Dreaded about:blank



#1 kagai

Posted 09 June 2005 - 12:58 PM

I have gone through dozens of threads all over the internet and followed all of the advice, but I still have a problem with about:blank (when I open IE the Home Page is set to http://xysearch.biz?wmid=3305). I have downloaded HJT, Killbox, AdAware, Spybot, Reglite, CWShredder, all to no avail. Please help me get rid of this junk! Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 1:59:47 PM, on 6/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\WINNT\runservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\KillBox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hammacher.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hammacher.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hammacher.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe



#2 OldTimer


Posted 09 June 2005 - 11:46 PM

Hello kagai and welcome to the BC forums. After reviewing your log I see no signs of viruses or malware at this time. The log is clean.

This log is unnaturally small. There are no browser settings and no auto-run entries. It also appears to be part of a company network. Have you checked with the Network Administrator to see if it is a network issue? I would start there and see what they say.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
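
The observation above about missing browser-settings entries can be checked mechanically. This is an added example, not part of either post: it assumes the usual HijackThis layout of `code - text` lines, with R codes holding the Internet Explorer start and search page settings, and uses a few lines copied from the log in post #1 as inline sample data. The "Unknown owner" list only surfaces the vendor field HijackThis printed, as a pointer for manual review rather than a verdict.

```python
import re
from collections import Counter

# Subset of the log from post #1, embedded so the example runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\Explorer.EXE
F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hammacher.com
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
"""

ENTRY = re.compile(r"^([A-Z])(\d{1,2}) - (.*)$")
# O23 body: "Service: <display> (<short name>) - <vendor> - <path>"
SERVICE = re.compile(r"^Service: (.+) \(([^()]+)\) - (.+?) - ([A-Za-z]:\\.+)$")

def parse_entries(log_text):
    """Return (code, body) per scan entry; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1) + m.group(2), m.group(3)))
    return entries

def parse_service(body):
    """Split an O23 body into its fields, or return None if it does not fit."""
    m = SERVICE.match(body)
    if not m:
        return None
    return dict(zip(("display", "short", "vendor", "path"), m.groups()))

def review(log_text):
    """Tally section groups and list the fields a reviewer would look at first."""
    entries = parse_entries(log_text)
    services = [s for code, body in entries
                if code == "O23" and (s := parse_service(body))]
    return {
        "groups": dict(Counter(code[0] for code, _ in entries)),
        "browser_setting_entries": [b for code, b in entries if code[0] == "R"],
        "services_unknown_owner": [(s["short"], s["path"]) for s in services
                                   if s["vendor"] == "Unknown owner"],
    }

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```
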


#3 kagai


Posted 10 June 2005 - 09:33 AM

Thanks for the reply. As I work in the IT department, I know it is not a network issue.

Something is going on with this computer. I can't change the home page, if I check properties on the IE icon the home page is about:blank, and if I open IE and go through Tools/Options the home page is the xysearch.biz link. Also, the favorites keep repopulating with 2 porn site links. Any suggestions?

#4 kagai


Posted 10 June 2005 - 11:39 AM

I think I found the culprit, but I am having a maddening time removing it. I ran Ad-Aware again and it found TGBRFV_5.dll. It couldn't delete it, so AdAware asked if I wanted it removed upon reboot and I chose yes. When it starts its scan, after rebooting, I get the Shutdown Error (something like C:\winnt\system32\services.exe aborted due to error code 0) and the computer restarts. I have booted into Safe Mode with the same results. I downloaded shutdown.exe and placed it into my WINNT folder, but whenever I try to use it (shutdown -a, shutdown /a) the shutdown continues and does not abort, which prevents me from removing this file. Any suggestions on a workaround for deleting the TGBRFV_5.dll file? When I look in the system32 folder, I can't find the file, but that is where AdAware says it is located. I have changed settings to view hidden and system files. Is there something else that I am missing that will allow me to see this dll? Or a utility that will let me target this one file?

I've also used Killbox to delete the file, but it never deletes.

Edited by kagai, 10 June 2005 - 12:52 PM.


#5 OldTimer


Posted 10 June 2005 - 01:43 PM

Hi kagai. Ok, let's try this.

Step #1

Download Pocket Killbox and unzip it to your desktop.

Double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

C:\Windows\system32\tgbrfv_.exe
C:\Windows\system32\TGBRFV_5.dll

  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you drop down that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Your system will reboot now.

Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

F2 - REG:system.ini: UserInit=Userinit.exe,

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Now go to the Control Panel>Internet Options and change the Home Page to whatever you want and then close Control Panel.

Step #3

Ok. Reboot your computer normally and test your Internet Explorer. Post back here with your results.

Cheers.

OT
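
The Killbox message quoted in Step #1 names PendingFileRenameOperations, the registry value (a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) where Windows keeps file operations deferred to the next boot. This is an added example, not part of the post and not Killbox's own code: it decodes the raw value data and reports which of the two files from Step #1 are not queued for deletion, so an emptied queue is noticed before rebooting. Both sample values are constructed.

```python
# Entries come in pairs: "\??\<source>" then a target; an empty target = delete.
NT_PREFIX = "\\??\\"

def encode_multi_sz(strings):
    """Build raw REG_MULTI_SZ bytes; used only to construct the samples below."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")

def decode_multi_sz(raw):
    """Split raw UTF-16LE REG_MULTI_SZ data, keeping embedded empty strings."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]          # terminator of the whole list
    if not text:
        return []
    if text.endswith("\0"):
        text = text[:-1]          # terminator of the last string
    return text.split("\0")

def pending_operations(raw):
    """Pair up the entries into operations with source, target and action."""
    items = decode_multi_sz(raw)
    if len(items) % 2:
        items.append("")          # tolerate a truncated final pair
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        target = dst.lstrip("!")  # a leading '!' marks "replace existing"
        ops.append({
            "source": src.removeprefix(NT_PREFIX),
            "target": target.removeprefix(NT_PREFIX) or None,
            "action": "rename" if target else "delete",
        })
    return ops

def missing_deletes(raw, wanted):
    """Return the wanted paths that are NOT queued for deletion."""
    queued = {op["source"].lower() for op in pending_operations(raw)
              if op["action"] == "delete"}
    return [p for p in wanted if p.lower() not in queued]

# The two paths listed in Step #1 above.
WANTED = [r"C:\Windows\system32\tgbrfv_.exe", r"C:\Windows\system32\TGBRFV_5.dll"]
# Constructed samples: an intact queue, and one emptied before the reboot.
QUEUED = encode_multi_sz([NT_PREFIX + WANTED[0], "", NT_PREFIX + WANTED[1], ""])
CLEARED = encode_multi_sz([])

if __name__ == "__main__":
    print(missing_deletes(QUEUED, WANTED))
    print(missing_deletes(CLEARED, WANTED))
```
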

#6 kagai


Posted 10 June 2005 - 04:11 PM

Thanks for your reply. The good news is I fixed the problem, the bad news is I did it before seeing your post, so I can't say whether that would have worked, or not.

This is what I did to remove the files. Because Pocket Killbox wasn't removing the files that I needed it to remove, for whatever reason, I had to go into the Recovery Console and delete them manually. Using my Win 2000 CD, I booted from the CD and chose repair, then repair with the Recovery Console.

Once logged on, I changed my directory to C:\WINNT\SYSTEM32. I used ATTRIB -R to remove the read-only attribute from the file TGBRFV_5.dll. Then I deleted both TGBRFV_5.dll and TGBRFV_5.exe. There were two other files that I was to look for according to internet sources, TGBRFV_.dll and TGBRFV_.exe, but neither of those was on my system.

After deleting those files, I rebooted and logged on normally. Once logged on, I went to start/run and typed %temp%. I then highlighted all items in that folder and deleted them.

I opened IE properties and changed the home page, and to be on the safe side, I also deleted all cookies and files. I then opened IE and the correct home page came up and I have yet to have any further problems.

To anyone reading this with this problem, please be aware that I did follow the other instructions given with this problem (such as, using HJT, and AdAware, and Pocket Killbox), so everything else was gone from my system, save for these two files that I couldn't get rid of. If you are in the same boat, everything looks good but you are still having problems setting your home page, I recommend going in through your recovery console and deleting the files listed above manually.

Thanks to everyone for their help.

#7 OldTimer


Posted 11 June 2005 - 09:47 AM

Sounds like this is closed.

OT



