
Battling About:blank Hijack This Log


  • This topic is locked
9 replies to this topic

#1 Uncle Ian


Posted 17 March 2005 - 03:07 PM

I'm trying to remove a very recently acquired infection of about:blank from a friend's W98 system without success. So far, I've run AdAware SE (with March 17 definitions) repeatedly in Safe Mode until it comes up clean. (65 critical objects on first scan, nothing on the second.) AdAware refuses to launch in normal mode, by the way. I've run TrojanHunter with current defs in both Safe and normal mode (it finds nothing.) I've done a scan with the trial version of SpySubtract (it finds nothing.) I've run CWShredder 2.13.0.0 (finds nothing.) I've run About:Buster following the instructions exactly; update it, two scans, reboot, two more scans and a reboot. After all this, the about:blank scourge persists. I then rebooted the system again, after which I used HJT to generate the following log. Your expert assistance would be very much appreciated. Regards, Ian.

Logfile of HijackThis v1.99.1
Scan saved at 3:19:35 PM, on 3/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\NOVELL\CLIENT32\WM95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\DPMW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE
C:\PROGRAM FILES\NIKON\NKVIEW5\NKVMON.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\AWHOST32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\Twunk_16.exe
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
O2 - BHO: (no name) - {04370336-9540-11D9-AEDB-0050EA7CE618} - C:\WINDOWS\SYSTEM\CMGD.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [sp] rundll32 C:\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Workstation Scheduler] C:\novell\client32\wm95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\iowatch.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBUpdate.exe
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Startup: PC Anywhere Host.lnk = C:\Program Files\Symantec\pcAnywhere\DATA\Muttluks.BHF
O18 - Filter: text/html - {06538B83-96F6-11D9-AEDB-0050F5CF02EE} - C:\WINDOWS\SYSTEM\CMGD.DLL
O18 - Filter: text/plain - {06538B83-96F6-11D9-AEDB-0050F5CF02EE} - C:\WINDOWS\SYSTEM\CMGD.DLL
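As an added example (my own code, not from this thread and not part of HijackThis), the scanner below turns the hijack indicators visible in the log above into regex rules, runs them over a constructed sample of eight lines copied from that log, and reports which module files sit behind more than one flagged hook. The rule set and reason strings are my own heuristics.

```python
import re

# Constructed sample: eight lines copied from the HijackThis log posted above,
# mixing the hijack entries with benign ones (Radio toolbar, Norton tray icon).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
O2 - BHO: (no name) - {04370336-9540-11D9-AEDB-0050EA7CE618} - C:\WINDOWS\SYSTEM\CMGD.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\SE.DLL,DllInstall
O18 - Filter: text/html - {06538B83-96F6-11D9-AEDB-0050F5CF02EE} - C:\WINDOWS\SYSTEM\CMGD.DLL
"""

# (HJT section prefix, regex tested against the rest of the line, reason): the
# hallmarks of this about:blank hijack as they appear in the posted log (my own rules).
RULES = [
    ("R",   r"=\s*(about:blank|res://\S*\.dll/)", "IE page/search setting points at about:blank or a res:// page inside a DLL"),
    ("R3",  r"\(no name\).*\(no file\)",          "nameless URLSearchHook with no backing file"),
    ("O2",  r"BHO: \(no name\)",                  "nameless browser helper object"),
    ("O4",  r"rundll32\s+[A-Za-z]:\\[^\\\s]+\.dll,", "Run entry loads a DLL from the drive root via rundll32"),
    ("O18", r"Filter: text/(html|plain)",         "MIME filter hooking text/html or text/plain"),
]
MODULE_RE = re.compile(r"[A-Za-z]:\\[^\s,]*\.(?:dll|ocx|exe)", re.IGNORECASE)

def classify(line):
    """Reasons one HJT log line is suspicious (empty list if none)."""
    section, sep, rest = line.partition(" - ")
    return [reason for prefix, pat, reason in RULES
            if sep and section.startswith(prefix) and re.search(pat, rest, re.IGNORECASE)]

def scan(log_text):
    """Flagged lines -> reasons, in log order."""
    return {l: r for l in map(str.strip, log_text.splitlines()) if (r := classify(l))}

def shared_modules(flagged):
    """Module file names behind two or more flagged entries (one DLL, several hooks)."""
    seen = {}
    for line in flagged:
        for name in {m.lower().rsplit("\\", 1)[-1] for m in MODULE_RE.findall(line)}:
            seen[name] = seen.get(name, 0) + 1
    return {name for name, n in seen.items() if n >= 2}

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for line, reasons in hits.items():
        print(line, "->", "; ".join(reasons))
    print("modules behind several hooks:", sorted(shared_modules(hits)))
```

On the sample, the same two files (se.dll and CMGD.DLL) turn up behind the search-page settings, the Run entry, the BHO and the MIME filters, which is what ties the separate log entries into one infection.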



#2 MrCharlie

    SuperMember, Malware Team

Posted 19 March 2005 - 07:12 AM

Welcome to the forum.

Download and unzip StartDreck at the link below

http://www.niksoft.a...=startdreck.zip


Run StartDreck.exe:
Click config (it's at the bottom)
Click Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers->Running processes
Click ok.

Post the log it makes and a fresh HJT log in your next reply, Thanks - MrC


#3 Uncle Ian


Posted 19 March 2005 - 10:04 AM

Thanks very much for your reply, MrCharlie. I have just been informed that I won't be able to get access to that infected computer until this coming Wednesday afternoon, March 23. At that time I'll follow your directions, and will post the two logs. I won't let this unfortunate delay deter me from assisting my friend, and hope that it won't deter you from instructing me on how to do so. Many thanks, Ian.

#4 MrCharlie


Posted 19 March 2005 - 08:00 PM

OK, after you do that, do this for me:

Download ThisCleaner into a folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.
Please post that log also, Thanks, MrC


#5 Uncle Ian


Posted 23 March 2005 - 03:05 PM

Things are not going very well, MrCharlie. I did as you instructed: I ran StartDreck, checked only the three items you specified, and saved a log file. Then I closed StartDreck and ran HJT again, generating a new log. I unplugged the computer from the network and then ran SpSeHjfix and clicked on "Start Disinfection." Some desktop icons disappeared as it did its thing, and when it finally offered to restart the system I clicked OK. The computer reboots only as far as this error message: "Invalid system disk. Replace the disk and then press any key." It will not even let me boot into Safe Mode. It's a Dell 450 system and we have the original setup boot floppy and CD but I don't know what to do with them or if they are even required. Should I have reset StartDreck before shutting it down? How did I screw this up? This is my worst computer help nightmare: making things much worse for someone while trying to fix their problem. Your insights on this development are most welcome, and I thank you for keeping an eye on this thread. Regards, Ian.

#6 MrCharlie


Posted 23 March 2005 - 07:11 PM

First make sure you don't have a floppy or CD in the computer; if so, remove them/it and try again to boot up.
If no luck, let's try a registry restore:

Reboot and hold the CTRL key down until you get the boot menu.
Choose Command prompt only.
At the A:\> type C: enter
At the C:\> type scanreg /restore and press enter
Choose a date before the problems started, enter
When done reboot, ctrl, alt, delete.

If you can't do that, put a windows boot disk (start disk) in your floppy and boot up.
Choose no cd-rom support
You should end up at C:\>
Type scanreg /restore
Choose a date before the problems started, enter
When done reboot, ctrl, alt, delete.

If you need a boot disk..
Download this file, put a blank formatted floppy in your A drive, then double click on the file you just downloaded. This will make a boot disk.

http://www.mirrors.o...s1/boot98se.exe

There's also a help file on that floppy with some ideas on getting the computer to boot if needed.

Let me know. MrC


#7 Uncle Ian


Posted 29 March 2005 - 03:09 PM

I think I give up, MrCharlie. Today I tried your suggestion about restoring the registry, but received error messages that I was entering an invalid command. I tried using "The Ultimate Boot Disk" and some of its options, none of which had any success (restoring registry, accessing Safe Mode.) Finally, I booted using an OnTrack emergency disk I'd made a couple of years ago on our old W98SE system, and set it to run its scandisk routine and automatically fix all errors. When I left the building, it was still running. By the way, the reason this whole process of recovering from about:blank seems to be so dragged out in my case is that I only have occasional access to the computer. It's in the office of a small business which keeps very irregular hours during the post-winter season. I thank you for your patience and your input, but I fear that this particular problem may require a re-install of W98. This is something which I have never done, which is why I've been pursuing every other available option. If you have any other ideas I'd be glad to hear them, but in the meantime I think I'd like to mark down this experience as a vote against using "SpSeHjfix" because the computer was at least functional until I used it. Regards, Ian.

#8 MrCharlie


Posted 29 March 2005 - 07:27 PM

I'm sorry you have encountered problems during the procedure.
HiJackThis, StartDreck and SpSeHjfix are good programs and widely used, especially now with this infection spreading rapidly.

I tried to duplicate what you did on my 98 test machine but couldn't, no matter which way I tried.
So I don't know what happened or what caused it; there's nothing in my instructions, which are clear and are still used today, that would cause the problem you are having.

That being said, all I could do now is help you to recover.

I gave you instructions on how to make a 98se windows bootdisk.

Put the boot disk in and turn on the computer, "choose no cd-rom support"
You will end up at the A:\> prompt
type DIR C: and press enter
You should see the files on the hard drive, if you don't then there's a problem with the drive

Get back to A:\> and
Type SYS C: and press enter
Wait a minute and you should get "System transferred"
If so, take out floppy and reboot ctrl, alt and delete.
See if that gets it going.
-----------------------------------------------------------
To restore the master boot record, use this command at C:\>
FDISK /MBR enter

To run scandisk use this command at C:\>
Type scandisk and press enter. This will be a quick scan; then you should get a screen for a thorough scan, which takes a long time.

To restore the registry use this command:
C:\WINDOWS\COMMAND\SCANREG /RESTORE and press enter
You can pick a date to restore from before the problem.

scanreg /fix will fix the registry - it takes a while to run.

Let me know how you make out, MrC


#9 Uncle Ian


Posted 30 March 2005 - 04:53 PM

Dear MrCharlie:

I think we both have to give up on this one. I've just spent another hour with the computer in question without success. That adds up to about five fruitless hours in total.

I have NO doubt whatsoever about the validity of all the instructions you've so patiently provided me with and I am very grateful for your assistance. I sincerely hope I never made you feel otherwise.

The DIR C: command DID reveal the contents of the hard drive.

The SYS C: command yielded this message: "Bad command or file name." The FDISK /MBR command seemed to be successful.

The OnTrack rescue disk scandisk routine I ran yesterday had found no errors.

The C:\WINDOWS\COMMAND\SCANREG /RESTORE command yielded this message: "Bad command or file name."

The scanreg /fix command also generated the "Bad command or file name" message.

I tried the commands on this MS page: http://support.micro...b/128730/EN-US/ and *most* of them also generated the "Bad command or file name" response. I note that on that page, a couple of caveats are mentioned regarding disk management and security software. Some of that stuff *may indeed* be installed, but the girls who got this Novell VPN networked computer into this about:blank condition in the first place were unable to answer any questions about such matters. One of these girls BTW, before my first post, had DELETED all IE files/folders as a cure! Who knows what else they may have also tried. Many thanks, MrCharlie, I guess this one just wasn't meant to be.

Regards,
Uncle Ian, Toronto Canada.

#10 MrCharlie


Posted 02 April 2005 - 07:03 AM

As this problem has been resolved the topic will be closed. If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)

The subject of the email must be
"Reopen". Include your post username and details about why you need it reopened, with a valid link to your post.

Thanks, MrC
