Spybot Search-Destroy, can't kill a virus

I got a computer off my sister and connected to the net. I downloaded Avast, Ewido and Spybot Search-Destroy, after a lot of difficulty because it obviously had lots of viruses. I ran them all and removed most of them, but it still has a virus? I run Avast and it doesn't find anything; I then run Spybot and it finds 5 entries, so I remove them, but run it again and they're still there every time? I have no idea how to get rid of them. Also it says my browser page is called "about blank", and if I try to change the home page it won't highlight, and you can't enter an address in the address box. I'm so frustrated; it keeps sending messages flying past saying your computer may be infected, as if I don't know. It's driving me nuts. Has it hijacked my browser and can I do anything? I'm running Windows XP. HELP please :cry:

Hi staniclayton,

Please download and run CWShredder:

http://www.intermute.com/spysubtract/cwshredder_download.html

Then try a scan with Ewido and Spybot in safe mode. (Tap F8 while rebooting.)

Ad-Aware would be worth trying at the same time.

http://www.download.com/3000-2144-10045910.html

If this doesn’t work, you’ll have to follow the manual instructions here:

http://www.pchell.com/support/aboutblank.shtml

Good luck!


Welcome to the forums, staniclayton! :slight_smile:

Please let us know if you were able to follow Frank's instructions, if you were successful, or if you need more help.


:slight_smile: Those 5 items that your Spybot scan(s) keep finding are a fairly well known flaw in older versions of the program; it probably means you have Spybot 1.3 or earlier. Either uninstall that version and install their latest version 1.4, or go to http://www.majorgeeks.com/Spybot_-_Search_and_Destroy_DSO_Exploit_Fix_d4392.html to “fix” the flaw. Any further info about Spybot should be directed to THEIR experts on THEIR forums at http://forums.spybot.info. If Frank's recommendations do NOT help, you should visit those Spybot forums and ask for help.

Hi, staniclayton. You have an about:blank infection. By its nature it keeps reinstalling itself. It requires special handling. I can help you with it, but I will need to see a HijackThis log first.

Click here to download HJTsetup.exe:
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the “Select Additional Tasks” dialogue.
Put a check by “Create a desktop icon” then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch HijackThis.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click “Save” to save the log file and then the log will open in Notepad.
Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

We can take it from there :slight_smile:

doc_esb

Check this out: About:Blank Homepage Hijacker Removal Instructions and Help

Logfile of HijackThis v1.99.1
Scan saved at 13:41:29, on 13/02/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {1C2E2A69-E4F8-B309-A6BC-70A9AC10DBFD} - (no file)
O2 - BHO: (no name) - {1EB77D8F-DC5A-7E55-59FC-844CAE64FC70} - (no file)
O2 - BHO: (no name) - {241F4AD4-BEDA-EE12-A99D-3A6CB9B33A5F} - (no file)
O2 - BHO: (no name) - {27C69AB9-7058-A173-08CD-4881744A47E8} - (no file)
O2 - BHO: (no name) - {31C94FA3-13E4-1D4B-B350-6A09F9B4EDDA} - (no file)
O2 - BHO: (no name) - {70B6D242-A76A-A3E8-4E2F-D03FF4541BA9} - (no file)
O2 - BHO: (no name) - {786B4BBD-2875-0E73-6FA4-33EBB3208A2D} - (no file)
O2 - BHO: (no name) - {7D52FC72-76A8-77EF-270D-8A1A8EA30F96} - (no file)
O2 - BHO: (no name) - {A19A66EB-CF29-CC81-77FC-5375D97AE8AD} - (no file)
O2 - BHO: (no name) - {A8D30C47-4510-9BB5-0432-574064529B27} - (no file)
O2 - BHO: (no name) - {A9E6449F-9343-AB84-AD4D-BB624005A22A} - (no file)
O2 - BHO: (no name) - {D249D817-722E-0E58-A372-0C213DCEDBA7} - (no file)
O2 - BHO: (no name) - {D3E658EA-D131-DCCF-DC18-81C5D9AD1C73} - (no file)
O2 - BHO: (no name) - {D82288C4-27D9-EACA-FB1E-9D7DB067AC72} - (no file)
O2 - BHO: (no name) - {E299E38F-A5EB-7A8D-9ABD-20615EA0FEC2} - (no file)
O2 - BHO: (no name) - {E3BCE414-E67C-A5E2-B041-270AA8258696} - (no file)
O2 - BHO: (no name) - {E8D62ACA-CF32-E7DB-57E6-D6B08BECF4C9} - (no file)
O2 - BHO: (no name) - {EAF521EB-5513-475B-B2B3-4D4B1195A1B0} - (no file)
O2 - BHO: (no name) - {F477C3A3-BBD5-3B78-AB78-7F0E35C51A6A} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM..\Run: [15.tmp] C:\DOCUME~1\hayley\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM..\Run: [15.tmp.exe] C:\DOCUME~1\hayley\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [BDMCon] “C:\Program Files\Softwin\BitDefender8\bdmcon.exe”
O4 - HKLM..\Run: [BDNewsAgent] “C:\Program Files\Softwin\BitDefender8\bdnagent.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra ‘Tools’ menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip..{CF486D73-CCDB-4B64-8C20-24A1CA111FD0}: NameServer = 194.72.9.34 194.72.0.114
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

By the way, I ran CWShredder and it got another infection, but Spybot still couldn't remove ten entries, so I went and deleted the temporary internet files manually and then it worked. Plus Ewido then found another 36 entries, which were downloaders mostly! I removed them and things are OK except the “about blank” problem. I've followed the advice and posted the results of the scan under my original help post. Thanks for the help, it's invaluable! ;D

Your OS is so far out of date; current is SP2 with further updates. As a result of that you will also be running an out-of-date browser, IE6, which can't be fully updated until you have XP SP2 installed. These Service Packs and security updates fix many security vulnerabilities that are being exploited; with so many vulnerabilities it will be much harder to get your system clean.

See this link for an on-line analysis of your log http://hijackthis.de/logfiles/6887ddbf701ff4ca9387b168dd67003f.html.

I suggest you fix all the BHO entries as a start and check all the nasty, possibly nasty and unknown entries. You can use the paperclip icon to upload suspect files to be scanned, or use Google to search for info on the file names.
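As an added example (not code from this thread, from HijackThis, or from the hijackthis.de analyser), the script below applies the same kind of triage to lines of a HijackThis v1.99 log: R0/R1 browser settings pointed at about:blank, O2 BHOs registered with (no file), O4 Run entries that launch something out of a Temp folder, O6/O7 policy restrictions, and O23 services whose file is missing. The sample lines are copied from the log posted above; the severity labels and the rules themselves are my assumptions for illustration, not something HijackThis reports.

```python
"""Triage a HijackThis v1.99 log for the kinds of entries singled out in this thread.

Added example, not part of the forum thread or of HijackThis itself.
Severity labels and rules are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {1C2E2A69-E4F8-B309-A6BC-70A9AC10DBFD} - (no file)
O2 - BHO: (no name) - {1EB77D8F-DC5A-7E55-59FC-844CAE64FC70} - (no file)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [15.tmp] C:\DOCUME~1\hayley\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM..\Run: [15.tmp.exe] C:\DOCUME~1\hayley\LOCALS~1\Temp\15.tmp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    severity: str  # "high", "medium" or "info" (assumed labels)
    reason: str
    line: str


# "R1 - <body>", "O23 - <body>", ... ; header and process-list lines do not match.
SECTION_RE = re.compile(r"^(R0|R1|R3|F\d|O\d+) - (.*)$")
# O4 body: "HKLM\..\Run: [name] command" (the posted log shows "HKLM..\Run", so the
# backslash before ".." is optional).
RUN_RE = re.compile(r"^(HK\w+)\\?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line raises no flag."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and body.rstrip().endswith("about:blank"):
        return Finding(section, "high", "IE search/start setting points at about:blank", line)
    if section == "R3" and "URLSearchHook is missing" in body:
        return Finding(section, "info", "default URLSearchHook has been removed", line)
    if section == "O2" and body.rstrip().endswith("(no file)"):
        return Finding(section, "medium", "BHO CLSID registered with no backing file", line)
    if section == "O4":
        rm = RUN_RE.match(body)
        if rm and re.search(r"\\temp\\|\.tmp\.exe$", rm.group("cmd"), re.IGNORECASE):
            return Finding(section, "high", "autostart runs an executable from a Temp folder", line)
    if section == "O6":
        return Finding(section, "info", "IE Options restricted by policy (can lock the home page field)", line)
    if section == "O7" and "DisableRegedit=1" in body:
        return Finding(section, "medium", "Registry Editor disabled by policy", line)
    if section == "O23" and "(file missing)" in body:
        return Finding(section, "info", "service entry points at a missing file", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so the reader can see the shape of the log at a glance."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.line.strip()}")
    print(summarize(results))
```

Legitimate entries such as the RealPlayer and avast! Run lines pass through untouched, which is the point of a triage pass: it narrows the log to the handful of lines worth checking against an online analyser or a file-scanning service before anything is fixed.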

I ran HijackThis and removed all the entries with the security warnings in front of them. It removed the R1 entry, but I ticked all the BHO entries and when I scanned again they seem to be still there. I also went and downloaded the updates from the link given, which it seemed to do, but it still won't let me change the homepage. What else can I do? Will HijackThis always remove the files or do you have to do it manually? Thanks ???

Logfile of HijackThis v1.99.1
Scan saved at 17:18:09, on 13/02/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {1C2E2A69-E4F8-B309-A6BC-70A9AC10DBFD} - (no file)
O2 - BHO: (no name) - {1EB77D8F-DC5A-7E55-59FC-844CAE64FC70} - (no file)
O2 - BHO: (no name) - {241F4AD4-BEDA-EE12-A99D-3A6CB9B33A5F} - (no file)
O2 - BHO: (no name) - {27C69AB9-7058-A173-08CD-4881744A47E8} - (no file)
O2 - BHO: (no name) - {31C94FA3-13E4-1D4B-B350-6A09F9B4EDDA} - (no file)
O2 - BHO: (no name) - {70B6D242-A76A-A3E8-4E2F-D03FF4541BA9} - (no file)
O2 - BHO: (no name) - {786B4BBD-2875-0E73-6FA4-33EBB3208A2D} - (no file)
O2 - BHO: (no name) - {7D52FC72-76A8-77EF-270D-8A1A8EA30F96} - (no file)
O2 - BHO: (no name) - {A19A66EB-CF29-CC81-77FC-5375D97AE8AD} - (no file)
O2 - BHO: (no name) - {A8D30C47-4510-9BB5-0432-574064529B27} - (no file)
O2 - BHO: (no name) - {A9E6449F-9343-AB84-AD4D-BB624005A22A} - (no file)
O2 - BHO: (no name) - {D249D817-722E-0E58-A372-0C213DCEDBA7} - (no file)
O2 - BHO: (no name) - {D3E658EA-D131-DCCF-DC18-81C5D9AD1C73} - (no file)
O2 - BHO: (no name) - {D82288C4-27D9-EACA-FB1E-9D7DB067AC72} - (no file)
O2 - BHO: (no name) - {E299E38F-A5EB-7A8D-9ABD-20615EA0FEC2} - (no file)
O2 - BHO: (no name) - {E3BCE414-E67C-A5E2-B041-270AA8258696} - (no file)
O2 - BHO: (no name) - {E8D62ACA-CF32-E7DB-57E6-D6B08BECF4C9} - (no file)
O2 - BHO: (no name) - {EAF521EB-5513-475B-B2B3-4D4B1195A1B0} - (no file)
O2 - BHO: (no name) - {F477C3A3-BBD5-3B78-AB78-7F0E35C51A6A} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [BDMCon] “C:\Program Files\Softwin\BitDefender8\bdmcon.exe”
O4 - HKLM..\Run: [BDNewsAgent] “C:\Program Files\Softwin\BitDefender8\bdnagent.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra ‘Tools’ menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139846724944
O17 - HKLM\System\CCS\Services\Tcpip..{CF486D73-CCDB-4B64-8C20-24A1CA111FD0}: NameServer = 194.72.9.34 194.72.0.114
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

???

Has anything changed? I'm lost. About blank has gone but it still won't let me change my home page. I'm lost ???

Hi staniclayton. I understand your confusion. This is a very devious type of malware and requires a specific handling. That’s why it has not gone away yet despite the things that you’ve already tried. I am reviewing your latest HijackThis log now. I will be back shortly with specific instructions. Please do not do anything else to the computer in the meantime as that will make the job much more difficult. If we do this thing properly, we can get the pc cleaned up. :slight_smile:

doc_esb

Also, please take note of my comments on your OS: with so many vulnerabilities unpatched by the latest service packs and security updates, I'm afraid you will be fighting an uphill battle.

I also notice BitDefender installed; is this the on-demand or resident scanner version? Two resident AVs aren't advised as they can cause conflict.

Yes, Thanks DavidR. I agree totally. I noticed that as well. These Service Packs must be installed and one of the antivirus programs needs to go. I would advise the same once the system is clean.

Doc_esb

OK staniclayton,
please follow these instructions carefully and if you have any questions along the way, feel free to stop and ask, but once you’ve disconnected from the net, go to another computer and ask.

Go here and download About:Buster.
Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the aboutbuster.exe icon and then click on the Update button to check for new updates. If any updates exist, please install them. Do not run it yet.

Now, download Pocket killbox from here. Leave it on the desktop for now. We may need it later.

Next, download CleanUp! from here. Save it to your desktop. Don’t run it yet.

Open CWShredder and click the “Check for Update” button. Download the updates if it says a new version is available. Then exit the program; you will run it later.

You will need to update Ewido to the latest definition files.

* On the left-hand side of the main screen click the Update button.
* Click on Start. The update will start and a progress bar will show the updates being installed.

Once finished updating, close Ewido. Do NOT run it yet.

Print out the following instructions or copy them to Wordpad as you will not have internet access for a bit.

Now, please close all browsers and physically pull the cord to your internet connection and remain disconnected for the remainder of the fix. Do NOT open up Internet Explorer or Outlook Express again until the fix is complete. The infection will attempt to reinstall itself if you do.

Now let’s set Windows to show all files:

To enable the viewing of Hidden files follow these steps:

  1. Close all programs so that you are at your desktop.
  2. Double-click on the “My Computer” icon.
  3. Select the “Tools” menu and click “Folder Options”.
  4. After the new window appears select the “View” tab.
  5. Put a checkmark in the checkbox labeled “Display the contents of system folders”.
  6. Under the Hidden files and folders section select the radio button labeled “Show hidden files and folders”.
  7. Remove the checkmark from the checkbox labeled “Hide file extensions for known file types”.
  8. Remove the checkmark from the checkbox labeled “Hide protected operating system files”.
  9. Press the “Apply” button and then the “OK” button and shutdown My Computer.
  10. Now your computer is configured to show all hidden files.

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under “More advanced search options”, make sure there is a check by “Search System Folders”, “Search hidden files and folders” and “Search system subfolders”.

Reboot the computer into Safe Mode. (If you’re not sure how to do this, click this link):
http://www.bleepingcomputer.com/tutorials/tutorial61.htm

Now it’s time to run the AboutBuster program on the desktop.

Double-click on it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Please save the log so I can view it later. Then exit the program.

Now open up CWShredder. Press “Fix” > “OK” and when it’s done scanning, press “Next” > “Exit”.

Now open up HijackThis again and click on “Do a system scan only”.
When it finishes, put a check before the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {1C2E2A69-E4F8-B309-A6BC-70A9AC10DBFD} - (no file)
O2 - BHO: (no name) - {1EB77D8F-DC5A-7E55-59FC-844CAE64FC70} - (no file)
O2 - BHO: (no name) - {241F4AD4-BEDA-EE12-A99D-3A6CB9B33A5F} - (no file)
O2 - BHO: (no name) - {27C69AB9-7058-A173-08CD-4881744A47E8} - (no file)
O2 - BHO: (no name) - {31C94FA3-13E4-1D4B-B350-6A09F9B4EDDA} - (no file)
O2 - BHO: (no name) - {70B6D242-A76A-A3E8-4E2F-D03FF4541BA9} - (no file)
O2 - BHO: (no name) - {786B4BBD-2875-0E73-6FA4-33EBB3208A2D} - (no file)
O2 - BHO: (no name) - {7D52FC72-76A8-77EF-270D-8A1A8EA30F96} - (no file)
O2 - BHO: (no name) - {A19A66EB-CF29-CC81-77FC-5375D97AE8AD} - (no file)
O2 - BHO: (no name) - {A8D30C47-4510-9BB5-0432-574064529B27} - (no file)
O2 - BHO: (no name) - {A9E6449F-9343-AB84-AD4D-BB624005A22A} - (no file)
O2 - BHO: (no name) - {D249D817-722E-0E58-A372-0C213DCEDBA7} - (no file)
O2 - BHO: (no name) - {D3E658EA-D131-DCCF-DC18-81C5D9AD1C73} - (no file)
O2 - BHO: (no name) - {D82288C4-27D9-EACA-FB1E-9D7DB067AC72} - (no file)
O2 - BHO: (no name) - {E299E38F-A5EB-7A8D-9ABD-20615EA0FEC2} - (no file)
O2 - BHO: (no name) - {E3BCE414-E67C-A5E2-B041-270AA8258696} - (no file)
O2 - BHO: (no name) - {E8D62ACA-CF32-E7DB-57E6-D6B08BECF4C9} - (no file)
O2 - BHO: (no name) - {EAF521EB-5513-475B-B2B3-4D4B1195A1B0} - (no file)
O2 - BHO: (no name) - {F477C3A3-BBD5-3B78-AB78-7F0E35C51A6A} - (no file)

O4 - HKLM..\Run: [15.tmp] C:\DOCUME~1\hayley\LOCALS~1\Temp\15.tmp.exe

O4 - HKLM..\Run: [15.tmp.exe] C:\DOCUME~1\hayley\LOCALS~1\Temp\15.tmp.exe

O4 - HKLM..\Run: [BDMCon] “C:\Program Files\Softwin\BitDefender8\bdmcon.exe”

O4 - HKLM..\Run: [BDNewsAgent] “C:\Program Files\Softwin\BitDefender8\bdnagent.exe”

Then make sure ALL windows are closed except HijackThis and hit the “Fix checked” button.

Next, using Windows Explorer and/or the search function, navigate to and delete the file listed below if it is found to exist. Delete ONLY the file 15.tmp.exe itself, not the folders in its path.

C:\DOCUME~1\hayley\LOCALS~1\Temp\15.tmp.exe

If unable to delete the files above in safe mode, please use KillBox, which you downloaded earlier:
* Open KillBox.
* Highlight the list of names to delete, then CTRL-C to copy, and then paste all files into the box “Full Path of File to Delete” (e.g. C:\WINDOWS\System32\xxxxx.dll).
* Choose Delete on Reboot.
* Click the “Delete File” button, which looks like a stop sign.
* Click “Yes” at the Delete on Reboot prompt.
* If you get a “PendingFileRenameOperations Registry Data has been Removed by External Process!” message then just restart manually.

Now run the CleanUp! program that you downloaded:
Double-click on the icon.
Hit the “CleanUp!” button.
When the report window indicates that it has finished, hit the “Close” button. It’s that simple.

Let’s get an ewido Security Suite scan now. It will probably take a while, so please be patient.

Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

Open the program

Click on scanner

Click on Settings

* Under "How to scan" all boxes should be selected
* Under "Possibly unwanted software" all boxes should be selected
* Under "What to scan" select scan every file
* Click OK

Click on Complete system scan

Let the program scan the machine

If ewido finds anything, it will pop up a notification. Have it fix the entry and check “Perform action with all infections.”

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

Click Save report

Save the report to your desktop

Exit ewido

Now restart the computer back into Normal Mode.

Run a fresh HijackThis scan and save the log.

Reconnect to the internet and post the logs from AboutBuster, ewido, and THE LATEST HijackThis log back to this same thread.

There will still be some finishing touches to do, so please stay in touch.

:wink:

doc_esb

I removed BitDefender and installed Ad-Aware and ran that after deleting the entries in HijackThis, and Ad-Aware got whatever it was. I've now got my homepage back. Thanks a lot, you lot, much appreciated!!
;D

Nice work staniclayton. Glad to be of help. I would continue with DavidR’s advice now and get those service packs for XP and IE installed now – VERY IMPORTANT. Without them you run a serious risk of further infection.

Also, the AboutBlank infection is notorious for deleting the following legitimate files from Windows:

* control.exe
* rundll32.exe
* wmplayer.exe
* msconfig.exe
* notepad.exe
* shell.dll
* SDHelper.dll (if you have Spybot S&D)

If any are missing or not working properly then you can download new copies from Merijn's Files and follow the instructions at that site to put them where they belong for your OS.

You will also want to clean out your System Restore.
Doing this will remove all your restore points, and any infections that might be hanging in there.

Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the “Turn off System Restore” or “Turn off System Restore on all drives”.
Click Apply.
Click Yes to do this.
Click OK.
Then Restart your computer.

After you have restarted, turn System Restore back on:
Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Uncheck the “Turn off System Restore” or “Turn off System Restore on all drives” check box.
Click Apply, and then click OK.

Then create a new restore point once you have System Restore back on.
To create a new System Restore Point, click Start → All Programs → Accessories → System Tools → System Restore.
When the System Restore Utility opens, click “Create a Restore Point” then click Next.
Enter a name for this Restore Point, and click Create.

Best to you.

doc_esb