
This one's a tough one...
Ok, here's a rundown of the prob. I'll try to keep it short and in point form.
Norton detected a backdoor trojan in the file \system32\wdm.dll. Norton could not repair this, so I manually (or so I thought) fixed this prob through regedit. The Norton alert about wdm.dll stayed, but I could not find wdm.dll anywhere and a scan produced zero viruses. So I thought something wonky had happened but the problem was fixed. This was months ago. Next I have been dealing with this about::blank problem, and when I researched this I followed a solution that suggested using HJT and Advanced Process Manipulation (it did not work for me as there was no missing .dll file). So next I tried this:
----------------------------------------------------------------------
This was written by Mosaic 1, a security expert on another forum. Follow the instructions exactly. At the moment there is no easy way.

Get the latest CWShredder from this page. Do not run it yet:
CWShredder

Download TheKillbox from this link: here.
------------------
Sign off the internet.
Run CWShredder and press the fix Button to clean.
Stay off the internet!
Step Two:
Remove the reinstaller:
Go to start>Run and type regedit. Press enter.

Open the registry and navigate here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Highlight Windows in the left pane.

Look in the right pane for this value:
AppInit_Dlls

You won't see any data there.

But if you right click on that and choose Modify Binary Data you will.

If nothing is there it should just show a few 0's.

But if they are hiding a dll they load to reinstall, it will show a path to it.


----------------------------
This is how one looks when there is only one file loading.
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...

Notice the far right column. You want to look there. It looks funny because of all the periods.

Look closely and you'll see the path and file name here was:
Windows\system32\mskkg.dll

This was the example. Yours will have its own file name. This is not the same file as you are seeing in your HijackThis log. Get its name the same as I just described.
--------------

Once you have the filename unzip TheKillBox and run it.

In the "Paste Full Path of File to Delete" box, copy and paste the following:

c:\windows\system32\filename, where filename is what you found as the filename in the AppInit_DLLs value in the registry.

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The c:\Windows\system32\filename listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot. Restart the Computer.

When you get back into Windows reset your Search and Home pages.

Look in the registry and remove the entry which should now be clearly visible and no longer hidden.


This last part and removing the AppInit_Dlls entry and its corresponding file is removing the reinstaller. So you do not get reinfected. Do not go on the internet until you have performed all of the steps.
------------------------------------------------------------------------
After trying this I discovered the hidden file was the wdm.dll file! After following the above process step by step, I double-checked in regedit to find that under AppInit_DLLs the value was still C:\Windows\System32\wdm.dll, which apparently contains the backdoor.trojan that Norton can't fix. I have tried all this with System Restore off. Another solution suggested using the Windows Recovery Console and the attrib command to change the wdm file. As of now I do not have a hijacked web page, but I still have this wdm.dll backdoor.trojan problem, which could mean that I will continue to experience the IE pain of about::blank. Under HJT I found something containing wdm.dll but could not destroy it. Has anyone ever encountered this before, or have any idea how to help me? If so, thanks much in advance.
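Reading that binary-editor dump by eye is error-prone. The following is an added Python example, not part of Mosaic1's instructions or this thread, that reassembles the bytes from a pasted regedit "Modify Binary Data" listing and decodes the UTF-16LE path hidden in the AppInit_DLLs value. The sample input is the dump quoted above, copied in as constructed data; its first wchar is the 00 00 shown on the page, so the decoded string begins at the colon.

```python
import re
from typing import List

# Constructed input: the regedit binary-data listing quoted in the
# instructions above, including the leading 00 00 wchar exactly as shown.
SAMPLE_DUMP = r"""
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...
"""

# Constructed input: a clean value, which the editor shows as a few 0's.
EMPTY_DUMP = "0000 00 00 00 00 ....\n"

# offset (4 hex digits), 1..8 hex byte pairs, then the ASCII column or EOL
_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4})((?:\s+[0-9A-Fa-f]{2}){1,8})(?:\s|$)")


def dump_to_bytes(dump: str) -> bytes:
    """Reassemble raw bytes from a regedit binary-editor listing.

    Every line's offset is checked against the bytes collected so far, so a
    mis-copied or dropped line raises instead of silently shifting the data.
    """
    out = bytearray()
    for lineno, line in enumerate(dump.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a binary-editor line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"line {lineno}: offset {offset:#06x}, expected {len(out):#06x}")
        out += bytes.fromhex(m.group(2))   # fromhex ignores the spaces
    return bytes(out)


def appinit_paths(dump: str) -> List[str]:
    """Decode the DLL path(s) an AppInit_DLLs value would load.

    The bytes are UTF-16LE text (what "Modify Binary Data" shows for a string
    value); NUL wchars terminate or pad it, so split on them and drop empties.
    An all-zero value decodes to [], meaning no reinstaller is registered.
    """
    text = dump_to_bytes(dump).decode("utf-16-le", errors="replace")
    return [part for part in text.split("\x00") if part]


if __name__ == "__main__":
    print(appinit_paths(SAMPLE_DUMP))  # [':\\windows\\system32\\mskkg.dll']
    print(appinit_paths(EMPTY_DUMP))   # []
```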


Thank you so much... worked like a charm and I couldn't be happier.
One last thing... I am no longer subscribed to Norton, but I still use the anti-virus. Do you recommend AVPE anti-virus as a free one with updates?
