bshort1023
asked on
Cannot get rid of about:blank
My boss's homepage keeps redirecting to about:blank. I have run HijackThis, CWShredder, Ad-aware and Spybot (all updated before running). I can get it to go away but it always comes back. I get very little time on his PC to troubleshoot, and it always comes back when I'm not around, so I can't pinpoint whether it is coming back on its own (which would lead me to believe that it is somewhere on his PC) or whether he keeps hitting infected websites or pop-ups. I have been trying to infect my own PC so that I can troubleshoot better, but I have had no luck.
HELP!
Make a backup of the registry
and check these registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
Start --> Run --> type in "msconfig" and press "Enter"
Go to the Startup tab.
Disable all the applications there. Reboot the machine and check if it still comes back.
Also check this page http://www.spywareinfo.com/~merijn/cwschronicles.html (variant 35)
You may also want to install any of these pop-up blockers and check if it would work
Pop-up blocker:
---------------
http://home.rochester.rr.com/artcfox/Pop-Down/
http://www.panicware.com/product_psfree.html
http://zdnet.search.com/search?channel=56&cat=279tag=st.zd.sr.srch.zdnet&q=popup+killer
http://12ghosts.com/ghosts/popup.htm
http://www.webwasher.com/client/home/index.html?lang=de_EN
http://www.adsgone.com/download.asp
http://www.synergeticsoft.com/products/
Google toolbar: http://toolbar.google.com
Also, if nothing works, you may consider repairing or reinstalling IE.
Post back with results.
ASKER
Sorry, forgot to mention, Win2k sp4. I believe msconfig is XP only. Also it seems to be only on one profile.
Download it here: http://www.techadvice.com/win2000/m/msconfig_w2k.htm
Also check these registry entries, as msconfig checks these:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
ASKER
Where will I find the HiJackThis log? In the local folder I created for HiJackThis I see a file with no extension, a dll and an inf.
Once you finish running HijackThis, many entries will be listed.
Below that, click on "Save log" and save it as a text file. Then copy that and paste it here.
tell your boss to stop looking at the porn sites ;)
IE > Tools > Internet Options > 'Use Blank' causes this.
Is your boss expecting something else as a homepage ? Does it say 'about:blank' in IE > Tools > Internet Options ?
Are you sure he's not using something like Web Washer or History Killer to cover his tracks ?
This doesn't seem anything out of the ordinary to me. If he had malware or was surfing dodgy sites, then his homepage would be set to something a lot more interesting and devious than about:blank, eg www.ifantasiseaboutmonkeys.com or something ?
ASKER
He may very well be surfing porn sites, but he's not going to tell me that. I have now seen him go into Internet Options and change the homepage to msn.com. Close IE and open it back up, and about:blank is back. Sometimes it comes right back, sometimes it takes a while. Although the address bar reads about:blank, the actual page is a shopping/search page. I believe it is one of the CoolWebSearch pages. I am very surprised that CWShredder does not resolve this issue.
OK. The HijackThis log will be the only way for us to tell you how to remove this. There's going to be a dodgy entry in there somewhere that's hijacking your browser.
Probably best to send him an email to tell him how to do this so this can be resolved quickly. It's not too tricky to use - just install HiJackThis, run it, DON'T TICK ANYTHING, and generate a log file. Post it up here and we can tell you which boxes need ticking to rescue IE !!
ASKER
Logfile of HijackThis v1.97.7
Scan saved at 7:29:52 AM, on 4/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SurfControl\Web Filter\schedservice.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\SurfControl\Web Filter\sctaskbar.exe
S:\MSOffice2K\PFiles\MSOffice\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B18DFA1-50CE-40D7-9D36-7B0F70626CD9} - C:\WINNT\system32\leeen.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Microsoft Outlook.lnk = MSOffice2K\PFiles\MSOffice\Office\OUTLOOK.EXE
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Display Web Filter Icon in System Tray.lnk = C:\Program Files\SurfControl\Web Filter\sctaskbar.exe
O16 - DPF: NetCharts - http://10.1.1.10:8090/surf/NetCharts/classes/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38084.2438541667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
Here's the catch: I can remove everything having to do with leeen.dll from here and even delete leeen.dll (from safe mode), and it comes back later but with a different name (i.e. nfci.dll). Something is creating these DLLs.
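The R0/R1 lines in that log are exactly the IE registry values listed in the first answer, and the O2 line is the BHO that re-plants them. The following is an added triage script, not part of this thread or of HijackThis, that parses a HijackThis 1.x log for that pattern: R0/R1 values pointing at a res://<dll>/ page, correlated with any O2 BHO that loads the same DLL or an unnamed DLL from system32. The sample log lines are copied from the post above; the regexes are this example's own assumptions about the log format.

```python
"""Triage a HijackThis 1.x log for the CoolWebSearch pattern seen in this
thread: IE search/start values redirected to res://<dll>/..., plus an
unnamed O2 BHO loading that DLL. Added example; the sample is the log
posted above, reduced to the relevant lines."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B18DFA1-50CE-40D7-9D36-7B0F70626CD9} - C:\WINNT\system32\leeen.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Assumed line shapes for HijackThis 1.x R0-R3 and O2 entries.
R_LINE = re.compile(r"^(R[0-3]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)


def triage(log_text):
    """Map each suspect DLL path (lower-cased) to the list of log lines
    that implicate it. A DLL is suspect when an IE search/start value is
    a res:// page served from it, or when an unnamed BHO loads it from
    system32."""
    evidence = defaultdict(list)
    bhos = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            hit = RES_DLL.match(m.group("data").strip())
            if hit:  # IE value hijacked to a resource inside a DLL
                evidence[hit.group("dll").lower()].append(
                    f"{m.group(1)} {m.group('key')},{m.group('value').strip()} -> res:// page")
            continue
        m = O2_LINE.match(line)
        if m:
            bhos.append((m.group("name"), m.group("clsid"), m.group("path").strip()))
    for name, clsid, path in bhos:
        key = path.lower()
        if key in evidence:
            evidence[key].append(f"O2 BHO {clsid} loads the same DLL")
        elif name == "(no name)" and "\\system32\\" in key:
            # An unnamed BHO living in system32 deserves a look on its own.
            evidence[key].append(f"O2 unnamed BHO {clsid} in system32")
    return dict(evidence)


if __name__ == "__main__":
    for dll, hits in triage(SAMPLE_LOG).items():
        print(dll)
        for h in hits:
            print("   ", h)
```

On the posted log this reports only leeen.dll (three R entries plus its BHO) and leaves the Acrobat BHO alone; rerunning it on a fresh log after each cleanup shows whether the replacement DLL (nfci.dll in the thread) has taken over the same entries.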
Fortunately, there's an easy fix for this:
1) Close all browser windows
2) Use HijackThis to remove all the leeen.dll entries
3) Reboot into safe mode following the instructions here: http://service1.symantec.com/SUPPORT/ts...2409420406 and navigate to and delete C:\WINDOWS\System32\leeen.dll
..or whatever leeen.dll has decided to call itself again.. ;)
ASKER
Your link does not go to a good page, but I have deleted that dll from safe mode. It still comes back (in another form) later on.
Found a file in system32 this morning called "load.exe". Wasn't sure what this was. I checked a few other Win2k PCs and did not find it on those. I renamed it to "load.bad" and rebooted (I was waiting for it to crash) and so far it has been fine.
I won't believe this is fixed until it goes a few days at least without the problem.
Based on the load.exe file, that sounds like a variant of the Nimda virus... I also found the TROJ_DOAL virus (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DOAL.A&VSect=T) that could be related to the load.exe file; however, the symptoms do not sound like what is occurring here. I would recommend going to www.antivirus.com and running their online scanner (HouseCall) to see if it picks up any viruses. Odds are it will most likely find something. If it finds any viruses, you should be able to do a search for the virus name listed by the online scanner in Trend's virus encyclopedia and follow the cleaning directions from there.
Hope this helps...
see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.E for the information related to the nimda virus...
and while I am at it... http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.A is the original strain of the virus, could be what is hitting the pc also....
There appear to be at least two viruses / browser hijacks on his system !!
Don't worry about the link that didn't work - it was just instructions on how to get into safe mode, which you've done anyway...
ASKER
I have already run McAfee's latest dat files and have come up with nothing new. When this whole thing started it did find something called Adware-CWS and quarantined it.
With auditing turned on an entry gets created in the Event Viewer that shows the new dll being created.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/19/2004
Time: 3:49:49 PM
User: (User name removed)
Computer: (Computer name removed)
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINNT\system32\hhhinn.dll
New Handle ID: 1532
Operation ID: {0,595673}
Process ID: 1512
Primary User Name: XXX
Primary Domain: XXX
Primary Logon ID: XXX
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes
Privileges -
As I am writing this I am running another virus scan (McAfee) on the C: drive and it has found Adware-SearchX, which I see has just been added in the latest DAT release as a "potentially unwanted program". The stranger part is that they are in the HijackThis folder on the C: drive. They are backup-<long string of #'s>.dll. It also found all of the old DLLs that my boss keeps renaming as xxx.bad (instead of xxx.dll).
I'll clean these out and see what happens.
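The audit entry above already holds the lead the thread never followed up: the Process ID (1512) of whatever opened hhhinn.dll for writing, which can be matched against the PID column of Task Manager on the box at that moment. Below is an added parser, not part of this thread, for the text form of a Windows 2000 Security "Object Open" (event 560) record that pulls out the object, the access mask and the creating PID, and flags write access to a DLL under system32. The sample record is the one posted above with the same redactions; the field layout it assumes is the one shown there.

```python
"""Parse a Windows 2000 Security event 560 ('Object Open') record as
pasted from Event Viewer and flag DLL writes under system32 so the
creating Process ID can be chased. Added example; the sample below is
the record posted in this thread."""
import re

# Constructed sample: the event posted above (names redacted as posted).
SAMPLE_EVENT = """Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/19/2004
Time: 3:49:49 PM
User: (User name removed)
Computer: (Computer name removed)
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\\WINNT\\system32\\hhhinn.dll
New Handle ID: 1532
Operation ID: {0,595673}
Process ID: 1512
Primary User Name: XXX
Primary Domain: XXX
Primary Logon ID: XXX
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes
Privileges -
"""

# "Name: value" lines; the lazy name stops at the first colon so that
# "Time: 3:49:49 PM" keeps its value intact.
FIELD = re.compile(r"^(?P<name>[A-Za-z ]+?):\s*(?P<value>.*)$")
# Access rights that modify the object (DELETE included for renames/removals).
WRITE_ACCESSES = {"WriteData", "AppendData", "WriteEA", "WriteAttributes", "DELETE"}


def parse_event560(text):
    """Return the record's fields as a dict plus an 'Accesses' list of the
    bare access names ('WriteData (or AddFile)' becomes 'WriteData')."""
    fields, accesses, in_access = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Accesses"):       # start of the multi-line access list
            in_access = True
            line = line[len("Accesses"):].strip()
        elif line.startswith("Privileges"):   # end of the access list
            in_access = False
            continue
        if in_access:
            if line:
                accesses.append(line.split(" ", 1)[0])
            continue
        m = FIELD.match(line)
        if m:
            fields[m.group("name")] = m.group("value")
    fields["Accesses"] = accesses
    return fields


def creator_pid(fields):
    """The PID that opened the handle; match it against Task Manager's PID column."""
    return int(fields["Process ID"])


def is_suspicious_dll_write(fields):
    """True for a successful File open of a system32 DLL with any write access."""
    name = fields.get("Object Name", "").lower()
    return (fields.get("Event ID") == "560"
            and fields.get("Object Type") == "File"
            and "\\system32\\" in name and name.endswith(".dll")
            and bool(WRITE_ACCESSES.intersection(fields["Accesses"])))


if __name__ == "__main__":
    ev = parse_event560(SAMPLE_EVENT)
    if is_suspicious_dll_write(ev):
        print(f"PID {creator_pid(ev)} wrote {ev['Object Name']} ({', '.join(ev['Accesses'])})")
```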
The thing is, some viruses will prevent anti-virus programs from detecting them, which is why your scans are running clean.
I recommend you download and run Stinger from NAI.
http://vil.nai.com/vil/stinger/
This will go beyond standard AV programs (especially if they themselves are infected) and run a scan regardless.
ASKER
Stinger didn't find anything.
Regular McAfee found all of the offending DLLs and deleted them (from Safe Mode) but they came back again.
We may be at the point to frag this machine and re-install the OS.
>> I am very surprised that CWShredder dows not resolve this issue.
The same tool solved the issue here http:Q_20950237.html
Not sure if you had updated the tool after installing and then tried .. post back
Running Stinger in safe mode will get rid of most known nasty viruses.
However, as none of this is picking up anything, it's quite possible this machine is infected by a rootkit or back door of some sort that is masking itself by modifying file headers to make it look like there have been no file changes.
Could even be that the AV program itself has been compromised, and just keeps putting things back.
I think a reinstall would be a good idea!
We never did a netstat -an to see whether or not there are open ports trying to propagate this virus?
Depending on the nature of the virus too, I have seen viruses in the past that have dropped themselves via code that is buried in actual code on the computer (i.e. HTML, JavaScript, etc.) that re-executes the virus whenever one of those pages with code is run. It's possible that it could be returning this way...
www.nai.com is the only one that I have noticed with the Adware-SearchX virus listed. Both Norton and Trend do not have it listed. Try doing a virus scan from here - http://housecall.trendmicro.com/ - and see if it detects it under any other name. I know Trend usually gives directions for manually cleaning up most viruses. Worth a shot; however, I would probably just do a reinstall myself by this point ;)
Hey Everyone!
I did all the previous steps to solve this problem; nothing seemed to work, and after a few days I would get the virus again.
Finally I found the proper way to get rid of this virus.
The key is to find the hidden DLL. There are two: one modifies your Internet Explorer pages and resets them to about:blank, the other is hidden and loaded at all times. First you need this program:
http://www.resplendence.com/download/reglite.exe
Open reglite and paste this value in the address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Then double click:
AppInit_DLLs
You should be able to see a file with this address:
C:\Windows\System32\"Hidden".dll
Clean your system with all the previous anti-virus programs.
Then, in the Windows console (Windows setup option), go to C:\Windows\System32 and modify the file's attributes with the Attrib command, otherwise you won't be able to erase it; another option is to change the name of the file.
Reboot your system, open reglite again and go back to the same key:
AppInit_DLLs,
Now delete the value.
That should do the trick.
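AppInit_DLLs explains the "comes back under a new name" behaviour: every DLL named in that value is loaded into every process that loads user32.dll, so a loader parked there outlives deletion of the BHO. The script below is an added example, not from this thread or from reglite, that reads the live value on a Windows host (returning None elsewhere), splits it into its entries and classifies each against an allowlist you maintain; the allowlist and the system32 path are assumptions, and nvdesk32.dll appears only because the asker later found it there.

```python
"""Read and assess the HKLM AppInit_DLLs value dcobian points at.
Added example; winreg is only available on Windows, so the parsing and
assessment parts are kept separate from the registry read."""
import ntpath  # Windows path semantics regardless of the host OS

APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def read_appinit_dlls():
    """Return the raw AppInit_DLLs string from HKLM, '' if the value is
    absent, or None when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        except FileNotFoundError:
            return ""
    return value


def split_appinit(value):
    """AppInit_DLLs is a space- or comma-separated list of DLL names or paths."""
    return [item for item in value.replace(",", " ").split() if item]


def assess(entries, system32=r"C:\WINNT\system32", known_good=()):
    """Return (resolved_path, verdict) per entry. Bare names resolve under
    system32, which is where the loader looks for them. known_good is an
    allowlist of base names you have verified yourself (assumed input)."""
    allow = {name.lower() for name in known_good}
    results = []
    for entry in entries:
        path = entry if ntpath.dirname(entry) else ntpath.join(system32, entry)
        base = ntpath.basename(path).lower()
        if base in allow:
            verdict = "known-good: still confirm publisher and file version"
        else:
            verdict = "unknown: check file version info and AV before removing"
        results.append((path, verdict))
    return results


if __name__ == "__main__":
    raw = read_appinit_dlls()
    if raw is None:
        # Off Windows: demonstrate on a constructed value instead.
        raw = "nvdesk32.dll, C:\\WINNT\\system32\\hhhinn.dll"
    for path, verdict in assess(split_appinit(raw), known_good=("nvdesk32.dll",)):
        print(f"{path}: {verdict}")
```

Anything the assessment reports as unknown is a candidate for the Attrib-and-rename step above; an empty AppInit_DLLs value is the normal state on a clean Windows 2000 box.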
Hi:
Here is the solution, I think :
http://www.spywareinfo.com/forums/index.php?showtopic=43492
rsdn
ASKER
Thanks for the reglite rsdn and dcobian. Unfortunately I already wiped the PC that was infected so I have no way to test. I had another PC with similar (not exact) issues and I ran reglite. Under AppInit_dlls is NVDESK32.dll. This appears to be from NVIDIA which is the video card he has. I shouldn't delete that should I? What exactly gets put into AppInit_dlls?
-B
What is the status of this question, as it has been ages since the last post? If you have any questions on how to properly close a question, assistance can be found at https://www.experts-exchange.com/help.jsp#hs5
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:
Accept: dcobian{http:#10980022}
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
Tolomir
EE Cleanup Volunteer
as the user posted that they wiped their PC clean and had no way to test any further recommendations, it is my belief that this post should be Close/Refunded instead of awarding points...
ASKER CERTIFIED SOLUTION
After installing them, first update them and then run them.
Spyware/Adware removal tools:
--------------------------
What is spyware : http://www.spychecker.com/spyware.html
SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml
Ad-aware : http://www.webattack.com/download/dladaware.shtml
CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
HijackThis : http://www.spychecker.com/program/hijackthis.html
SpywareBlaster :http://www.webattack.com/download/dlspywareblaster.shtml
SpywareGuard :http://www.webattack.com/download/dlspywareguard.shtml
SpySites :http://www.webattack.com/download/dlspysites.shtml
Keylogger Hunter :http://www.webattack.com/download/dlklhunter.shtml
BHODemon : http://www.spywareinfo.com/downloads/bhod/
Browser Hijack Blaster : http://www.wilderssecurity.net/bhblaster.html
Other spyware removal instructions:
http://www.spywareinfo.com/~merijn/cwschronicles.html
http://www.pchell.com/support/click2findnow.shtml