This was written by Mosaic 1, a security expert on another forum. Follow instuctions exactly. At the moment there is no easy way.
Get the latest CWShredder from this page. Do not run it yet:
CWShredderDownload TheKillbox from this link: here.
------------------
Sign off the internet.
Run CWShredder and press the fix Button to clean.
Stay off the internet!
Step Two:
Remove the reinstaller:
Go to start>Run and type regedit. Press enter.Navigate to:
Open the registry and navigate here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Highlight Windows in the left pane.Look in the right pane for this value:
AppInit_DllsYou won't see any data there.
But if you right click on that and choose Modify Binary Data you will.
If nothing is there it should just show a few 0's.
But if they are hiding a dll they load to reinstall, it will show a path to it.
----------------------------
This is how one looks when there is only one file loading.
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...Notice on the far right. You want to look there. It looks funny because all of the periods.
Look closely and you'll see the path and file name here was:
Windows\system32\mskkg.dllThis was the example. Yours will have its own file name. This is not the same file as you are seeing in your HijackThis log. Get its name the same as I just described.
--------------Once you have the filename unzip TheKillBox and run it.
In the "Paste Full Path of File to Delete" box, copy and paste the following:
c:\windows\system32\filename Where filename is what you found as the filename in the appinit_dlls key in the registry.
Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The c:\Windows\system32\filename listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot. Restart the Computer.
When you get back into Windows reset your Search and Home pages.
Look in the registry and remove the entry which should now be clearly visible and no longer hidden.
This last part and removing the AppInit_Dlls entry and its corresponding file is removing the reinstaller. So you do not get reinfected. Do not go on the internet until you have performed all of the steps.
--------------------------------
I have or possibly had the ABOUT:BLANK malware problem. I took a lot of actions getting rid of the malware BHO dll that puts the the keys in the register and loads the SP.HTML page but I could not figure out how to find the malware dll that installs the BHO dll until I saw your post. I thought this was the solution so I traced your path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and guess what I don't have a windows under current version. I said oh well and searched the register for appinit_dll keys and guess what-- it has none. Do you have any idea how I could have this malware problem but without the indicators you describe. Earlier today this problem struck--I could not open the Iexplorer and than suddenly it opened at least 10 Iexplorer windows and my firewall router started to blink so fast I thought it was going to bounce off the table. I unplugged it. After unplugginig and rebooting I took all the Hijackthis and Adware actions to clean out all possible register entries and delete the DHO dll. I plugged back in the router and have been working okay since then (8 hr's ago). I am wondering that by unplugging and re-plugging my router the router will assign new local IP addresess on my LAN and this prevents the Malware from accessing the computer which had the malware problem. Any ideas on this or any other way I can find the hidden malware dll.
