.
    C:\Program Files\Internet Explorer\iexplore.exe

    Your problem mutated again. And the Host line came back.

    c:\winnt\system32\qnlcuz.exe
    O1 - Hosts: localhost 127.0.0.1
    O4 - HKLM\..\Run: [wwdqijx] c:\winnt\system32\qnlcuz.exe r


    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    We are going to need to get some other protection installed on your PC first. Let's start with a firewall.

    Goto this thread: How to Protect yourself from malware!
    And see step 3 and install one of the two free firewalls. After installing it make note of anything that you get popups on trying to get in or out of your PC. If you do not recognize it, do not allow it any access.

    We really need to get some Windows Updates installed too since you are so out of date. I don't like doing them while there is still an infection but we sometimes have no choice. They will be quite large. Are you on dial-up, cable, or DSL?

    After getting the firewall in place, post a new HJT log because a reboot may be needed and the problem may have changed.
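    The rename-on-reboot pattern chaslang describes (a randomly named HKLM Run value pointing at a randomly named executable in system32 with a trailing "r" argument, which comes back under a new name after every restart) is easy to track mechanically across two HJT logs. The following script is an added example and is not part of this thread, HijackThis, or any tool it mentions: it parses the O4 and O1 lines in the format HJT prints them, flags entries matching that family's naming shape, and pairs an entry that vanished between two logs with the one that replaced it. The two log excerpts are constructed from the lines quoted in this thread, plus a constructed benign ctfmon.exe control line; the naming heuristic is an assumption drawn from the entries shown here, not a general malware test.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpts of two HijackThis logs, modelled on the O1/O4 lines quoted in
# this thread. The ctfmon.exe line is a constructed benign control (not from the thread).
LOG_BEFORE = """\
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\\..\\Run: [kcpndpa] c:\\winnt\\system32\\dwnxhjk.exe r
O4 - HKLM\\..\\Run: [Dinst] C:\\winnt\\dinst.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINNT\\system32\\ctfmon.exe
"""

LOG_AFTER = """\
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\\..\\Run: [wwdqijx] c:\\winnt\\system32\\qnlcuz.exe r
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINNT\\system32\\ctfmon.exe
"""

# O4 - HKLM\..\Run: [valuename] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Split a command line into a (possibly quoted) executable path and its arguments.
CMD_RE = re.compile(r'^(?P<path>"[^"]+"|\S+)(?:\s+(?P<args>.*))?$')
# Assumed shape of the rotating names seen in this thread: 5-8 lower-case letters.
RANDOM_RE = re.compile(r"^[a-z]{5,8}$")


@dataclass(frozen=True)
class RunEntry:
    hive: str   # HKLM or HKCU
    name: str   # registry value name, e.g. kcpndpa
    path: str   # executable path, lower-cased so logs with mixed case compare equal
    args: str   # trailing arguments, e.g. "r"

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0] if "\\" in self.path else ""


def parse_run_entries(log: str) -> List[RunEntry]:
    """Extract every O4 Run entry from HijackThis log text."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        c = CMD_RE.match(m.group("cmd"))
        path = c.group("path").strip('"').lower()
        entries.append(RunEntry(m.group("hive"), m.group("name"), path, c.group("args") or ""))
    return entries


def hosts_findings(log: str) -> List[str]:
    """Return O1 (hosts file) lines. HJT only prints O1 for non-default hosts entries,
    so each one deserves review; 'localhost 127.0.0.1' is hostname-first, i.e. malformed."""
    return [l.strip() for l in log.splitlines() if l.strip().startswith("O1 - Hosts:")]


def is_suspicious(e: RunEntry) -> bool:
    """Heuristic for the family in this thread: random value name AND random file stem,
    executable in the system directory, started with the lone argument 'r'."""
    stem = e.basename.rsplit(".", 1)[0]
    return (RANDOM_RE.match(e.name) is not None
            and RANDOM_RE.match(stem) is not None
            and "system32" in e.directory
            and e.args == "r")


def mutation_pairs(before: str, after: str) -> List[Tuple[str, str]]:
    """Pair a suspicious entry that disappeared with one that appeared in the same
    directory with the same arguments: the renamed-on-reboot pattern."""
    old = {e.basename: e for e in parse_run_entries(before) if is_suspicious(e)}
    new = {e.basename: e for e in parse_run_entries(after) if is_suspicious(e)}
    gone = [old[k] for k in old if k not in new]
    added = [new[k] for k in new if k not in old]
    return [(g.basename, a.basename) for g in gone for a in added
            if a.directory == g.directory and a.args == g.args]


if __name__ == "__main__":
    for e in parse_run_entries(LOG_AFTER):
        print(("SUSPECT " if is_suspicious(e) else "ok      ") + f"[{e.name}] {e.path} {e.args}")
    for h in hosts_findings(LOG_AFTER):
        print("REVIEW  " + h)
    for was, now in mutation_pairs(LOG_BEFORE, LOG_AFTER):
        print(f"MUTATED {was} -> {now}")
```

Run against a fresh log each time the machine restarts and the pairing output tells you which file name to substitute into the fix, which is exactly the manual step the thread asks the user to perform. Entries that fail the heuristic (a legitimate value such as ctfmon.exe, or an entry with a readable name) are listed but not flagged, so the script narrows review rather than making removal decisions.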
     
  9. radioheadfan30

    radioheadfan30 Private E-2

    Before I install a firewall, should I uninstall Norton? I don't think it's working anyway. I have DSL.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No but why do you think it is not working?

    Get that a firewall installed ASAP.
     
  11. radioheadfan30

    radioheadfan30 Private E-2

    Ok, I'm installing Sygate right now. Sorry, I meant do you think I should use Avast or AVG over Norton as far as Anti-virus goes?
    Should I just disable Norton and install one of the other anti-virus programs?
    The reason I ask is that when I go to Norton I find that the Auto Protect is off and other things have been somehow disabled, Norton Internet Security says Personal Firewall is disabled, Security "off" etc. It just seems like it's not working very well.
    THX again, I'll repost a new HJT in a few minutes.
     
  12. radioheadfan30

    radioheadfan30 Private E-2

    Here's the new HJT log. Sygate did make me reboot, hope that didn't screw things up for the log.
     
    Last edited by a moderator: Aug 28, 2005
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, since Norton is not working properly and because the version you had also did have a firewall, yes I would uninstall it for now. Use AVG or Avast as shown in the How to Protect yourself from malware! thread.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run Hoster yet? If not please do so.
     
  15. radioheadfan30

    radioheadfan30 Private E-2

    Yes,I ran hoster
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before or after posting the last HJT log? I ask because the O1 - Hosts line is still showing and it should not if Hoster was run and was able to fix the Hosts file.
     
  17. radioheadfan30

    radioheadfan30 Private E-2

    Ok I posted a new HJT log.

    On this new one, yes I ran Hoster first and THEN the HJT log.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's better!

    Now use Windows Explorer right now and tell me if you can see the below file:

    c:\winnt\system32\mlsenb.exe

    If so, look at the file date (sort the folder by date) and look for other similar dated files. Also look to see if there is anything with a similar name but with a different file extension. Like:
    mlsenb.dat or mlsenb.ini
     
  19. radioheadfan30

    radioheadfan30 Private E-2

    I'm trying to uninstall Norton but when I go to remove programs and click on remove it says "A Norton Internet Security account with supervisor access must be logged in to uninstall this product. " What does that mean?
     
  20. radioheadfan30

    radioheadfan30 Private E-2

    Sorry did not know you already replied, hold on...
     
  21. radioheadfan30

    radioheadfan30 Private E-2

    Yes, I see the file c:\winnt\system32\mlsenb.exe
    I do not see any thing similar to mlsenb.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about files having similar Date Created?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  24. radioheadfan30

    radioheadfan30 Private E-2

    Nothing else on that exact date. Two days later there is something called popup.ocx ActiveX Control; that is the closest date to it. Everything else is a month apart.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What dates are we talking about for the two files?
     
  26. radioheadfan30

    radioheadfan30 Private E-2

    2/3/04 and 2/5/04
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wow that's strange. This malware has been on your PC that long!!

    Okay! Your last HJT log still showed IE running. Are you still forgetting that it MUST be shut down before using HJT?
    C:\Program Files\Internet Explorer\iexplore.exe
    Go to the below file and right click on it and select rename:
    c:\winnt\system32\mlsenb.exe
    Rename it to mlsenb.xxx

    If that works, continue with below. Otherwise stop and tell me.

    Print or save these instructions locally. Because I want you to remain physically disconnected (unplug your cable) and have NO BROWSERS running until I tell you to come back here and post a new log. Do not open any browsers at anytime in between.

    Okay once you have done the above, continue.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    c:\winnt\system32\mlsenb.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [xbkkwst] c:\winnt\system32\mlsenb.exe r

    After clicking Fix, exit HJT.

    Now, immediately pull the power plug to your PC and wait a minute. (Yes you read that correctly! I want to avoid a graceful shutdown because that may be where the malware is respawning itself.) After waiting a minute, power back up and get a new HJT log with no browsers open. Now post the new log.
     
  28. radioheadfan30

    radioheadfan30 Private E-2

    I swear I don't have IE running when doing HJT. I make sure that all browsers are not open.. Next, time I'll disconnect from DSL.
    Sorry, it would not let me rename when I right click and go to rename, the error message came up and said "Cannot rename mlsenb. It is being used by another person or program. Close any programs that might be using that and try again."
    Standing by, thanks for every effort so far...
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OKAY! It is important that I know that you were not running IE. That means something else is. (Part of the reason I'm requesting that you unplug the cable before continuing with the other steps.)

    Continue from the Print or Save instructions!
     
  30. radioheadfan30

    radioheadfan30 Private E-2

    Ok, some weird things are happening... On HJT I went to Open Process manager , found and selected c:\winnt\system32\mlsenb.exe . Now when I clicked Kill process it went away. I scrolled down to the bottom of the process list and found c:\winnt\system32\mlsenb.exe again. I clicked on Kill process again only this time a HJT message came up that said 'This selected process could not be killed. It may have already closed or may be protected by Windows. This process might be a service, which you can stop from the services applet in Admin Tools. To load window click Start, run and enter "services.msc"
    Now the weird thing is after I closed this message window, the c:\winnt\system32\mlsenb.exe was no longer there in the process manager! (Which wasn't there before the message)
    Instead it respawned or turned into c:\winnt\system32\kqkdpd.exe
    I ran HJT and there was no O4 - HKLM\..\Run: [xbkkwst] c:\winnt\system32\mlsenb.exe r instead I found O4 - HKLM\..\Run: [jdviem] c:\winnt\system32\kqkdpd.exe r
    Posted another HJT just in case
    Will try to stay up but I might retire to bed in a bit... thx a million
     
  31. radioheadfan30

    radioheadfan30 Private E-2

    Woops.....here's the HJT
     
  32. radioheadfan30

    radioheadfan30 Private E-2

    Also I meant to say that c:\winnt\system32\kqkdpd.exe was NOT there in the process manager to begin with. It appeared AFTER I tried to click on and fix the second c:\winnt\system32\mlsenb.exe I found in the process manager.


    It looked like c:\winnt\system32\mlsenb.exe disappeared and c:\winnt\system32\kqkdpd.exe took its place. Sorry bout any confusion
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Print or save these instructions locally. Because I want you to remain physically disconnected (unplug your cable) and have NO BROWSERS running until I tell you to come back here and post a new log. Do not open any browsers at anytime in between.

    This time we will not touch the process itself. We will just fix the O4 line then pull the power cord.

    Please run HijackThis
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [jdviem] c:\winnt\system32\kqkdpd.exe r

    After clicking Fix, exit HJT.

    Now, immediately pull the power plug to your PC and wait a minute. (Yes you read that correctly! I want to avoid a graceful shutdown because that may be where the malware is respawning itself.)

    After waiting a minute, power back up your PC in safe mode (DO NOT open any browsers and keep cable disconnected).

    Look for and delete if found:
    c:\winnt\system32\kqkdpd.exe

    Now reboot into normal mode and reconnect your cable. Get a new HJT log with no browsers open. Now post the new log.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the previous steps do not work then try what I'm posting here:

    - First run CCleaner before doing the below.


    - Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report. And tell me if you are still having any problems. This log could get quite large and you may need to compress it into a ZIP file to upload it.


    Post this Ewido log.

    After posting the Ewido log continue with the below:

    Download the following tool and save it where you will be able to find it.

    L2MeFix Tool

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Now reconnect and come back here and post as an attachment the l2mfix log.
     
  35. radioheadfan30

    radioheadfan30 Private E-2

    Chaslang,
    I posted new HJT and Ewido log. NOTE: Before I ran HJT per your last instructions on removing line O4 and pulling the power plug, I did have to reboot my PC because it froze up. I know this caused the line O4 - HKLM\..\Run: [jdviem] c:\winnt\system32\kqkdpd.exe r to spawn into:
    O4 - HKLM\..\Run: [ofrphr] c:\winnt\system32\silynb.exe r when I rebooted and did a new HJT.

    I unplugged my cables to DSL and had NO BROWSERS running.

    I ran HijackThis and selected the following line to fix
    O4 - HKLM\..\Run: [ofrphr] c:\winnt\system32\silynb.exe r

    After clicking Fix I exited HJT and immediately pulled the power plug to my PC

    After waiting a minute, I powered back up my PC in safe mode (I did not open any browsers and kept cable disconnected).

    Could not find c:\winnt\system32\kqkdpd.exe or c:\winnt\system32\silynb.exe in Windows XPlorer

    I then rebooted into normal mode, reconnected to DSL and ran Ewido. Would not let me get updates though.

    Ran a Scan in normal mode.
    Rebooted into safe mode, disconnected from DSL and ran a new scan w/Scan every file option. Cleaned a few files again and saved and posted the report. Will now do the L2MEFix instructions. Thanks again. I'll post the l2mfix log soon.
     
  36. radioheadfan30

    radioheadfan30 Private E-2

    Here's the l2mefix log.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the below tool:

    http://securityresponse.symantec.com/avcenter/FixBinet.exe

    Let me know the results.

    You have more baddies in there now.
    O4 - HKLM\..\Run: [hclean32.exe] C:\winnt\System32\hclean32.exe
    O4 - HKLM\..\Run: [dmfhs.exe] C:\winnt\System32\dmfhs.exe
    O4 - HKLM\..\Run: [ccaubru] c:\winnt\system32\urzdmtn.exe r
    O4 - HKLM\..\Run: [hgqhp.exe] C:\winnt\System32\hgqhp.exe

    And the O1 Hosts line came back. Re-run the Hoster program now
    And then post a new HJT log.
     
  38. radioheadfan30

    radioheadfan30 Private E-2

    Ran the new tool...Says Adware.Betterinternet has been removed from your system.
    1 deleted files
    0 number of threat processes terminated
    1 number of registry entries fixed

    Re-ran Hoster, posted new HJT log.
     
  39. radioheadfan30

    radioheadfan30 Private E-2

    Whoops, here's the HJT
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below should not be running when using HJT:
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dave Farrar\Local Settings\Temporary Internet Files\Content.IE5\LXO94OW0\FixBinet[1].exe
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [hclean32.exe] C:\winnt\System32\hclean32.exe
    O4 - HKLM\..\Run: [wvifphf] c:\winnt\system32\norlzl.exe r
    O4 - HKLM\..\Run: [dmexd.exe] C:\winnt\System32\dmexd.exe
    O4 - HKLM\..\Run: [hgqhp.exe] C:\winnt\System32\hgqhp.exe

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\winnt\System32\hclean32.exe
    c:\winnt\system32\norlzl.exe
    C:\winnt\System32\dmexd.exe
    C:\winnt\System32\hgqhp.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
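As an added example (not something posted in this thread), a small Python helper that parses HJT O4 autostart lines of the kind listed above, pulls out the program each Run/RunOnce value launches, and reports which of those files are still on disk after the safe-mode deletion step. The sample log is constructed from the lines quoted in this thread; the class and function names are my own.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample: the Run/RunOnce lines quoted in this thread, assembled here for the demo.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [hclean32.exe] C:\winnt\System32\hclean32.exe
O4 - HKLM\..\Run: [wvifphf] c:\winnt\system32\norlzl.exe r
O4 - HKLM\..\Run: [dmexd.exe] C:\winnt\System32\dmexd.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\winnt\System32\hgqhp.exe
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\winnt\inf\unregmp2.exe /FixUps
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\winnt\inf\unregmp2.exe /Fixups"""

# HJT prints autostart entries as:  O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class AutorunEntry:
    hive: str  # HKLM or HKCU
    key: str   # Run or RunOnce
    name: str  # registry value name shown in brackets
    path: str  # program the value launches
    args: str  # trailing arguments, e.g. "r" or "/FixUps"


def split_command(cmd):
    """Separate the program path from its arguments in a Run-value command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted program path, may contain spaces
        path, rest = cmd[1:].split('"', 1)
        return path, rest.strip()
    tokens = cmd.split()  # unquoted: the program ends at the first .exe token
    n = next((i + 1 for i, t in enumerate(tokens) if t.lower().endswith(".exe")), len(tokens))
    return " ".join(tokens[:n]), " ".join(tokens[n:])


def parse_o4_lines(log_text):
    entries = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line.strip()):
            path, args = split_command(m.group("cmd"))
            entries.append(AutorunEntry(m.group("hive"), m.group("key"), m.group("name"), path, args))
    return entries


def entries_in_dir(entries, directory):
    """Entries whose program lives in the given folder (case-insensitive Windows paths)."""
    want = directory.lower().rstrip("\\")
    return [e for e in entries if e.path.lower().rsplit("\\", 1)[0] == want]


def leftover_files(entries, exists=os.path.exists):
    """Program paths still present on disk: run this after the safe-mode deletion step."""
    return sorted({e.path for e in entries if exists(e.path)})
```

Run on a real log, `leftover_files(parse_o4_lines(open("hijackthis.log").read()))` lists the launched programs that are still present, which is the check to make before rebooting into normal mode.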
     
  42. radioheadfan30

    radioheadfan30 Private E-2

    Chaslang,

    yes, I have sys. restore disabled and show all hidden files.

    I ran HJT w/ no browsers running and fixed lines O4 - HKLM\..\Run: [hclean32.exe] C:\winnt\System32\hclean32.exe
    O4 - HKLM\..\Run: [wvifphf] c:\winnt\system32\norlzl.exe r
    O4 - HKLM\..\Run: [dmexd.exe] C:\winnt\System32\dmexd.exe
    O4 - HKLM\..\Run: [hgqhp.exe] C:\winnt\System32\hgqhp.exe

    Then I booted into safe mode and used Windows Explorer to delete
    C:\winnt\System32\dmexd.exe
    C:\winnt\System32\hgqhp.exe

    I could not find files C:\winnt\System32\hclean32.exe or
    c:\winnt\system32\norlzl.exe in Windows Explorer to delete!

    Ran Ccleaner and Deleted all files in Prefetch.

    Rebooted into normal mode and posted new HJT.

    Remember, I am not ever running any browsers when I run HJT. I don't know why it says I am. I have everything closed.

    Thanks
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right now your log looks clean!

    I have to always ask about seeing IE running every time to be sure that you know it was not running by your hand. That way I know it is a malware symptom. A better way would be if you (and other users) add a comment when posting your HJT log saying "yes there are x number of iexplore.exe sessions shown running but I did not have any browsers opened when I did the scan"

    Since your log is clean at the moment you need to go to the below and immediately start these steps. Do them in order. The first step is Windows Update. Do not delay!!! Get your updates now.

    How to Protect yourself from malware!
     
  44. radioheadfan30

    radioheadfan30 Private E-2

    Thank you so much for all your help. You are truly a patient human being!
    One last question, do you have any other ideas where or how I can get Windows Updates? The link you gave me brings me to the Windows site and when I click on search for updates it says it is "checking for latest updates for your computer" but it never stops searching, therefore I can't download any updates.
    Thanks again!
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is the place you need to go for Windows Updates!

    How long did you wait? For your system it should have to install some new tools for downloading updates?

    Is your Windows XP a valid version licensed to you?
     
  46. radioheadfan30

    radioheadfan30 Private E-2

    Yes, it's a valid version licensed to me. I waited about 25 minutes and it just kept searching and searching.....didn't say anything about installing new tools
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  48. radioheadfan30

    radioheadfan30 Private E-2

    Sorry, went out of town. Downloaded XP SP1 w/out a problem. However, guess what? When I click on Internet Explorer it says, "Cannot find server" page cannot be displayed message. I am using SBC Yahoo! Browser as my current browser to email you. (it seems to work fine). Also, my Windows Media Player is not working as well. When I try to watch a movie an error message comes up. I downloaded Windows Media Player 10 from Majorgeeks.com and the same message comes up!
    Finally, I installed Avant Browser from majorgeeks, since IE was down. But, when I click on Avant Browser about:blank comes up and then a message saying it cannot find the website I want to get to.
    I have not been on the internet very much, so here's a new HJT log. Thanks again. I have Sygate and Avast running as well.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are no major problems indicated in your HJT log. I do suggest you fix the below items:


    O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\winnt\inf\unregmp2.exe /FixUps
    O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\winnt\inf\unregmp2.exe /Fixups
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    However these should not have anything to do with why you cannot get online.

    I would have to ask are you sure you gave IE and WMP permission thru Sygate's firewall?

    Also one other item I would suggest since I have seen problems similar to this in the past. And especially since you had problems using Windows Update which also was caused by it. My suggestion is to uninstall Norton Antivirus and see what happens.
     
  50. radioheadfan30

    radioheadfan30 Private E-2

    Chaslang,
    I still could use your help. I believe that IE has permission through Sygate's firewall. I did uninstall Norton. Still no luck. Would you have any idea why I can access the internet thru SBC Yahoo but NOT thru IE, Mozilla or Avant? These browsers were all downloaded w/out a problem from majorgeeks, but I am unable to access any websites.
    Also, when I talked to Gateway tech support they said I have a virus with the name "1". It was found in a start up application. (I think I went thru msconfig and start up tab). I don't know how to get rid of it. FYI, we also uninstalled and re-installed IE.
    Should I re-install windows or try something like that?
    One last thing...I know you said my last couple of HJT logs were clean, but I also noticed at the same time about:blank would show up on the Avant address bar. Help!
     