Hey, i run hijackthis and removed what i've been told before .. and it works great untill i reboot my computer, it's all back !

Anyways, after running HijackThis and removing the files, i also run adware and i also run cwshredder, everything seems to work great .. i also delete all of my cookies and clear ie 6's history !

As soon as i reboot, About:Blank is set back as my homepage.

anyways here's what i get after running hijackthis ...

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Free Surfer\fs20.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\SIMONG~1\LOCALS~1\Temp\Rar$EX00.422\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {CF960536-98BA-40AD-A2E2-1BC8763B6920} - C:\WINDOWS\System32\ecmdca.dll
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -


Any help would be great ! Thanks

This was written by Mosaic 1, a security expert on another forum. Follow instuctions exactly. At the moment there is no easy way.

Get the latest CWShredder from this page. Do not run it yet:
CWShredder

Download TheKillbox from this link: here.
------------------
Sign off the internet.
Run CWShredder and press the fix Button to clean.


Stay off the internet!
Step Two:
Remove the reinstaller:
Go to start>Run and type regedit. Press enter.

Navigate to:
Open the registry and navigate here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Highlight Windows in the left pane.

Look in the right pane for this value:
AppInit_Dlls

You won't see any data there.

But if you right click on that and choose Modify Binary Data you will.

If nothing is there it should just show a few 0's.

But if they are hiding a dll they load to reinstall, it will show a path to it.


----------------------------
This is how one looks when there is only one file loading.
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...

Notice on the far right. You want to look there. It looks funny because all of the periods.

Look closely and you'll see the path and file name here was:
Windows\system32\mskkg.dll

This was the example. Yours will have its own file name. This is not the same file as you are seeing in your HijackThis log. Get its name the same as I just described.
--------------

Once you have the filename unzip TheKillBox and run it.

In the "Paste Full Path of File to Delete" box, copy and paste the following:

c:\windows\system32\filename Where filename is what you found as the filename in the appinit_dlls key in the registry.

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The c:\Windows\system32\filename listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot. Restart the Computer.

When you get back into Windows reset your Search and Home pages.

Look in the registry and remove the entry which should now be clearly visible and no longer hidden.


This last part and removing the AppInit_Dlls entry and its corresponding file is removing the reinstaller. So you do not get reinfected. Do not go on the internet until you have performed all of the steps.
--------------------------------

Hey Crunchie !

Thanks a lot -- i did what you told me and i rebooted my computer and it's now set to whatever i wanted !

Thanks again, this experience was just soo damn frustrating !!
Anyways take care buddy !

Thanx to Mosaic1. Cheers.

I figured I would drop a short note, as none of the above referenced suggestions would help me this go around. Between Norton Antivirus & Firewall, CWShredder, Spybot Search & Destroy, and Hijack This (all good programs) I could not fix this problem this time. My homepage would still revert back to the about:blank search page no matter what I did! After fooling around with my computer for nearly 4 hours, I finally fixed it by logging in as the administrator under safe mode and running the CWShredder, man that program is awesome (thanks merjin)!. Normally, my anti-virus would pick up everything under safe mode, or CWShredder would normally pick up everything in regular Windows operation, but not this time, my home page would still revert back to the about:blank. So I guess the virus coming in would effect even at the administrator level.

Anyway, hope that helps someone. I swear these viruses are getting more and more nasty! They seem to start spoofing or blocking themselves from being detected by my anti-virus and even start controlling it, like keeping my Live update from working and stopping from detecting viruses as well! It's getting harder and harder to stop the attacks! Thinking about getting a Mac instead!! LOL. Either that or stay away from the porn sites!!!

Thinking about getting a Mac instead!!

Bah! - just install Linux on your PC. :mrgreen:

Actually, just switching to a browser other than IE will protect you from a lot of this stuff if you need to stick with Windows.

Hi, my homepage has been set to About:blank and everytime i tried to fix the problem with CWShredder, it comes back everytime I restart the computer.

Splitting out your post to it's own thread so that you can recieve better assistance :)

http://www.daniweb.com/techtalkforums/thread6943.html

about:blank trojan removed!
(aka HomeOldSP hijacker)

I tried most adware programs to no avail.
The wicked pest kept returning.
Now I am happy to report that there is a cure:
Adware Away.
It is as easy as pie to use.
The about:blank trojan was killed in minutes.

Click "more" on Adware Away's menu.
Icons with names of various hijackers are displayed.
Click on those bothering you, and they're gone!!

In fact it also trashed
CoolWebSearch, Lycos SideSearch and IstBar -
trojans I didn't even know I had. All I can say,
"Adware Away is FANTASTIC".

www.AdwareAway.com

Now I am happy to report that there is a cure:
Adware Away.

