About:blank hijacker

Discussion in 'Malware Help (A Specialist Will Reply)' started by shscomputerguy73, Jan 31, 2005.

  1. shscomputerguy73

    shscomputerguy73 Private E-2

    My friend has the about:blank hijacker and I used the tutorial to try and work my way through the hijackthis log but with no success. Any help would be greatly appreciated.
     
  2. baacbs

    baacbs Private E-2

    I have the same problem and feel I've tried all that people have suggested, have you figured anything out yet?
     
  3. TheOldThug

    TheOldThug First Sergeant

    Welcome

    Chaslang and PP have been able to get rid of about:blank. There is a special tool for it in the following tutorial.

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not post your results and I am sure one of the PROS can help you. These guys are quite busy, as you can see by the number of posts, so hang in there. Good Luck!! :)

    TheOldThug
     
  4. shewolf

    shewolf Specialist

    1. What is your friend's operating system?
    2. If you are absolutely sure that you have exhausted all of your options for the tutorial DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal
    and I mean followed the tutorial step by step, even done the scan with aboutbuster, then if you have done all that then please do the following..
    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Now go ahead and attach your HJT (Hijackthis) log

    Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post

    After you post back please be patient, as you can tell it's extremely busy around here, and one of the more experienced users will get with you as soon as they can.

    Best of luck to you and remember it is best to be specific about the problem as the more information available to us the more we can help you out quicker..
    sw:)
     
  5. shewolf

    shewolf Specialist

    It is best when dealing with your own issue to start a new thread so that you can receive individual help, as not everyone's problem is the same and what might be posted for shscomputerguy73 may not work for you to follow, so it may cause you even more problems.

    But first and foremost prior to posting you need to read the following tutorial and complete all steps in that tutorial.
    DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    So once you have completed the above tutorial please post back with what you found and what is still happening etc.. but please start a thread of your own so we can concentrate on your problem alone in your thread.

    Please be patient and one of us will get with you as soon as we can as it's very busy lately.
    Thanks for your patience and understanding.
    sw:)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shewolf,

    Please do not repeat telling the users something they have already been told to do. TheOldThug's post already requested that they follow the READ ME FIRST as required.

    Also a HijackThis log should not be posted unless they are still having problems, so please re-phrase how you state this in the future. We do not want to look at logs for no reason at all.
     
  7. shewolf

    shewolf Specialist

    chaslang and TheOldThug
    I apologize, I read his post several times and each time I misread it. To me it kept saying that he had tried the Read me first tutorial and got nowhere.
    So again I apologize.
    sw:)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! It is easy to misread it.

    I read it like he was working thru the HJT tutorial. When he comes back I guess we will find out what he really meant.
     
  9. shscomputerguy73

    shscomputerguy73 Private E-2

    Thanks for the help shewolf. I have gone through twice and deleted anything that I did not recognize in HJT while following the tutorial. I have attached my HJT log to this message. I think it must be one or two files that I missed and that file must be the one that reloads it when I start up. Again thank you very much for the help.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you explain why you did not run both of the online scanners from the READ ME FIRST thread? You indicated you ran all the steps.

    Make sure you have system restore disabled (per the tutorial).
    Also make sure viewing of hidden files is enabled (per the tutorial).

    Make sure you have also downloaded (as per the READ ME FIRST) and have ready to use the following programs (do not run until told to):
    - CWShredder
    - Ad-Aware SE 1.05 with reference file SE1R26 25.01.2005
    - Spybot S&D 1.3.1 TX with current detections files from 2005-01-28

    Download the following two programs:
    - Win98Fix.zip from http://www10.brinkster.com/expl0ite...last/pvtool.htm
    - StartDreck from http://www.niksoft.at/download/startdreck.htm

    Extract the Win98Fix.zip file contents into a folder named c:\win98fix (do not run yet)
    Extract the Startdreck.zip file contents into a folder named c:\startdreck
    1. Run startdreck.exe.
    2. Now we need to set some options: click on the Config button and then select the unmark all button
    3. Then put checkmarks in the following checkboxes: Under the Registry heading select the Run Keys checkbox.

      Under the System/Drivers heading select the Running Proccess checkbox.
    4. Make sure the save account info to log is checked on the lower right and then click the OK button.
    5. Now you are back at the startup window for Startdreck. Look in the info you see in that window for the >>RunServicesOnce section. Now we are looking under RunServicesOnce for an entry that displays a DLL file in the c:\windows\system folder followed by a StreamingDeviceSetup. Here is an example (only an example, yours will probably have a different DLL filename):

      »RunServicesOnce
      **t=rundll32 C:\WINDOWS\SYSTEM\XYZ.DLL,StreamingDeviceSetup

      Note the XYZ.DLL could be anything. This is just an example. If this file does not exist skip to step 8 with CWShredder. If you do find this dll file write down the full path like C:\WINDOWS\SYSTEM\XYZ.DLL and save it. Please tell me if you locate a DLL file here.
    6. Now using Windows Explorer go to the c:\win98fix folder and double-click on the RunFix.reg file. When prompted about merging the information into your registry, click the Yes button.
    7. Now immediately reboot your computer in safe mode and then run Windows Explorer and look for the DLL file (C:\WINDOWS\SYSTEM\XYZ.DLL) from step 5 above and right click on it and then select Delete. Be sure to let me know if it will not delete or you cannot find it.
    8. Now make sure no browser windows (including this one) are open and run CWShredder and make sure you select the Fix button. Note whether it finds anything and when it finishes exit.
    9. Now run Ad-Aware SE followed by Spybot S&D and allow them to fix anything they find.
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
    Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\SYSTEM\TLDYYVSF.EXE

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Now Run HijackThis and select the following lines (if they still exist) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
    O2 - BHO: (no name) - {48334721-8B8A-4A75-828C-87B4E0D1929A} - C:\WINDOWS\SYSTEM\PHE.DLL
    O4 - HKLM\..\Run: [tgzusfay] C:\WINDOWS\SYSTEM\tldyyvsf.exe
    O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
    O18 - Filter: text/html - {0ACE0A6A-248D-4289-BB67-3D917C98D547} - C:\WINDOWS\SYSTEM\PHE.DLL
    O18 - Filter: text/plain - {0ACE0A6A-248D-4289-BB67-3D917C98D547} - C:\WINDOWS\SYSTEM\PHE.DLL


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete if found (we may have already deleted it):
    C:\WINDOWS\BTGRAB.DLL
    C:\WINDOWS\SYSTEM\PHE.DLL
    C:\WINDOWS\SYSTEM\tldyyvsf.exe
    C:\WINDOWS\FARMMEXT.exe
    C:\WINDOWS\wupdt.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Let me know if you have any problems finding or deleting any of these files.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
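
Added example, not part of chaslang's post or any MajorGeeks tool: a Python cross-check of the HijackThis lines selected above against the safe-mode deletion list, reporting which files the lines reference, from which log sections, and which are not on the manual list. The input is copied from the post (one Search Bar entry stands in for the six sp.html entries, and the O16 line with no target is left out); `parse` and `audit` are names assumed for this example.

```python
import re

# HijackThis lines copied from the post above.
HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O2 - BHO: (no name) - {48334721-8B8A-4A75-828C-87B4E0D1929A} - C:\WINDOWS\SYSTEM\PHE.DLL
O4 - HKLM\..\Run: [tgzusfay] C:\WINDOWS\SYSTEM\tldyyvsf.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O18 - Filter: text/html - {0ACE0A6A-248D-4289-BB67-3D917C98D547} - C:\WINDOWS\SYSTEM\PHE.DLL
""".strip().splitlines()

# Safe-mode deletion list copied from the post above.
DELETE_LIST = (r"C:\WINDOWS\BTGRAB.DLL C:\WINDOWS\SYSTEM\PHE.DLL C:\WINDOWS\SYSTEM\tldyyvsf.exe "
               r"C:\WINDOWS\FARMMEXT.exe C:\WINDOWS\wupdt.exe").split()

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
# Trailing drive-letter path, optionally written as a file:// URL.
PATH = re.compile(r"(?:file://)?([A-Za-z]:\\.+?)\s*$")

def parse(lines):
    """Return (section, upper-cased path or None) for each HijackThis line."""
    out = []
    for line in lines:
        m = ENTRY.match(line.strip())
        p = PATH.search(m.group(2)) if m else None
        if m:
            out.append((m.group(1), p.group(1).upper() if p else None))
    return out

def audit(hjt_lines, delete_list):
    """Compare files referenced by the log lines with the files queued for deletion."""
    referenced = {}
    for section, path in parse(hjt_lines):
        if path:
            referenced.setdefault(path, set()).add(section)
    queued = {p.upper() for p in delete_list}  # Windows paths are case-insensitive
    return {
        "covered": sorted(p for p in referenced if p in queued),
        "not_queued": sorted(p for p in referenced if p not in queued),
        "no_reference": sorted(queued - set(referenced)),
        "sections": {p: sorted(s) for p, s in referenced.items()},
    }

if __name__ == "__main__":
    print(audit(HJT_LINES, DELETE_LIST))
```
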
     
  11. shscomputerguy73

    shscomputerguy73 Private E-2

    Thanks a lot, I think I should be ok now.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does this mean you followed my directions and everything is working okay now?
    Did you find the DLL I was mentioning in step 5?

    You really should post a follow up HJT log to be sure.
     
  13. shscomputerguy73

    shscomputerguy73 Private E-2

    Sorry, I'm not sure I will be able to tell you for a while, I'm a wrestler and had an all-day tournament today and school work tomorrow. But thank you for the help, I'll be back if there are problems.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     
