Hello mattlasher, and welcome.
You have some work to do here. Once you start, please don't stop until all the steps are done, or this will not work.
PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.
(Click on Print this topic in the upper RH corner.)
STEP 1:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here.
STEP 2:
Please download Trend Micro™ CWShredder™ here.
Save it to its own folder named CWShredder at the root of your C: drive (C:\CWShredder), alongside HijackThis.
Don't run it yet; we will use it later.
STEP 3:
Download AboutBuster from RubbeR DuckY here.
Save it to its own folder named AboutBuster at the root of your C: drive (C:\AboutBuster), alongside HijackThis.
Double-click AboutBuster.exe and press Update to make sure you have the latest reference file version.
Don't run it yet; we will use it later.
STEP 4:
Download and install the latest version of Ad-Aware SE here.
NOTE: If you are still using the older Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now, before installing Ad-Aware SE.
After installing, click on "Check for updates now" to make sure you have the latest reference file.
Don't run the scan yet; we will use it later.
STEP 5:
Download the eScan Antivirus Toolkit here.
Save it to the desktop. This program is 10MB in size.
Don't run it yet; we will use it later.
STEP 6:
Download and install the Ewido Security Suite.
NOTE: The Ewido Security Suite utility will not install on Windows 95, 98, ME, or NT. The minimum system requirements for Ewido Security Suite are Windows 2000 or Windows XP.
1.) Download and install the Ewido Security Suite here.
2.) Double-click on the new Ewido shortcut on the desktop to open the program.
3.) In the upper LH side column, click on the Update button.
(This will update the program with all the latest signature files.)
Don't run the scan yet; we will use it later.
STEP 7:
If you are using Windows 2000 or XP, you must first STOP and DISABLE the rogue service.
There are different Display Names to look for:
* Workstation NetLogon Service
* Remote Procedure Call (RPC) Helper
* Remote Access Service
* Network Security Service (NSS)
NOTE: Match the display name exactly. "Remote Procedure Call (RPC) Helper" is the rogue one; the genuine "Remote Procedure Call (RPC)" service is part of Windows and must be left alone, as Windows will not run without it.
Go to Start => Run and type "Services.msc" (without quotes), then click OK.
1.) Scroll down and find one of the bad services described above, such as Remote Procedure Call (RPC) Helper.
2.) When you find it, double-click on it to open its Properties window.
3.) On the General tab, click the Stop button, then change the Startup Type to Disabled.
4.) Now click Apply, then OK, and close any open windows.
STEP 8:
If you are using Windows 2000 or XP, copy the contents of the Quote Box below into Notepad and save it on the desktop as cwsresfix.reg: in the Save dialog, change Save as Type to All Files and set Encoding to Unicode (the service names contain non-ASCII characters, which an ANSI save would mangle). Please DO NOT include the word QUOTE when saving the file.
QUOTE
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_½O.#ž‚„?õØÂ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\½O.#ž‚„?õØÂ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_½O.#ž‚„?õØÂ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\½O.#ž‚„?õØÂ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_½O.#ž‚„?õØÂ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\½O.#ž‚„?õØÂ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_½O.#ž‚„?õØÂ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\½O.#ž‚„?õØÂ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_½O.#ž‚„?õØÂ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\½O.#ž‚„?õØÂ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_½O.#ž‚„?õØÂ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\�%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F฿ไ #ทบฤึ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11Fßä #•ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\?%AF夶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\O?’ŽrtñåȲ$Ó]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\½O.#ž‚„?õØÂ´â]
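STEP 7 and STEP 8 together amount to one procedure: find the rogue service, disable it, and delete its registry keys from every control set. The script below is an added example written for this page, not part of the original post or of any of the tools it links; it does the same thing from PowerShell, with one difference that matters in practice. The .reg file above hard-codes the random high-byte service names that one infected machine happened to have, and a different machine will usually have different ones. The script instead looks the service up by the display names listed in STEP 7 (exact match, so the genuine "Remote Procedure Call (RPC)" service is never touched), prints its real internal name and binary path so you can check them against your HijackThis log, and writes cwsresfix.reg from the names actually found. It assumes Windows 2000/XP with PowerShell installed and an administrative session; the switch name -Disable and the output path are this example's own choices. On a machine without PowerShell, sc.exe from a command prompt does the stop/disable part.

```powershell
# Added example (not from the original post): locate the rogue service by its
# display name, optionally stop and disable it, and generate cwsresfix.reg from
# the service's real internal name instead of the hard-coded names above.
# Assumes Windows 2000/XP with PowerShell available and an administrative session.
param(
    [switch]$Disable,                                   # default: report only
    [string]$RegPath = "$env:USERPROFILE\Desktop\cwsresfix.reg"
)

# Display names this infection has been seen using (the STEP 7 list).
$badDisplayNames = @(
    'Workstation NetLogon Service',
    'Remote Procedure Call (RPC) Helper',
    'Remote Access Service',
    'Network Security Service (NSS)'
)

# Win32_Service exposes the internal Name (the registry key under Services)
# alongside the DisplayName shown in services.msc and the binary path.
# Exact match: the genuine "Remote Procedure Call (RPC)" is not in the list.
$suspects = Get-WmiObject Win32_Service | Where-Object {
    $badDisplayNames -contains $_.DisplayName
}

if (-not $suspects) {
    Write-Host 'No service with a known rogue display name found.'
    return
}

foreach ($svc in $suspects) {
    # The internal name is what the .reg file must match; for this infection
    # it is random high-byte garbage rather than a readable word.
    Write-Host ("Display: {0}`n  Key:    {1}`n  Binary: {2}`n  State:  {3} / {4}" -f
        $svc.DisplayName, $svc.Name, $svc.PathName, $svc.State, $svc.StartMode)
    if ($Disable) {
        if ($svc.State -eq 'Running') { [void]$svc.StopService() }
        [void]$svc.ChangeStartMode('Disabled')          # Startup Type: Disabled
    }
}

# Build the .reg file. A leading "-" inside the brackets deletes the key.
$lines = @('Windows Registry Editor Version 5.00', '')
foreach ($hive in 'HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER') {
    foreach ($k in 'HSA', 'SE', 'SW') {
        $lines += "[-$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$k]"
    }
}
# Enum\Root\LEGACY_<NAME> is the service name in upper case. Cover every
# control set, as the original file does, so that booting Last Known Good
# cannot bring the service back.
$controlSets = @('CurrentControlSet') + (1..5 | ForEach-Object { 'ControlSet{0:D3}' -f $_ })
foreach ($svc in $suspects) {
    foreach ($cs in $controlSets) {
        $lines += "[-HKEY_LOCAL_MACHINE\SYSTEM\$cs\Enum\Root\LEGACY_$($svc.Name.ToUpper())]"
        $lines += "[-HKEY_LOCAL_MACHINE\SYSTEM\$cs\Services\$($svc.Name)]"
    }
}
# Version 5.00 .reg files are UTF-16LE. An ANSI save would mangle the
# non-ASCII service name and regedit would then delete nothing.
$lines | Out-File -FilePath $RegPath -Encoding Unicode
Write-Host "Wrote $RegPath; merge it from Safe Mode after the scans (STEP 15)."
```

Run it once without -Disable to see what it found, compare the Binary path with the O23 service lines in your HijackThis log, and only then run it again with -Disable. The generated file is merged in STEP 15 exactly like the hand-made one.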
STEP 9:
Please reboot into Safe Mode. For instructions, click here.
Get into Safe Mode using the F8 key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC (Start, Shut Down, Restart).
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with the Windows Advanced Options menu.
3.) Select the option for Safe Mode using the up/down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and, when you are done, reboot the PC back into Normal Mode (Windows).
STEP 10:
From Safe Mode, browse to C:\CWShredder and double-click on cwshredder.exe to open it.
1.) Click the 'Fix->' button (not 'Scan Only').
2.) You will be prompted that CWShredder will shut down any Internet Explorer and Windows Media Player windows; click OK to continue and let it run completely to delete anything it finds.
3.) After its scan, click Next, then Exit.
STEP 11:
From Safe Mode, browse to C:\AboutBuster and double-click on aboutbuster.exe.
1.) Click Begin Removal and allow the program to run.
2.) After AboutBuster has finished, click OK. It will now open a new page; click on the Protection tab and follow the instructions for protection on that page.
3.) Now click Exit, then click OK on the "Logfile created" dialog box.
STEP 12:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip; by default it will extract all the program files to a new folder called Kaspersky at the root of the C: drive (C:\Kaspersky).
3.) A dialog box stating "1xx file(s) unzipped successfully" will appear; click OK. After clicking OK, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option (Memory, Registry, Startup Folders, System Folders, Services) are all checked.
5.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well, and a large window across from it appears. In this window, use the drop-down arrow and choose the drive letter of your hard drive, usually C:.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.
STEP 13:
From Safe Mode, run the Ewido Security Suite.
NOTE: Windows 2000 and XP only.
1.) Double-click on the Ewido shortcut on the desktop to open the program.
2.) In the upper LH side column, click on Scanner.
3.) Click the Settings button; under "What to scan?" click Scan every file, then click OK.
4.) Click the Complete System Scan button.
5.) Have the program delete everything it finds.
STEP 14:
From Safe Mode, run the Ad-Aware SE program you downloaded and updated earlier. Make sure "Perform full system scan" is checked, let it scan the hard drive, and delete all entries it finds. Then run it a second time.
STEP 15:
From Safe Mode, double-click on the cwsresfix.reg you created earlier and, when it prompts to merge, say Yes. This clears the registry entries (uninstall keys and the rogue service) left behind by the infection. Now reboot the PC back into Normal Mode (Windows).
STEP 16:
Go to Start, Run, type in %temp% and click OK.
Click Edit, Select All, then click File, Delete, and click Yes to send the items to the Recycle Bin. Now empty the Recycle Bin.
STEP 17:
This infection may delete the Windows shell.dll file and the control.exe file. Always perform a Windows search for these files after the cleanup. If you are using Windows 2000 or XP, go to Start, Search, For Files or Folders, and type in shell.dll.
For Windows 2000, it will be found here:
* C:\WINNT\System32
* C:\WINNT\System
For Windows XP, it will be found here:
* C:\Windows\System32
* C:\Windows\System
Now look for the control.exe file.
For Windows 2000 it will be found here:
* C:\WINNT\System32
For Windows XP it will be found here:
* C:\Windows\System32
If any of these files are missing in 2000 or XP, they can be replaced from the dllcache folder.
For Windows 2000, a replacement can be found here:
* C:\WINNT\System32\dllcache
For Windows XP, a replacement can be found here:
* C:\Windows\System32\dllcache
Now copy and paste the file(s) from the dllcache folder into the proper folder (shown above) according to your version of Windows.
The files shell.dll and control.exe can also be downloaded from here.
Once the file(s) are downloaded, extract them and copy them into the proper folder (shown above) according to your version of Windows.
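As an added example, not part of the original post, the check-and-restore described in STEP 17 as one script. It uses $env:SystemRoot, which is C:\WINNT on Windows 2000 and C:\Windows on XP, so the two per-version path lists above collapse into one. The file and folder lists are exactly those given above; nothing else is assumed beyond an administrative session and PowerShell being available on the machine.

```powershell
# Added example (not from the original post): verify shell.dll and control.exe
# after the cleanup and restore them from dllcache if the infection removed them.
# $env:SystemRoot is C:\WINNT on Windows 2000 and C:\Windows on XP, so one
# script covers both. Run from an administrative session.
$system32 = Join-Path $env:SystemRoot 'System32'
$dllcache = Join-Path $system32 'dllcache'

# Each file and the folder(s) it must exist in, as listed above.
$required = @{
    'shell.dll'   = @($system32, (Join-Path $env:SystemRoot 'System'))
    'control.exe' = @($system32)
}

$missing = @()
foreach ($file in $required.Keys) {
    foreach ($dir in $required[$file]) {
        $target = Join-Path $dir $file
        if (Test-Path $target) {
            Write-Host "OK       $target"
            continue
        }
        $backup = Join-Path $dllcache $file
        if (Test-Path $backup) {
            # dllcache holds the protected copy Windows File Protection keeps.
            Copy-Item $backup $target
            Write-Host "RESTORED $target (from dllcache)"
        } else {
            # Nothing to restore locally: obtain the file as described above.
            Write-Host "MISSING  $target (no dllcache copy either)"
            $missing += $target
        }
    }
}
if ($missing) { Write-Host "Still missing: $($missing -join ', ')" }
```

Any path reported as MISSING is one you must supply from the download above, since the dllcache copy is gone as well.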
Now, after all of that, tell us how it went and post a new logfile.
HGD