Which is, unfortunatley, only a 5-day trial; after that you have to buy it. Funny that you'll find no mention of the fact that the trial is a download unless you dig to the bottom of their FAQ... :rolleyes:

I have or possibly had the ABOUT:BLANK malware problem. I took a lot of actions getting rid of the malware BHO dll that puts the the keys in the register and loads the SP.HTML page but I could not figure out how to find the malware dll that installs the BHO dll until I saw your post. I thought this was the solution so I traced your path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and guess what I don't have a windows under current version. I said oh well and searched the register for appinit_dll keys and guess what-- it has none. Do you have any idea how I could have this malware problem but without the indicators you describe. Earlier today this problem struck--I could not open the Iexplorer and than suddenly it opened at least 10 Iexplorer windows and my firewall router started to blink so fast I thought it was going to bounce off the table. I unplugged it. After unplugginig and rebooting I took all the Hijackthis and Adware actions to clean out all possible register entries and delete the DHO dll. I plugged back in the router and have been working okay since then (8 hr's ago). I am wondering that by unplugging and re-plugging my router the router will assign new local IP addresess on my LAN and this prevents the Malware from accessing the computer which had the malware problem. Any ideas on this or any other way I can find the hidden malware dll.

Have split out your post to it's own thread.

This was written by Mosaic 1, a security expert on another forum. Follow instuctions exactly. At the moment there is no easy way.

Get the latest CWShredder from this page. Do not run it yet:
CWShredder

Download TheKillbox from this link: here.
------------------
Sign off the internet.
Run CWShredder and press the fix Button to clean.


Stay off the internet!
Step Two:
Remove the reinstaller:
Go to start>Run and type regedit. Press enter.

Navigate to:
Open the registry and navigate here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Highlight Windows in the left pane.

Look in the right pane for this value:
AppInit_Dlls

You won't see any data there.

But if you right click on that and choose Modify Binary Data you will.

If nothing is there it should just show a few 0's.

But if they are hiding a dll they load to reinstall, it will show a path to it.


----------------------------
This is how one looks when there is only one file loading.
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...

Notice on the far right. You want to look there. It looks funny because all of the periods.

Look closely and you'll see the path and file name here was:
Windows\system32\mskkg.dll

This was the example. Yours will have its own file name. This is not the same file as you are seeing in your HijackThis log. Get its name the same as I just described.
--------------

Once you have the filename unzip TheKillBox and run it.

In the "Paste Full Path of File to Delete" box, copy and paste the following:

c:\windows\system32\filename Where filename is what you found as the filename in the appinit_dlls key in the registry.

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The c:\Windows\system32\filename listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot. Restart the Computer.

When you get back into Windows reset your Search and Home pages.

Look in the registry and remove the entry which should now be clearly visible and no longer hidden.


This last part and removing the AppInit_Dlls entry and its corresponding file is removing the reinstaller. So you do not get reinfected. Do not go on the internet until you have performed all of the steps.
--------------------------------

Ok, I'm having the problem too. Im not good with computers AT ALL. but I managed to get up to the part with the "few 0's." I just dont know what to do from there. Like I said, computers arent my best area so any help would be welcomed with open arms.

Ok, I'm having the problem too. Im not good with computers AT ALL. but I managed to get up to the part with the "few 0's." I just dont know what to do from there. Like I said, computers arent my best area so any help would be welcomed with open arms.

Try this instead, it's a newer fix.

Download dllfix from the following link.
http://tools.zerosrealm.com/dllfix.exe

Create a folder on your desktop, doubleclick on the dllfix and install it into the folder you just created.
1.Run start.bat and press option 1. 'output.txt' will be created in the folder. Post the results of the log here.

Download HijackThis from here & unzip it into it's own, permanent folder, (Not a temporary folder or the desktop & not directly on your hard drive).
If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & with all browser windows closed, press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

Start your own thread when you have done the above plz.

Your links to http://download.broadbandmedic.com/VbStuff/KillBox.zip arent working i get an error 400 :evil:

also the link to http://tools.zerosrealm.com/dllfix.exe isnt working either this page cannot be displayed yada yada :evil:

i am a member and i understand its possible to send programs over the daniweb so could u do so to me i can recieve emails from all parties

also u can send it over hotmail as i have around 250mb of space on there :eek:

i really like smileys :cheesy:

Hello The Unreal Wolf,

I don't know if you noticed, but this thread is almost a year old; a lot can change in that amount of time.

The Killbox is now called the Pocket Killbox, and can be downloaded here. I can't find a working link to DLLFix anywhere; my guess is that it isn't in use anymore. In any event, programs such as those are dangerous to use without having an expert give you directions that are specific to your particular infection.

If you need help, you should do the following:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded, follow these instructions to install and run the program:


Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HiajckThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log in a new thread of your own in this forum.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

As the member who originally started this thread has not responded for (exactly) 1 year, the thread is consided abandonded and is being locked.

If the original poster would like this thread re-activated, please PM a moderator. All other members should start their own threads for their questions.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.