About Blank KO-ed Internet

Discussion in 'Malware Help (A Specialist Will Reply)' started by albionmoon, Jan 17, 2006.

  1. albionmoon

    albionmoon Private E-2

    Hi -

    I have a P4, 3.4GHz PC with 2.0 GB of RAM running Windows XP Pro SP2. I rarely use it to connect to the internet, but yesterday I did and I couldn't connect to any websites with Mozilla. I opened IE and it took me to a blank page with the address of About:Blank. I've followed all the steps in the new Read & Run me first sticky - and I haven't found anything obvious (no viruses or adware were found by any of the scans). I can still only get to certain websites in Safe Mode with Networking, but no websites seem to work in Normal Windows mode.

    I was just about to go through Chaslang's "About Blank and HSA Hijacker - Simplified Removal" method, but I noticed it tells me to post the About Buster logs and a Hijack This log at the end of the treatment. Before I did this, I wanted to get someone's okay over at MG to do so. Let me know if it's okay to post those logs once I create them - thanks!

    - albionmoon
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, if you have the AB hijacker then proceed with that thread and post your results here.
     
  3. albionmoon

    albionmoon Private E-2

    Thanks -

    I'm attaching my bitdefender log, the two About Buster logs (one done in normal windows, the second done in safe mode) and my Hijack This log. According to HSR remover it removed 8 items.

    Take care -
    Albionmoon
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. albionmoon

    albionmoon Private E-2

    Okay, will do - should I reboot into normal windows? The Chaslang instructions said to stay there because of possible mutations on reboot.

    Thanks -
    albionmoon
     
  6. albionmoon

    albionmoon Private E-2

    sorry, by "stay there", I meant in safe mode - which is where I currently am on the problem machine.

    thanks -
    albionmoon
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, you can reboot to normal Windows; it didn't appear per your logs that you had the AB/HSA infections.
     
  8. albionmoon

    albionmoon Private E-2

    Thanks -
    I am starting the SpySweep program now - glad to hear you don't think I have AB or HSA - I'll post the new logs when the scan finishes. I wonder why the webpage was set to About:Blank when I started IE the other day...
    -albionmoon
     
  9. albionmoon

    albionmoon Private E-2

    Hmmm -

    Strange. I did the spyscan and it found what it thought was "potentially rootkit-masked files" - over 1,600 of them. So, though I was worried about removing them (they all seemed to have something to do with my Avid system), I hit remove. Now Spy Sweeper seems to be frozen. I can't access task manager through Ctrl-Alt-Del, though I can access other programs. I'm afraid to shut down Spy Sweeper, in case it's doing something, but I also think it's probably stuck. Any ideas on what I should do?

    - albionmoon
     
  10. albionmoon

    albionmoon Private E-2

    I'm pretty worried about what I should do here. At some point I feel that I need to shut down the computer - but do you think that will cause problems if SpySweep is still doing something? Please let me know your opinion. Thanks -
    albionmoon
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let Spy Sweeper try to remove those detections; if it sits there for 10 minutes or longer, manually shut the computer down and run another sweep from Safe Mode.

    The "potentially rootkit-masked files" detection does not signify a good thing. After you complete the Spy Sweeper scan, proceed with the below...

    Please download Blacklight to its own folder...

    F-Secure Blacklight

    After download is complete, double click to run the program. Click "Accept" to proceed. Then click SCAN to begin scanning your system.

    Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post and then follow the below.

    Please see the below thread on how to run WinPfind and attach the log.
     
  12. albionmoon

    albionmoon Private E-2

    Thanks - it's been sitting there for over a half hour, so I'll shut it down and try removal in Safe. thanks -
    albionmoon
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, run the other steps as well, run F-Secure first then WinPFind, but let Spy Sweeper complete its removal before you do any of that.
     
  14. albionmoon

    albionmoon Private E-2

    Sorry BJgarrick - I'm not sure I see the steps for F-Secure and WinPFind in the guides I've been following - can you give me a link to the methods you're talking about?

    thanks -
    albionmoon
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    See post #11, I must have added it before you saw it.
     
  16. albionmoon

    albionmoon Private E-2

    Sorry I haven't gotten back to you yet - I needed to do some things for work. I will try the methods you suggested soon. One question I have though - since these files that SpySweeper found were all Avid files - an editing program I use for work - I'm a bit scared of deleting them and potentially knocking out my Avid. I know you probably can't tell, but is there any way SpySweeper could've gotten a false positive? Would it be okay to not deal with this issue for a few days while I work on a project, or does it need to be taken care of immediately? I'm sorry to ask such fuzzy questions, but I'm at a point for work where I really can't jeopardize not being able to use my system for a few days.

    thanks -
    albionmoon
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    These detections by Spy Sweeper usually indicate a serious infection known as a "rootkit", which is a serious threat. That's why I requested F-Secure's tool to confirm they are gone. These have the potential to steal personal information such as passwords, bank account numbers, etc; this is why they need to be removed ASAP.

    I don't see a problem removing them with SS, make sure you run F-Secure to remove any leftovers. It's up to you whether you remove them now or wait but I would go ahead and remove them just in case you do have these infections.
     
  18. albionmoon

    albionmoon Private E-2

    Okay - thanks again for all your help. I think I have to hold off for a few days - I've unplugged the ethernet cable from my computer and, like I mentioned, I almost never use that machine for the internet anyway. I'll check my internet computer with SpySweep to see if it finds anything scary in the meantime. I am taking this very seriously, but I'm just really frightened that Spysweeper might delete files I need for my editing system.

    take care -
    albionmoon
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, keep me informed, I will check back tomorrow sometime.
     
  20. albionmoon

    albionmoon Private E-2

    I did a new SpySweep in Safe Mode - and the results came back with more "trace" files found of the suspected rootkit. However, it really seems like these files are just ones that windows isn't accessing because they're mostly media files for the Avid. If I delete these files, I think that footage will be erased from my hard drives, potentially setting back a lot of work. I'm attaching Spysweeper log (sorry if it's a little bit bigger than most logs - I guess it's a combined log from the scan I did yesterday too - I had to zip it because as a text file it was close to 600KB) so you can take a look and maybe you can let me know what you think. Is it possible for a rootkit to name files that so specifically match real working files on my system? Or is it that these files are corrupted by the rootkit? Just trying to figure out whether I should delete them or if it's possible that SpySweeper is giving me a false positive. Thanks -
    albionmoon
     


  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run this again to make sure, download Blacklight to its own folder...

    F-Secure Blacklight

    After download is complete, double click to run the program. Click "Accept" to proceed. Then click SCAN to begin scanning your system.

    Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post along with a fresh HJT log.
     
  22. albionmoon

    albionmoon Private E-2

    Okay -
    I ran F Black Light and WinPFind (both in normal windows mode - and both before I let SpySweeper clean any of those trace files). I've attached the logs for both. F Black Light didn't find any rootkit problems and the log looks pretty slim. I'm also attaching a new HJT log as you requested. Thanks for all your help - hopefully we're getting closer.
     


  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  24. albionmoon

    albionmoon Private E-2

    Bjgarrick -

    Okay, I did the Ewido scan in safe mode as per the Chaslang thread and it found no infections. I have attached the log. You do realize that I didn't use the fix feature on SpySweeper, right? I don't know if I was clear about that before. I ran SpySweeper before Blacklight, etc...but I did not clear the items that SpySweeper found. Since Blacklight didn't find a rootkit, do you think that means those files that SpySweeper found were a false positive? Either way, let me know what you'd like me to do next. Thanks for your help -

    albionmoon
     


  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, they are not false positives, go back and update the definitions and run another sweep. Then fix all found infections and attach the new log with a fresh HJT log.
     
  26. albionmoon

    albionmoon Private E-2

    Okay -

    Well, I'm trying to clean using SpySweeper, but the trouble is now that I've selected remove, the program just seems to be sitting there. (I ran the program in Safe Mode) For about the first 45 minutes, the cursor was an hourglass, but since then it's back to normal cursor. However, I can't select any menu items or minimize SpySweeper. I was able to go into task manager. It shows that SpySweeper is running (it does not say "Not Responding") however when I go to the Processes tab SpySweeper doesn't seem to be using much CPU (if any) though it does have a constant 36,672 K of memory usage. It's been going like this for at least an hour with no change. I'm not sure if I should let it keep going, or try rebooting in Normal Windows mode and scan again. Any suggestions?

    thanks -
    albionmoon
     
  27. albionmoon

    albionmoon Private E-2

    Okay - don't worry about the last post, after a couple more hours I decided to end the application with Task Manager and rebooted into Normal Windows. I am currently doing the SpySweeper scan again and will see if it lets me remove/quarantine those files.

    - albionmoon
     
  28. albionmoon

    albionmoon Private E-2

    Well, in Windows Normal Mode I still have the same problem. SpySweeper does the scan, finds all the potential rootkit trace files but freezes when I try to remove them. I'm not sure if it's working on trying to remove them or if it's just stuck for some reason. In Normal Windows I cannot bring up the task manager (if you recall the same thing happened way down in post #12). I'll let it sit for a little while longer, but I don't know if SpySweeper is able to remove those trace files.

    - albionmoon
     
  29. albionmoon

    albionmoon Private E-2

    As I run the SpySweeper (I'm trying again to see if I can get it to remove) I notice that the trouble seems to stem from something named "ose.exe" Having googled it, I see that this is sometimes a legitimate MS application, however, the version I have of it is sitting on a media drive (drive V in my case) rather than on the drive with the OS. I've also noticed this app in other people's HJT logs posted around the web. Is this what you're concerned with? Does this application corrupt these other media files that come up as "trace" files? Just trying to see what it could all mean.

    - albionmoon
     
  30. albionmoon

    albionmoon Private E-2

    Bjgarrick -
    Sorry for all the posts, but I figured I probably wouldn't hear from you until late. I tried one more time to have SpySweeper remove those trace files. I let it sit up there for over three and a half hours, but still no movement. I don't know why SpySweeper can't seem to do it. As a test, I tried to have it remove 1 file (of the 2206) and that seemed to work - however, when I re-scanned I saw that file again, so I'm not sure it really removed it. But removal one at a time doesn't seem to be an option. If you can advise me what to do next, I'd appreciate it - though I'm going out of town for awhile after tomorrow, so I'm not sure we'll get this resolved before my SpySweeper trial version runs out.

    Thanks for all your help so far -
    albionmoon
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow the below steps...
    1. Please download and unzip Rootkit Revealer to your desktop.

    2. Please leave the defaults set as they are to:
      • Hide NTFS Metadata Files: this option is on by default
      • Scan Registry: this option is on by default.

    3. Launch rootkit revealer on the system and press the Scan button.

    4. RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time; please disconnect from the internet and leave the PC to be scanned until it is finished.

    5. The log can be very large; please edit out the items in the following folders in the log: C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.

    6. Please attach the log here in this thread to your next post.
     
  32. albionmoon

    albionmoon Private E-2

    I did the scan, but the log was actually very short and the scan didn't seem to take that long. There is only one discrepancy found. I have attached the log. Don't know if I'll hear from you until tonight, in which case I'll be away for awhile, but please let me know what you think I should do next and I'll take care of it when I return.

    Thanks -
    albionmoon
     


  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Very weird, SS is detecting those entries and nothing else is picking them up, not even the tools for it.

    Are you having any current problems?
     
  34. albionmoon

    albionmoon Private E-2

    Sorry about the long delay - I was out of town. I booted up the computer today and connected the ethernet cable for the first time since I started having these issues and things seem to be back to normal. I can browse to different pages without any problems. But were there things in my HJT log that you thought were causes for concern? It seemed like you were ready to go through a cleaning procedure before we used the Ewido suite and the Rootkit Revealer. Obviously, I'm not complaining that things are working, it just seems like things are still up in the air.

    Either way, thanks for your help -

    albionmoon
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since it has been a while, I would like to check a current HJT log and a fresh log from blacklight and rootkit revealer to confirm you are clean.

    Download the updated tools and attach the logs.

    Rootkit Revealer 1.7

    F-Secure Blacklight
     
  36. albionmoon

    albionmoon Private E-2

    Alright -

    I've done the FBlacklight and Rootkit Revealer scans (both in normal windows mode) and both came out clean. I attached the FBlacklight log, but the Rootkit Revealer log was a 0 bit file, so it won't upload (and it's blank anyway). Also have included new HJT log. Let me know what you think when you get a chance - thanks -
    albionmoon
     


  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

    Again, make sure ALL browser windows are closed when you click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate SEFQYV - Sysinternals - www.sysinternals.com and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, REBOOT and let me know how things are running.
     
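    The R0/R1 lines in post #37 are HijackThis's rendering of registry values, and the reason they are flagged is visible once they are parsed: two Start Page values pointing at a URL the user never chose, and a ProxyServer value (":0") with no host. The Python below is an added example, not part of this thread and not HijackThis code; it parses R0/R1 lines from a constructed log excerpt containing those same entries, flags any Start Page outside an operator-maintained allowlist, and flags a ProxyServer that is malformed or simply present. The allowlist and the sample log are assumptions.

```python
import re
from typing import Dict, List, Optional

# HijackThis R0/R1 line shape: "R0 - HIVE\key path,ValueName = value"
HJT_R_LINE = re.compile(
    r"^(?P<kind>R[01]) - (?P<hive>HK(?:CU|LM))\\(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$"
)

# Constructed allowlist: what this operator expects IE's Start Page to be.
# about:blank is IE's own default; as this thread shows, it is not by itself proof of a hijack.
ALLOWED_START_PAGES = {"about:blank", "http://intranet.example/"}

# Constructed log excerpt using the entries quoted in post #37 plus two lines the parser ignores.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_r_line(line: str) -> Optional[Dict[str, str]]:
    """Split one R0/R1 line into kind, hive, key path, value name and value; None for other lines."""
    m = HJT_R_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["value"] = entry["value"].strip()
    return entry


def check_entry(entry: Dict[str, str]) -> Optional[str]:
    """Return a finding for a suspicious Start Page or ProxyServer value, else None."""
    name = entry["name"].strip().lower()
    value = entry["value"]
    if name == "start page":
        if value.lower() not in ALLOWED_START_PAGES:
            return f"{entry['hive']} Start Page is {value!r}, not an expected home page; reset after confirming its origin"
        return None
    if name == "proxyserver":
        host, _, port = value.rpartition(":")
        if not host or not port.isdigit() or int(port) == 0:
            return f"ProxyServer {value!r} has an empty host or port 0; residue of a hijack or a broken fix, clear it"
        # A well-formed proxy still routes every request through that host, so it must be intentional.
        return f"ProxyServer {value!r} is set; confirm it is an intended proxy and not interception"
    return None


def audit_hjt_log(text: str) -> List[str]:
    """Run the checks over every R0/R1 line of a HijackThis log and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_r_line(line)
        if entry is None:
            continue
        msg = check_entry(entry)
        if msg:
            findings.append(f"{entry['kind']}: {msg}")
    return findings


if __name__ == "__main__":
    for finding in audit_hjt_log(SAMPLE_HJT_LOG):
        print(finding)
```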
  38. albionmoon

    albionmoon Private E-2

    Okay -

    I've gone through your instructions and things are the same as yesterday in that I can go to webpages on mozilla just fine. I just tried using IE and the home page was still a blank page with the address about:blank - don't know why. However, I am able to browse to other pages in IE. I haven't tried resetting the home page since I wanted to hear your thoughts about that.

    AdAware found 10 Negligible objects (stuff like last office documents, files that were burned with nero, etc...) I cleaned them.

    S&D found three things which it always finds - Update Disable Notify, Antivirus Disable Notify and Firewall Disable Notify. I usually have these turned off in windows and these values show up in S&D. Normally, I ignore them in S&D, but this time for thoroughness sake, I cleaned them.

    cleanmgr - there wasn't much there to clean, but there was 4.2 megs worth of stuff in "compress old files". Since you didn't list it, I left it alone and just cleaned the temp, internet temp and recycle bin.

    Where should we go from here?
    - albionmoon
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run a Bit Defender scan and attach a log from this scan.
     
  40. albionmoon

    albionmoon Private E-2

    Okay, I'll do it. BTW, I ran the AdAware and S&D scans in normal windows mode. Should I have done them from Safe Mode? Should the bitdefender scan be done in Safe with Networking?

    thanks -
    albionmoon
     
  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's ok for those programs, I would prefer the Bit Defender scan be run in Safe Mode.
     
  42. albionmoon

    albionmoon Private E-2

    I did the bit defender scan in safe mode with networking - nothing was found (see attached log). However, after I did the scan, I couldn't use either browser (IE or Moz) to go to any sites - including Majorgeeks - so it seems like after awhile in Safe Mode (and perhaps normal mode too - just haven't left a browser up for an hour) that I can no longer get to other sites, even though I can initially on boot up. Any ideas?
    -albionmoon
     


  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What do you mean by you can't go to any sites? Why can't you? What does it do?
     
  44. albionmoon

    albionmoon Private E-2

    Sorry, I'll clarify. When I would type in an address in the browser and hit enter, the browser just sits there and then times out. Again, when I first boot up, I'm able to get to sites. When this problem first manifested, I couldn't get to any sites in Normal Mode and I could only get to sites in Safe Mode for awhile. After awhile (like say, after the time it takes to do an online scan) I will have this problem going to any other sites until reboot. And, like I mentioned, in IE I come up with that About:Blank website (which is just a blank page). Have I described this adequately?

    - albionmoon
     
  45. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have no signs of this hijacker though, I don't see why it's there.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file iefix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the iefix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    After you complete the above, reboot and see if your homepage is still the same.
     
  46. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also, Generate a StartupList log using HijackThis.
    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the Do you want to continue prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.
     
  47. albionmoon

    albionmoon Private E-2

    Did the iefix.reg and rebooted but IE homepage still came up as about:blank. I generated the HJT startup list and have attached it. Let me know what you find. Thanks -

    albionmoon
     


  48. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download About:Buster 6.0

    Get any updates if available then REBOOT into Safe Mode. Run a scan and attach the log to your next post.
     
  49. albionmoon

    albionmoon Private E-2

    I ran the About Buster 6.0 scan twice (as suggested by the program) but nothing was found. I've attached the log. What next?
    -albionmoon
     


  50. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download CWShredder and save to your desktop.

    Also, download HSFIX and save to your desktop.

    Unzip the contents of HSfix.zip (HSfix.reg) to your desktop.

    Double-click on HSfix.reg
    When it asks you to merge the information to the registry click "Yes".

    Start CWShredder
    Click "Fix" to remove the CWS infection.

    After you complete the above, reboot and let me know how things are shaping up.
     
