Assistance needed. About:Blank Problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Taos, Jul 4, 2004.

  1. Taos

    Taos Private E-2

    I have Ad-Awared, Spybotted, CWShredded and HiJack-This'd to no avail. I know that my problem .dll file is called Nlg.dll but all of my attempts to delete it have failed.

    Here is my HiJack-This Log.

    Logfile of HijackThis v1.98.0
    Scan saved at 4:28:26 PM, on 7/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MATTHEW'S STUFF\WINAMP\WINAMP.EXE
    C:\MATTHEW'S STUFF\EXTRA\SYSTEM UTILITIES\HI JACK THIS MUTHA****ER\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.searchalot.com/netscape"); (C:\Program Files\Netscape\Users\default\prefs.js)
    N3 - Netscape 7: user_pref("browser.startup.homepage", " http://my.yahoo.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0wq1cnph.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_06.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0wq1cnph.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\2.BIN\MYBAR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\MATTHE~1\EXTRA\SYSTEM~2\SPYBOT\SDHELPER.DLL
    O2 - BHO: (no name) - {8AED1F49-A064-4E80-B4A8-DAF6F85DA437} - C:\WINDOWS\SYSTEM\NLG.DLL
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\2.BIN\MYBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
    O4 - Startup: PowerReg Scheduler.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: PhoenixNet - {73d85280-8f1c-11d4-ad43-f4115b70c73d} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {AFCB9DB1-432B-11D2-B846-00A0C9DDB7DE} (SPCXpresso) - http://www.stocktalklive.com/livepage/x...es/xpp.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v15...ontrol.cab
    O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/iraqisolit...548728.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: DigiChat Applet - http://host5.digichat.com/DigiChat/Digi...ent_IE.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me...Client.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_3...lashAX.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
    O18 - Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - (no file)
    O18 - Filter: text/html - {27A81CA6-3B2D-42F3-95B4-29D327934313} - C:\WINDOWS\SYSTEM\NLG.DLL
    O18 - Filter: text/plain - {27A81CA6-3B2D-42F3-95B4-29D327934313} - C:\WINDOWS\SYSTEM\NLG.DLL

    I know that the last two O18 lines should not be there and that the 2 R1 lines that end in about:blank should also not be there. I have deleted these 4 lines before and rebooted; however, they re-appear. I know I'm missing something, can anyone lend me a hand?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may want to print these instructions because I'm going to have you disconnect from the Internet at a particular point.

    1) Make sure you have downloaded, installed, and updated Ad-aware to the current reference lists. But do not run it yet!

    2) Please download this tool called about:buster from: http://tools.zerosrealm.com/AboutBuster.zip
    Unzip it to your desktop but do not run yet.

    3) This step is very important! Disconnect from the Internet completely (i.e., drop analog modem connections, unplug ethernet cables, etc.).

    4) Make sure at this point all Internet Explorer and Win Explorer sessions are shut down. Do not open them again until instructed to.

    5) Now start HijackThis and have it fix ONLY the following lines (some of these are not related to about:blank but they need to be fixed anyway):

    O2 - BHO: (no name) - {8AED1F49-A064-4E80-B4A8-DAF6F85DA437} - C:\WINDOWS\SYSTEM\NLG.DLL
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
    O18 - Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - (no file)
    O18 - Filter: text/html - {27A81CA6-3B2D-42F3-95B4-29D327934313} - C:\WINDOWS\SYSTEM\NLG.DLL
    O18 - Filter: text/plain - {27A81CA6-3B2D-42F3-95B4-29D327934313} - C:\WINDOWS\SYSTEM\NLG.DLL

    Exit HijackThis.

    6) Run about:buster and click start. Be patient, it takes a while for this to go through all the files it has to look at. The faster your PC, the faster it gets done.

    7) Run HijackThis again and fix the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


    8) Run a full scan with Ad-aware. Since I have you disconnected from the Internet, here's how to do a full scan. The following explains how to set Ad-aware's settings to perform a "Full Scan."

    In Ad-aware click the Gear to go to the Settings area. The following items should be on a green check, not on a red X.

    Under the Scanning button:

    - Scan within archives
    - Under Memory & Registry, Check EVERYTHING
    - In Check Drives & Folders, make sure all of your hard drives are selected

    Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

    Under the Tweak button...

    Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

    In Scanning Engine:

    - Unload recognized processes during scanning
    - Include info about ignored objects in logfile, if detected in scan
    - Include basic Ad-aware settings in logfile
    - Include additional Ad-aware settings in logfile
    - Include used command line parameters in logfile

    In Cleaning Engine:

    - XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
    - Let Windows remove files in use at next reboot
    - UNCHECK: Automatically try to unregister objects prior to deletion

    Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.

    9) Restart your computer.

    10) Search your PC for the NLG.DLL file mentioned in step 5. Use the following method so that the search includes hidden files:
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter NLG.DLL
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Then click the Search button.

    If you find the file, delete all occurrences of it. If the above procedure has not yet deleted the file, we would expect it to be in C:\WINDOWS\System.

    11) Reconnect to the internet now.

    12) Post a new HijackThis log and let me know how things are working.
     
    Last edited: Jul 4, 2004
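Triage logic for the pattern in this thread, added here as an example and not a tool from the poster, the expert or HijackThis: it parses HijackThis-style log lines and flags the entries the expert marked for fixing (a search page redirected to a file in TEMP, text/html and text/plain O18 MIME filters backed by a third-party DLL, and the O2 BHO that shares that DLL). The sample lines are copied from the log above; the detection rules and the `triage` and `basename` helpers are assumptions of this example.

```python
import re

# Constructed sample: a verbatim subset of the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {8AED1F49-A064-4E80-B4A8-DAF6F85DA437} - C:\WINDOWS\SYSTEM\NLG.DLL
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O18 - Filter: text/html - {27A81CA6-3B2D-42F3-95B4-29D327934313} - C:\WINDOWS\SYSTEM\NLG.DLL
O18 - Filter: text/plain - {27A81CA6-3B2D-42F3-95B4-29D327934313} - C:\WINDOWS\SYSTEM\NLG.DLL
"""
LINE_RE = re.compile(r"^(?P<sec>[RNO]\d+) - (?P<body>.+)$")
FILTER_RE = re.compile(r"^Filter: (?P<mime>\S+) - \{[^}]+\} - (?P<path>.+)$")
BHO_RE = re.compile(r"^BHO: .+ - \{[^}]+\} - (?P<path>.+)$")
TEMP_FILE_URL_RE = re.compile(r"= file://.*\\temp\\", re.IGNORECASE)
# A normal IE install has no pluggable MIME filter for these types; a DLL that
# registers one sees every page before it renders and can rewrite it.
HIJACKER_MIME_TYPES = {"text/html", "text/plain"}

def basename(path):
    return path.rsplit("\\", 1)[-1].upper()

def triage(log_text):
    """Return (findings, filter_dlls): findings are (severity, reason, line)
    tuples; filter_dlls are DLL names backing a text/html or text/plain filter."""
    findings, filter_dlls, bhos = [], set(), []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and TEMP_FILE_URL_RE.search(body):
            findings.append(("high", "search setting points at a local page in TEMP", raw))
        elif sec == "O18":
            f = FILTER_RE.match(body)
            if f and f.group("mime").lower() in HIJACKER_MIME_TYPES:
                filter_dlls.add(basename(f.group("path")))
                findings.append(("high", "third-party MIME filter on " + f.group("mime"), raw))
            elif body.endswith("(no file)"):
                findings.append(("low", "orphaned O18 registration", raw))
        elif sec == "O2":
            b = BHO_RE.match(body)
            if b:
                bhos.append((basename(b.group("path")), raw))
    # A BHO loaded from the same DLL as the filter is what re-creates the
    # registry entries after they are removed by hand, so it goes with them.
    for dll, raw in bhos:
        if dll in filter_dlls:
            findings.append(("high", "BHO shares DLL with the hijacking MIME filter", raw))
    return findings, filter_dlls
```

The Adobe BHO in the sample is left alone because no filter points at its DLL, which is the distinction the expert draws between the O2 lines to keep and the one to fix.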
