
about:blank trojan

Hi

Can anyone help with this about:blank trojan :rant: ? It changes my homepage to about:blank (a search page); also, if I try to download an .exe or .zip it redirects to another search page (making it difficult to download fix programs). If I hit reply in email it pastes the search page into the email (deletable but very annoying).
I have noticed a few people having problems with this trojan!

I have tried most things to delete it:
CWShredder
HijackThis
SpyBot
Adaware

Here is my current HijackThis Log:

Logfile of HijackThis v1.97.3
Scan saved at 23:44:13, on 03/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Labtec\Wireless Mouse\MOUSE32A.EXE
C:\program files\dotEncrypt\sealmon.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\CConnect\CConnect.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\paul\My Documents\Fix tools\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: {AB040101-8AA1-11D2-8DD1-00104BB5EAD6} - - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38E8B490-2486-46F8-8CC9-633DD61BC08B} - (no file)
O2 - BHO: (no name) - {B6298919-7154-4C37-A218-AB0E154E3443} - C:\WINDOWS\System32\bmoab.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Wireless Mouse\MOUSE32A.EXE
O4 - HKLM\..\Run: [sealmon] c:\program files\dotEncrypt\sealmon.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: SWFDecompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://portal.som.cranfield.ac.uk/msc/Portal/resources/msddsc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37757.3122222222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://sc.communities.msn.com/controls/chat/msnchat4.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14


PLEASE HELP
Paul
:ukflag:

Comments

  • Straight_Man (Geeky, in my own way) Naples, FL Icrontian
    edited May 2004
    Try getting rid of all the R1 and R0s, the R3, and answer one question for me.... Are you running an old Norton Antivirus???? If not, kill anything with NavNT in its listing.

    The R2's are a bit more problematic, I would kill all but the AcroIEHelper.ocx one and get a newer Acrobat reader and then uninstall the old Acrobat reader also if you can, Paul.

    I have never seen slserv.exe or wanmpsvc.exe on a box I have worked on, either.

    If you do not work with Macromedia Flash media development, get rid of the SWFDecompiler, this is not a Flash player, this is a Flash debugger that IE does not need to play Flash files. Problem is, I do not see anything here that could USE it.... :(

    Ok, anyone know of good uses for either of these???

    O4 - HKLM\..\Run: [sealmon] c:\program files\dotEncrypt\sealmon.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    This one, Paul, I would move to the Disabled Startup Items folder, it does not belong in XP, and I have not seen it in a 2000 box:

    O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe

    These two I would simply trash:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

    Ditto these two:

    O9 - Extra button: SWFDecompiler (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)

    This set below is either a DNS hijack by domain renaming plus a DNS server substitution or a server being run with anonymous domaining being used. Myself, I would get rid of these unless you KNEW you needed them.

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14

    any other thoughts here, folks???

    John D.
  • Kwitko (Sheriff of Banning (Retired)) By the thing near the stuff Icrontian
    edited May 2004
    Reboot into safe mode and delete the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: {AB040101-8AA1-11D2-8DD1-00104BB5EAD6} - - (no file)
    O2 - BHO: (no name) - {38E8B490-2486-46F8-8CC9-633DD61BC08B} - (no file)
    O2 - BHO: (no name) - {B6298919-7154-4C37-A218-AB0E154E3443} - C:\WINDOWS\System32\bmoab.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll might be a trojan
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k can be removed to save resources
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" can be removed to save resources if you don't use MSN Messenger
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe can be removed to save resources
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe can be removed to save resources
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe can be removed to save resources
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE can be removed to save resources
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com

    Unless these belong to your ISP, I'd remove them.
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14
  • edited May 2004
    Thanks Guys I will give these a go and get back to you :)

    By the way the Norton Anti Virus is Corporate edition v7.51.847
  • edited May 2004
    Sorted, so far so good.

    Restarted in safe mode and ran HijackThis, deleted the R's and O's and just to be sure ran CWShredder (results=clean), SpyBot (results=clean), and Adaware (results=2 files and 1 Registry, not associated to the Trojan though).

    Thanks again guys
    Paul
  • edited May 2004
    Ok, it's back !!!!

    I have rebooted a couple of times and now it is going back to the same about:blank search engine.

    What next?
  • Dexter Vancouver, BC Canada
    edited May 2004
    Can you post a fresh HJT log?

    Dexter...
  • edited May 2004
    Ok hi everyone, I have tried a few different ways suggested by people on forums, which are only temporary.
    It comes down to a dll file being reactivated within system32, at the moment the file that keeps appearing is called iuctl.dll
    This will then activate another dll (which changes name every time) within system32 which is causing the problems. At present it is called lpnddaa.dll
    I can delete both or move them etc but the iuctl.dll will keep coming back.

    I recently have tried this suggestion from RaveDeNoir (not sure which forum)


    About:Blank now homepage. Need to remove? Here's how
    About:Blank is now your Homepage, it's part of HomeOldSp, and you want it gone. Here's how to rid yourself of the monster forever.
    Courtesy of RaveDeNoir (Yahoo ID)

    SO... You have gotten yourself stuck with About:Blank as your home page. It's part of a "Trojan" virus/mail-spy-ad-ware program. You've gone to 100s of forums and nothing has helped. Trust me I've been where you are. But through my combined research of those '100 forums plus' and my own handy work I have found your answer.

    Where to begin?

    No place is good to be honest... as easy as it will be, it's going to be a pain.

    Step#0 - - Pre-Kill Measures
    Copy and paste this advice to a Text File and save! (But still
    read the whole thing before you do Anything!)

    Step#1 - - Things to Download and Update
    Download all of these and get Updates for everything you can
    IE 6
    AdAware 6
    SpyBot (1.1 is best I find then update)
    SpySweeper
    HiJackThis
    KillBox (YOU need this program!)
    CWShredder (with at least one new entry after cwsearchx before the line)

    Okay Now you have tools - - Hopefully!!!

    Step#2 - - The problem Boils
    With all your updates and programs installed or unzipped, here's what to do.
    -Boot into Safe Mode.
    -Run AdAware 6
    -Delete Everything it finds, Don't question any entry just delete them all.
    -Run AdAware 6 again, Yes Again, You might be surprised to find it
    will find more. In fact three times wouldn't hurt. Delete everything again.
    -Run SpySweeper
    -Delete Everything!
    -It might mess some programs up... BUT, too bad for you, you have, I
    feel, the nastiest trojan ever, and you want it gone, and don't want to
    reformat, SO DO IT! Just Delete all that it finds, and reinstall what you
    have to later, that is if anything.
    -Run SpyBot
    -Once again SELECT ALL and delete every Entry!

    Step#3 - - Time to get Dirty!
    So you've done what any average person would do. But this has gone way past the average problem. You need to do some sniffing and use your brain. Each infection of this monster is different; while actually the same.

    -First thing to Know!
    -C:\Windows(or whatever)\system32 ... This is where the file is doing
    its most harm!
    -Your file will look something like (Just an example - -hjlkimg.dll). So
    basically you won't know what to really look for. Best way to find it
    is... arrange your files by Date CREATED with Details menu; Not
    modified but Created. To get date created right click on the Details
    Bar and choose Date Created.
    -If you still can't find the "monster dll" don't worry. Because! Hopefully! AdAware got
    rid of it.

    -Second thing to Know
    -In SpyBot under Tools you can See all your Browsers Pages and BHO's.
    These are the ones in the Registry. Don't Know what BHO's are don't
    worry (neither do I really). So skip worrying. This is really your
    solution to getting rid of this problem. TRUST ME!

    -First Thing to do now that you know all this.
    -Run HiJackThis
    -Whatever it finds with the HomeOldsp name, or jkhlkj.dll (again
    an example of the evil file not the one you may have) , or
    about:blank, or the word search, or any thing with BHO in front
    of it... DELETE(fix)! That means delete all BHO files.
    -To make sure you deleted all the BHO files Run SpyBot and go to
    Tools and look under the BHO section, it should now be empty!

    -Second Thing
    -Run CWShredder and let it do its thing then Exit.

    Step#4 - - The Heart of the Beast!
    It's time to go DEEP! Time to enter the Windows Registry.
    [Press/Click] START
    [Press/Click] RUN
    When the Box Opens
    [Type] RegEdit [Press Enter]

    The Registry is Open now.
    Click your way to the following location.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    -There you will find the "value" AppInit_Dlls
    -Right Click on this value and select Modify Binary Data
    -Here you will see a new "dll" (not the one you have deleted with everything else) embedded in the code, it will look something like dfsflkjis.dll or comaedas.dll, (whatever), point is ... "THAT IS A NEW dll" that's going to be loaded into the system32 folder (and start the whole mess over), now that the old one's been deleted.
    -This is the Heart Folks!
    -This is the one thing none of the programs were stopping.
    -But Yes we have our final trick/"Program" to play....

    -Run KillBox (YOU need this program!) And follow these steps to a T.
    1-Open KillBox
    2-Type C:\Windows\system32\ into the bar.
    3-After ...system32\ type the name of the DLL you found in the
    "AppInit_Dlls" data in the registry.
    4-Click the "Action" button(Do NOT press 'delete/kill file') and
    choose "Delete on Reboot".
    5-A second screen will pop up - - Click "File" then click "Add File", this
    will add the file embedded in AppInit_Dlls.
    6-After the name is loaded into the second screen. Press "Action" then
    press "Process and Reboot". Allow the computer to reboot.

    Step#5 - - After Grabbing the heart.
    This is part 7- of KillBox
    -Go back to the registry and back to...

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    ...and DELETE the entire AppInit_Dlls value (and yes you should see that new dll in the value, but what's Great is... It didn't get loaded into the system!)

    Step#6 - - THE END
    You are now clean!

    Final words of advice, tighten your browsers security, run spy/ad checks regularly, get good anti virus software, and ad blockers "like google has", and a firewall is always great too.

    Thanks to everyone for the hints they gave me along the way.
    This is for everyone that added to making this posting what it is today.
    I wish you all the best of luck
    -RaveDeNoir

    Yahoo IMs to RaveDeNoir


    This all works apart from the last part when I go to the AppInit_Dlls there is nothing but "0000 0" under modify binary data, no dll !

    Therefore it keeps coming back.

    Here is the most recent HJT scan:

    Logfile of HijackThis v1.97.3
    Scan saved at 16:12:04, on 08/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Labtec\Wireless Mouse\MOUSE32A.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\CConnect\CConnect.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\paul\My Documents\Fix tools\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lpnddaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lpnddaa.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lpnddaa.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lpnddaa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lpnddaa.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lpnddaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: {AB040101-8AA1-11D2-8DD1-00104BB5EAD6} - - (no file)
    O2 - BHO: (no name) - {DFE5B17C-27B7-42D5-A6F3-0FCA310B7E26} - C:\WINDOWS\System32\lpnddaa.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Wireless Mouse\MOUSE32A.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
    O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
    O9 - Extra button: SWFDecompiler (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    This is one pesky Trojan, HELP !!
    Thanks, Paul
    :ukflag:
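The two HijackThis logs Paul posted differ only in the DLL name (bmoab.dll in the first, lpnddaa.dll here), so the useful tell is the pattern, not the name. The Python triage script below is an added example written for this thread, not a tool from the forum, from HijackThis or from any of the posters: it parses lines in the HJT R0/R1/R3/O2/O17 shapes and flags a DLL that both serves the res:// search page and is loaded as a BHO, which is why fixing the R entries alone did not hold. The sample log lines are constructed from entries quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample: lines in the shape of the first log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.3
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bmoab.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: {AB040101-8AA1-11D2-8DD1-00104BB5EAD6} - - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38E8B490-2486-46F8-8CC9-633DD61BC08B} - (no file)
O2 - BHO: (no name) - {B6298919-7154-4C37-A218-AB0E154E3443} - C:\WINDOWS\System32\bmoab.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14
"""

# Constructed sample from the later log: same shape, DLL renamed.
SAMPLE_LOG_RENAMED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lpnddaa.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {DFE5B17C-27B7-42D5-A6F3-0FCA310B7E26} - C:\WINDOWS\System32\lpnddaa.dll
"""

# Line shapes used by HijackThis 1.97: "<section> - <body>"
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# A search/start page served out of a DLL resource: res://<path>.dll/<page>
RES_DLL_RE = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
# O2 line body: "BHO: <name> - {CLSID} - <path or (no file)>"
BHO_RE = re.compile(r"^BHO: .*? - \{[0-9A-F-]+\} - (?P<path>.+)$", re.IGNORECASE)
NS_RE = re.compile(r"NameServer = (?P<ip>[\d.]+)")


def parse_hjt(text):
    """Split a log into (section, body) pairs; headers and the process list are skipped."""
    items = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.append((m.group("sec"), m.group("body")))
    return items


def hijack_dlls(text):
    """DLLs that both serve a res:// search page (R0/R1) and are loaded as a BHO (O2).

    That pairing is the signature in this thread: the BHO is what keeps
    rewriting the R entries, so the DLL itself has to go, whatever its name."""
    res_dlls, bho_dlls = set(), set()
    for sec, body in parse_hjt(text):
        if sec in ("R0", "R1"):
            m = RES_DLL_RE.search(body)
            if m:
                res_dlls.add(m.group("dll").lower())
        elif sec == "O2":
            m = BHO_RE.match(body)
            if m and m.group("path").strip().lower().endswith(".dll"):
                bho_dlls.add(m.group("path").strip().lower())
    return res_dlls & bho_dlls


def triage(text):
    """Return (severity, section, reason) findings for the suspicious line shapes."""
    findings = []
    shared = hijack_dlls(text)
    for sec, body in parse_hjt(text):
        low = body.lower()
        if sec in ("R0", "R1") and RES_DLL_RE.search(body):
            findings.append(("high", sec, "search page served from a DLL resource: " + body))
        elif sec in ("R0", "R1") and low.endswith("= about:blank"):
            findings.append(("medium", sec, "start page reset to about:blank: " + body))
        elif "(no file)" in low:
            findings.append(("low", sec, "orphaned entry, safe to fix: " + body))
        elif sec == "O2":
            m = BHO_RE.match(body)
            if m and m.group("path").strip().lower() in shared:
                findings.append(("high", sec, "BHO backs the hijacked search page: " + body))
        elif sec == "O17":
            m = NS_RE.search(body)
            if m:
                findings.append(("medium", sec, "DNS server override, confirm with ISP: " + m.group("ip")))
    return findings


def summarize(text):
    """Count findings per severity, e.g. {'high': 2, 'medium': 3, 'low': 2}."""
    return dict(Counter(sev for sev, _, _ in triage(text)))


if __name__ == "__main__":
    for sev, sec, reason in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec:3} {reason}")
    print(summarize(SAMPLE_LOG), hijack_dlls(SAMPLE_LOG_RENAMED))
```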
  • edited May 2004
    Anyone out there?

    :ukflag:
  • Dexter Vancouver, BC Canada
    edited May 2004
    This "about:blank" guy is getting to be a pain in the ass, as it is showing variants, and the Reg fix is not working for everyone anymore. We'll have to keep hunting on this one. Sorry we don't have an easy answer for you offhand. :(

    Dexter...
  • Kwitko (Sheriff of Banning (Retired)) By the thing near the stuff Icrontian
    edited May 2004
    I found this thread over at Spywareinfo where people have had success uninstalling this beast. In a nutshell, at the part where you look in the AppInit_Dlls for the offending DLL, you need to use a program called Reglite, which is mentioned in that thread. Once the DLL has been identified, you can either use recovery mode to delete the DLL or if your drive is formatted with FAT instead of NTFS, booting with a Win9x boot floppy and delete the file that way.

    Good luck, keep us posted on your progress.
  • profdlp The Holy City Of Westlake, Ohio
    edited May 2004
    Mr. Kwitko wrote:
    ...if your drive is formatted with FAT instead of NTFS, booting with a Win9x boot floppy and delete the file that way...
    Great find!

    Even if it's NTFS, you may be able to delete it from a bootable floppy by using the NTFS Reader for DOS.

    Good luck!
  • primesuspect (Beepin n' Boopin) Detroit, MI Icrontian
    edited May 2004
    Prof: That doesn't work, because it's read only. Only the pay version enables writes to NTFS volumes.
  • profdlp The Holy City Of Westlake, Ohio
    edited May 2004
    Prof: That doesn't work, because it's read only. Only the pay version enables writes to NTFS volumes.
    So...pay for it. ;D

    ...prof didn't know that...sorry... :rolleyes:
  • BAK
    edited May 2004
    I just eliminated this trojan on one of our systems at work. If you have access to another computer this will work for you. After you have written down the exact file names (I have found that there are two DLL files in the system32 folder, one is the original file and the other is the current active file.), you can remove your hard drive and install it as a slave in another system. Then, you can cut the files from the system32 folder on the hard drive and paste them on a floppy. Reinstall your hard drive and run adaware 6.0 to remove any remaining traces of the virus.
  • dodo Landisville, PA
    edited May 2004
    BAK, could you explain more? what files are you putting on the floppy, and why?

    ~dodo
  • BAK
    edited May 2004
    dodo wrote:
    BAK, could you explain more? what files are you putting on the floppy, and why?

    ~dodo
    The files that you identify in your system32 folder as the about:blank trojan are the ones that need to be cut from the hard drive and pasted to the floppy. One of the files will have the current date for "date created"; the other file will have the date that your system was infected as the "date created". Both files are DLL files. The names will vary, as the virus changes the name each time it is copied. Find the file in your system32 folder with the current date and then look for another file with a recent date (around the time you noticed a problem) that is the exact file size. The files cannot be deleted (not even in safe mode), but can be cut and pasted if the hard drive is a slave in another system. After the files are removed Ad-aware will find and remove traces of the virus from your registry.
  • Mancabus Charlottesville, VA
    edited May 2004
    Actually I have had success deleting dll's by doing the following.

    First make sure file extensions are not being hidden, in windows explorer do a tools -> folder options -> view, then uncheck the box 'hide extensions for known file types'.

    Next find the offending dll, then rename it without the .dll extension to something like 111111.

    Upon reboot the file will now be deleteable.

    However, the pointers to the bad files, with original filenames, will still exist in the registry no matter which method you use.

    I have a customer with the same problem, and I have to say this is the most ricockulous piece of trash I have ever come across. But with this thread I have some more things to try to get it off the system.
  • BAK
    edited May 2004
    Mancabus wrote:
    Actually I have had success deleting dll's by doing the following.

    First make sure file extensions are not being hidden, in windows explorer do a tools -> folder options -> view, then uncheck the box 'hide extensions for known file types'.

    Next find the offending dll, then rename it without the .dll extension to something like 111111.

    Upon reboot the file will now be deleteable.

    However, the pointers to the bad files, with original filenames, will still exist in the registry no matter which method you use.

    I have a customer with the same problem, and I have to say this is the most ricockulous piece of trash I have ever come across. But with this thread I have some more things to try to get it off the system.

    The files for the about:blank trojan are hidden. However, renaming the file does not work because it simply creates a new file with a different name. You cannot even unhide the file in the properties dialogue box. I went through all of the suggestions I could find on how to remove this virus and unfortunately none of them worked. The only way that I could get rid of the files (without formatting the hard drive and reinstalling everything) was using another computer to remove them.
  • jlk
    edited June 2004
    First, let me say thanks to all the contributors here about this bastard of a trojan. I sympathize because I have spent the last two days trying to get rid of it. All the posters here led me to finally purge this nasty thing from my system. What I did.... Used CWShredder, Adaware (6) I think although when I downloaded it, it was called spyassassin, Spybot, Spyhunter, and Killbox. Ran all the programs and got everything registering clean. Went to my browser again and of course got the about:blank search engine up again. Closed that and went to killbox again and ran scan. A BHO entry identifying the offending dll file then came up. In my case it was labeled dmpfk.dll. Surprisingly when I did a file search for it and it came up my computer allowed me to delete it. This surprised me because of the previous posts where others were not able to delete it. Then I went to regedit and did a search/find of that dll. It came up in a subfile you wouldn't see unless you were specifically looking for it, I think it was called procserv32 or something like that. It had one other entry with the value "apartment" which is known to be associated with trojan viruses. I deleted the whole file and now appear to be clean even after boot. Hope this info helps. Good luck. JLK
  • edited June 2004
    Dang, I was gonna suggest this link if your problem was Win98 Based :(

    http://www.short-media.com/forum/showthread.php?t=13743
  • profdlp The Holy City Of Westlake, Ohio
    edited June 2004
    JGK150 wrote:
    Dang, I was gonna suggest this link if your problem was Win98 Based :(

    http://www.short-media.com/forum/showthread.php?t=13743
    There may still be hope:
    vanagon45 wrote:
    Just a quick note to possibly state the obvious. If attempting this solution on Windows XP, I believe all references to C:\Windows\System would need to be changed to C:\Windows\System32, and the reference to runme9x for PrcView would be simply runme.
    Give it a shot. :cool:
  • edited July 2004
    Hi all.

    If any of you still trying to fight the M.F., then try to delete the browser helper object from explorer in:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    You may find some keys there like {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}, depending on how many trojans you have and what you previously installed.
    Search for each of them in the registry & check what they are. If you don't know - delete the dll file it points to, the keys from the registry & from Browser Helper Objects.
    That's all folks :thumbsup: