New About:Blank virus?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Oevern, Aug 23, 2005.

  1. Oevern

    Oevern Private E-2

    Hello, last week I noticed my homepage was being set to About:Blank. I thought perhaps it was just a mistake of mine, so I set the homepage to my original one. When I tried opening Internet Explorer again it crashed. IE won't open unless the homepage is About:Blank, and if it DOES open, then it crashes before the page finishes loading. I've run every scan possible and followed the instructions on this forum, but the problem is still there. Ad-Aware and Spybot do not detect anything. CWShredder caught CWS.MSConfig, but it removed it. I thought that fixed the problem, but IE still crashes. Was wondering if anyone else has had this problem.

    Would you guys like for me to post my HJT log?

    Any and all help will be appreciated. (I did run About:Buster, btw)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why do you think this is a new About:Blank problem?


    If you ran ALL steps in the READ ME FIRST and still have a problem, make sure you have booted to normal mode and run the steps below exactly as written:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Oevern

    Oevern Private E-2

    Here is the log. Sorry for the delay.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First a question/comment! Why are you running without an antivirus application and without a real software firewall?

    You do not have an about:blank hijacker problem.

    You can fix these next two O9 lines but they are not causes of problems.
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)


    I personally suggest nothing be in the Trusted Zone. So I would fix these below O15 lines too, unless you know for sure they are something you trust and it is also absolutely necessary for them to be in the TZ.
    O15 - Trusted Zone: http://*.travelers.com
    O15 - Trusted Zone: http://*.travelerspc.com
    O15 - Trusted Zone: http://*.travelers.com (HKLM)
    O15 - Trusted Zone: http://*.travelerspc.com (HKLM)


    The below items I have questions on. Do you know what they are for?

    \Tropical\applied\WINTAM\Homebase.exe
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.08.43&unknown&unknown&http://www.scion.com/scionConfigApp/scion/viewsection.jsp?forceLoad=1
    O16 - DPF: {079C27EF-B83A-44F5-AEDB-0BB0FFB88CDC} (ebWebScan.MainApp) - https://www.ebridge-solutions.com/files/ebwebscan.CAB
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://sef.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {6958D06D-6CBD-40EA-A6DA-5DB7C6C1B9C6} (eBridgeInstaller.Dialog) - https://www.ebridge-solutions.com/files/eBridgeInstaller.CAB
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://sef.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://sef.mlxchange.com/Control/IRCSharc.cab
    O16 - DPF: {A8BC5EDF-FB4E-4453-B759-4AF3281FDE02} (eBridge.Viewer) - https://www2.ebridge-solutions.com/files/eBridgeViewer.CAB


    I also suspect this wtbdsci32.dll file is not valid. I do not have any information on it and, as far as I know, it is not part of Windows Media Player. Do you have any information on it?
    O21 - SSODL: KB885492 - {A7744DB5-9903-0912-4CC0-7AEE94E09D87} - c:\program files\windows media player\wtbdsci32.dll


    Other than the above, I see no questionable lines or problems. You could try doing the below to see if it helps with your IE problems, but your issue may not be malware:

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixIE.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixIE.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  5. Oevern

    Oevern Private E-2

    Sorry about the delay again...got hit by hurricane Katrina.

    In response to your question/comment:
    This is a work computer and as far as I know there was an antivirus and firewall program on there. Perhaps it was removed, but I can assure you that they will be replaced.

    As for the trusted zones, those need to be in place in order for that website to work.

    I will try to fix the problem using your guidelines, but as of now there is still no power in the office.

    I appreciate all of your help and hope to let you know how it went soon.

    Thanks!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let me know answers to my other questions too.

    Hope the hurricane did not cause too much damage!
     
  7. Oevern

    Oevern Private E-2

    Okay, let's see where to begin. I finally got power back in the office, so I was able to do the things you told me to do. I thought it was working, but when I change my homepage to something other than about:blank, it did not allow me to open IE. Actually, it opens IE, but before it can load the homepage it crashes and asks me to send the report to Microsoft or whatever it is (never really stopped to read it).

    As for the list of things you asked me if I knew what they were...the only one I don't recognize is:

    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...jsp?forceLoad=1

    Other than that everything else is for work.

    "I also suspect this wtbdsci32.dll file to not be valid"

    I also do not know what the above .dll file is. Never seen it before.

    I hope that was enough information. I really have no clue what the problem is at this point...IE just doesn't want me to change my homepage! I know it's probably easier to just use Firefox, but I was hoping to fix this problem instead of just ignoring it.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Were you able to use the registry patch that I gave you? Did you get a message that it was added in successfully?

    Okay run HJT and have it fix the two other unknowns:
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...jsp?forceLoad=1
    O21 - SSODL: KB885492 - {A7744DB5-9903-0912-4CC0-7AEE94E09D87} - c:\program files\windows media player\wtbdsci32.dll

    Then boot into safe mode and delete:
    c:\program files\windows media player\wtbdsci32.dll


    Now reboot in normal mode and post a new HJT log.
     
  9. Oevern

    Oevern Private E-2

    I was able to use the patch and it seemed to have fixed the problem, but really it only made IE stay open for a second or two longer than usual...then it crashed.

    I deleted the two unknowns and I deleted the .dll file.

    I haven't had a chance to re-install the anti-virus program, nor have I installed the firewall program yet, so please don't kill me! :( The HJT log is below!
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the below O17 line's IP addresses valid for you? Look at who they belong to at the bottom.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{116E9A21-2F73-4F5F-9C32-FEA2450B1AFB}: NameServer = 216.4.122.8,216.4.122.2


    Code:
     216.4.122.8 = [ ns2.cofs.com ]

     OrgName:    XO Communications
     OrgID:      XOXO
     Address:    Corporate Headquarters
     Address:    11111 Sunset Hills Road
     City:       Reston
     StateProv:  VA
     PostalCode: 20190-5339
     Country:    US
     
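    As an added example (not HijackThis, MajorGeeks or either poster's code), the script below encodes the review rules chaslang applied to the O9/O15/O16/O17/O21 lines in this thread: dangling "(file missing)" entries, Trusted Zone entries, ActiveX (DPF) downloads from hosts the log owner has not vouched for, SSODL DLLs, and NameServer addresses that differ from the expected resolver. The vouched-for host list, the expected resolver address and the sample log are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Hosts the log owner vouched for ("everything else is for work") and the resolver
# the machine should use; both are assumptions made for this example.
TRUSTED_DPF_HOSTS = {"sef.mlxchange.com", "www.ebridge-solutions.com",
                     "www2.ebridge-solutions.com"}
EXPECTED_DNS = {"192.0.2.53"}  # constructed placeholder, not a real resolver

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
NS_RE = re.compile(r"NameServer = ([\d.,]+)")

def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, reason) when an HJT log line deserves review, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O9" and "(file missing)" in body:
        return section, "dangling Extra button/menu item; harmless but fixable"
    if section == "O15":
        return section, "Trusted Zone entry; keep only if a required site needs it"
    if section == "O16":
        host = URL_HOST_RE.search(body)
        if host and host.group(1).lower() not in TRUSTED_DPF_HOSTS:
            return section, f"ActiveX (DPF) download from unvouched host {host.group(1)}"
    if section == "O17":
        ns = NS_RE.search(body)
        odd = [ip for ip in (ns.group(1).split(",") if ns else []) if ip not in EXPECTED_DNS]
        if odd:
            return section, "NameServer not the expected resolver: " + ", ".join(odd)
    if section == "O21":
        return section, "SSODL DLL loaded at logon; verify file origin and signature"
    return None

def triage_log(text: str) -> List[Tuple[str, str]]:
    """Triage every line of an HJT log, keeping only the flagged ones."""
    return [hit for hit in map(triage_line, text.splitlines()) if hit]

# Constructed sample built from the lines quoted in this thread.
SAMPLE_LOG = r"""
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://*.travelers.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://sef.mlxchange.com/Control/MultiSelectComboBox.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{116E9A21-2F73-4F5F-9C32-FEA2450B1AFB}: NameServer = 216.4.122.8,216.4.122.2
O21 - SSODL: KB885492 - {A7744DB5-9903-0912-4CC0-7AEE94E09D87} - c:\program files\windows media player\wtbdsci32.dll
"""
```

Running `triage_log(SAMPLE_LOG)` flags five of the six lines; the mlxchange DPF entry passes because its host is on the vouched-for list.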
     
  11. Oevern

    Oevern Private E-2

    Never seen that IP or address in my life. Should I go ahead and fix it?
     
  12. Oevern

    Oevern Private E-2

    Started up in safe mode, ran every scan again, and they found nothing...started up on normal mode, changed my homepage again, and it seems to be working. No idea why it decided to start working now, but it is.

    Thanks for all of the help. I really appreciate it.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Have HijackThis fix that line.

    Are you having any other problems now?
     
  14. Oevern

    Oevern Private E-2

    Problem fixed. Thanks for all of the help!!!!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

