about:blank + windows explorer errors

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by deanseguin, Oct 21, 2004.

  1. deanseguin

    deanseguin Private E-2

    hi,
    i'm hoping someone can help me. it looks like i have some sort of virus/spyware on my system. i continuously get the about:blank page when starting internet explorer. also, i cannot access windows explorer (control panel, my computer, my documents, etc.) windows explorer says there is a problem and shuts down.

    i have tried running adaware + updated plugin plvx2 cleaner, ccleaner, spysubtract, aboutbuster, hijackthis and cwshredder. i have also attempted to boot in safemode and try some free online scans with no luck.

    anyone? thanks, dean
    :rolleyes:
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should read the tutorial in this Sticky thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. deanseguin

    deanseguin Private E-2

    hi,

    okay, i ran hijack this with my browser off. i have attached a hijackthis txt file.

    thanks.
    dean
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow directions on where to put HijackThis and you have two sessions running. Move it to a proper non-temp directory of its own and do not run it from the ZIP file. Try putting it in c:\Program Files\HJT. The below is what you have now.
    C:\Documents and Settings\USER 1\Local Settings\Temp\Temporary Directory 3 for hijackthis-1.zip\HijackThis.exe
    C:\Documents and Settings\USER 1\Local Settings\Temp\Temporary Directory 4 for hijackthis-1.zip\HijackThis.exe

    You must fix the above before continuing.
    Did you post your complete HJT log? Normally there are a load more lines after the O4 lines.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Make sure you have downloaded About:Buster and extracted it to a place you can find it. We will run it later.
    http://majorgeeks.com/download4289.html

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINDOWS\System32\mspxs32.dll
    O3 - Toolbar: (no name) - {51608218-4AC0-4177-8A08-10AF3852EEA7} - (no file)
    O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
    O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\mspxs32.dll
    C:\WINDOWS\System32\explorer32.exe
    Run About:Buster and save the log to a .txt file.
    Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
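
Added example, not part of the thread and not HijackThis's own code: a small Python parser for the entry-line format quoted in the post above (R0/R1 Internet Explorer registry values, O2/O3 browser add-ons, O4 Run entries) that lists the settings pointing at about:blank and the files an analyst would need to locate and verify. The field names and the `summarize` helper are assumptions of this sketch; the sample lines are copied from the post.

```python
import re

# Sample input: entry lines copied from the log excerpt quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINDOWS\System32\mspxs32.dll
O3 - Toolbar: (no name) - {51608218-4AC0-4177-8A08-10AF3852EEA7} - (no file)
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")          # "<code> - <body>"
REG_VALUE = re.compile(r"^(HK\w+)\\(.+),(.+?) = (.*)$")         # key,value = data
COM_ITEM = re.compile(r"^(BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_ITEM = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_entry(line):
    """Return a dict for one HijackThis entry line, or None for any other line."""
    m = ENTRY.match(line)
    if not m:
        return None
    code, body = m.groups()
    entry = {"code": code, "kind": "other", "raw": body}
    if code in ("R0", "R1") and (r := REG_VALUE.match(body)):
        hive, key, name, data = r.groups()
        entry.update(kind="ie-setting", hive=hive, key=key, name=name, data=data)
    elif code in ("O2", "O3") and (c := COM_ITEM.match(body)):
        _, label, clsid, path = c.groups()
        # "(no file)" means the registration exists but the DLL is missing.
        entry.update(kind="ie-extension", label=label, clsid=clsid.upper(),
                     file=None if path == "(no file)" else path)
    elif code == "O4" and (a := RUN_ITEM.match(body)):
        hive, key, name, command = a.groups()
        # The command line is kept whole; arguments are not split off here.
        entry.update(kind="autostart", hive=hive, key=key, name=name, file=command)
    return entry

def summarize(log_text):
    """Group parsed entries into review lists; these are hints, not verdicts."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    return {
        "blank_ie_settings": sorted(f"{e['hive']}:{e['name']}" for e in entries
                                    if e["kind"] == "ie-setting" and e["data"] == "about:blank"),
        "orphaned_extensions": [e["clsid"] for e in entries
                                if e["kind"] == "ie-extension" and e["file"] is None],
        "files_to_verify": sorted({e["file"] for e in entries if e.get("file")}),
    }
```

The same file appearing under both the HKLM and HKCU Run keys collapses to one path in `files_to_verify`, which matches the two files the post asks to be removed in safe mode.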
     
  5. deanseguin

    deanseguin Private E-2

    Hi there,

    Okay, firstly, I moved the HJT program to its own folder.

    Secondly, I believe the reason then and now, that the HJT log seemed small is perhaps because I am usually running HJT in 'Safe Mode'. Now, the reason why I have been running it in safe mode is because I am only able to retrieve files from Windows Explorer in safe mode and not in normal mode. Therefore, I have had to run HJT from safe mode. Let me know if this is not satisfactory and if there is a way around it.

    I deleted all the lines you requested when I ran HJT. The only things I was unsuccessful in deleting were:
    C:\WINDOWS\System32\mspxs32.dll
    C:\WINDOWS\System32\explorer32.exe
    from windows explorer. I couldn't find them.

    I ran aboutbuster. I also used the tools function to reset web settings, delete cookies, etc.

    After rebooting in normal mode, I now have a different problem on my hands. I am now able to open up the main window in windows explorer, but as soon as I try to click on anything, it shuts down or freezes. Also, IE and other programs are freezing and non-responsive. It seems that IE is attempting to start up at msn.com tho rather than about:blank.

    I have posted my HJT for your perusal once again. Please let me know if there is anything else we can look at.

    Cheers,

    Dean
     


    Last edited by a moderator: Oct 24, 2004
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run HijackThis from normal boot mode and save the log. Then post it back here. There is no reason why you need to retrieve files with Windows Explorer to post your log. Just boot normal, run HijackThis, do a scan, save the log to a .txt file. And come back here and post the log.

    You did not post your About:Buster log as I asked.
     
  7. deanseguin

    deanseguin Private E-2

    hi,
    okay, i have attached the HJT and AboutBuster logs that were performed from normal boot. thanks.

    dean
     


  8. Kodo

    Kodo SNATCHSQUATCH

    This HJT log looks clean to me.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It certainly is!

    Any problems remaining Dean?
     
  10. deanseguin

    deanseguin Private E-2

    Chaslang & Kodo,

    Yes, I am still having major problems. Since your last request of deleting all the files from HJT and About Buster, I am now not able to do certain things:

    I am not able to:

    Open IE, or it takes an extremely long time (3-5 minutes) to open a window, yet there is no page search or data transfer. Just a blank page with the "windows icon flag" flowing. This is from the desktop icon or bottom taskbar icon. When I put the mouse cursor over the icon and left click, it doesn't even turn shadowed.

    Also, I can't go to 'Start', left or right click, therefore, I cannot turn off my computer without simply turning the power off.

    I don't know if I deleted something wrong during HJT cleanup or what.

    All other programs on my desktop (photoshop, quark, etc) will open but usually freeze and become non-responsive.

    Any suggestions??

    Thanks so much.

    Dean
     
  11. deanseguin

    deanseguin Private E-2

    OK, yet another update to this problem. As I am typing away here on another computer across the room, I see the monitor at my computer all of a sudden pop up like 5 homepages of IE, WMP, START menu, etc. because of all of my attempts at opening them about 20 minutes ago. So, it appears that my computer is being extremely slow.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try temporarily disabling (one at a time) your firewall and then your virus application and tell me if you see a speed-up.

    Also try hitting CTRL-ALT-DEL to bring up Task Manager, then click Processes, look in the CPU column and tell me which processes have the highest numbers in that column. System Idle should normally be the largest (90 to 99) when not actually doing anything.

    Did you put the below program on your PC?
    C:\PROGRA~1\GOLDEN~1\CDGHOS~1\MndlSvr.exe

    It is Goldensoft CD Ghost related - turns a computer into a 200X-speed CD-ROM tower. Working from the hard drive, users can simultaneously access as many as 23 virtual CD-ROM drives at a speed of 200X for true multitasking.

    See if it is a problem.
     
    Last edited: Oct 26, 2004
  13. deanseguin

    deanseguin Private E-2

    chaslang -

    i attempted to disable my firewall and anti-virus programs one at a time to no avail.

    certain parts of my computer are so slow right now that when i do a control-alt-delete believe it or not, the box doesn't always pop up. i'm using mozilla firefox right now because my IE won't open (it probably will in 10 minutes from now) - the highest number in the CPU portion of processes is the system idle sitting around 95-96. otherwise, all others are at 00.

    i'm not sure what the goldensoft cd host program is, how can i use it? it was probably on the computer prior to me buying it.

    any other advice? this is very strange.

    dean
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean to no avail? Does that mean you could not disable them or that it did not help?

    Since you do not know what Goldensoft is, you should look in Add/Remove programs for an uninstall and uninstall it. If you cannot find an uninstall, do the following:

    Exit all browsers and any other programs.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it (just wait for it to popup);
    C:\PROGRA~1\GOLDEN~1\CDGHOS~1\MndlSvr.exe

    then have HijackThis fix the below line:
    O4 - HKLM\..\Run: [Goldensoft_MndlSvr] C:\PROGRA~1\GOLDEN~1\CDGHOS~1\MndlSvr.exe

    Boot in safe mode and use Windows Explorer to delete:
    C:\PROGRA~1\GOLDEN~1\CDGHOS~1\MndlSvr.exe
     
