Please talk me through the extermination of About:blank ? (RESOLVED)

  1. #1
    Dhamma is offline Newbie

    Hi

    Could you please do the honours and help me get rid of About:blank?
    I was naive, I know, to omit getting the bl**dy thing protected against this curse in the first place! Can't even send anyone an email because it hops, skips and jumps back to planet abouti**ing blank. Excuse my language, your help would be greatly appreciated!


  2. #2
    Dhamma is offline Newbie
    Hi

    I've just tried following a previous remedy on this site but now cannot even get on the 2 websites recommended for downloading the fix. I get the Page cannot be found treatment, please advise

  3. #3
    Neal is offline Dedicated Member
    Hi,

    Download the new version of hijackthis here:
    http://www.thatcomputerguy.us/downloads-cat4.html
    or here:
    http://majorgeeks.com/download3155.html

    Please put your HJT in a folder on your desktop or Create a folder HJT such as C:\HJT or C:\Program Files\HJT. Copy or drag-and-drop the HijackThis program to the newly created folder. Then make or alter the shortcut to the HJT program.

    Notepad will open up and results of scan will be there, copy and paste that into your next reply. Thanks.

    If you can't do this on your computer, download HijackThis and burn it to disk from an uninfected computer, then run it on your computer.

    We can also do this with the fix tools needed.

  4. #4
    Dhamma is offline Newbie
    Hi Neal

    Please see the below report, I look forward to your reply.

    Thanks

    Daniel



    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\BT Yahoo! Internet\ModemLock.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\ismserv.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\system32\ntfrs.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\Program Files\Exchsrvr\bin\exmgmt.exe
    C:\Program Files\Exchsrvr\bin\mad.exe
    C:\WINNT\System32\mqsvc.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\program files\bt yahoo! internet\Watchdog.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\program files\bt yahoo! internet\DialBTYahoo.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\A36OL4QU\hijackthis1991[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.btyahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.btyahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.btyahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.btyahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btopenworld.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {FFB04252-1B92-40B6-8BBF-018B5A1FE684} - C:\WINNT\system32\jmei.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
    O4 - HKLM\..\Run: [BT Modem Lock] "c:\program files\bt yahoo! internet\Watchdog.exe" -rk
    O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/temp...control025.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Flitton.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A2597A44-FD5D-4B8D-854C-802519F612F1}: NameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E4B30FD3-7E38-429D-A2B7-823E5787A7A4}: NameServer = 213.1.119.99 213.1.119.100
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Flitton.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Flitton.local
    O18 - Filter: text/html - {FE586C21-A248-482A-ADA4-54FADF18963D} - C:\WINNT\system32\jmei.dll
    O18 - Filter: text/plain - {FE586C21-A248-482A-ADA4-54FADF18963D} - C:\WINNT\system32\jmei.dll
    O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)










  5. #5
    Neal is offline Dedicated Member
    Welcome back,

    Go into add/remove program and remove:(IF FOUND)

    spyware begone
    spyware vanisher
    spyware cleaner
    ---all of these programs are considered rogue programs giving false positives and aggressive advertising

    reboot if anything was removed

    Why don't you download Firefox browser and use it thru this fix.

    Firefox download page:---www.mozilla.org/products/firefox/


    It's more secure than IE anyway, you can switch back and forth as I do.

    And it is uninstallable thru add/remove programs.

    It will not take very long to download, at least it didn't on my machine.

    This will help in keeping the infection from coming back after reboot.


    Make sure you can see hidden files.
    In Windows XP
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.
    After you're cleaned, please "rehide" them again.


    Please read the complete post first, you should copy and paste this post to a new text Document or print it.
    Download and install http://www.ccleaner.com/ccdownload.php ---do not run the tool yet please

    Download and install Adaware, uncheck "show help file" and "perform full system scan" at the end of the installing routine, perform the update and close Adaware. You will need it later

    Download and save to your Desktop, don't run it now, we will use it later:
    http://securityresponse.symantec.com...r/FxAgentB.exe

    Download About:Buster from here:

    http://majorgeeks.com/download4289.html

    Check for updates and then exit do not run the tool yet please.

    Download http://cwshredder.net/bin/CWShredder.exe. Then close every window and disconnect from Internet.


    Disconnect from the internet....pull the plug...very important or fix will fail

    Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.

    Run HijackThis
    Click on scan and put a check on the following lines, if they are still there

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {FFB04252-1B92-40B6-8BBF-018B5A1FE684} - C:\WINNT\system32\jmei.dll---this file name probably will have changed but still in the same place

    O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

    O18 - Filter: text/html - {FE586C21-A248-482A-ADA4-54FADF18963D} - C:\WINNT\system32\jmei.dll
    O18 - Filter: text/plain - {FE586C21-A248-482A-ADA4-54FADF18963D} - C:\WINNT\system32\jmei.dll

    O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)



    Make sure all browser and all Windows Explorer windows are closed and click on fix.

    Now, run About:Buster as many times as it takes until it does not find anything.

    Double click the CWShredder icon on your Desktop.
    Click Fix, ok and then Next, let it fix everything it asks about.

    Shut down all running programs, make sure that you are not connected to the internet!
    Double-click the FxAgentB.exe file to start the removal tool.
    Save the log it makes and post it in your next reply.
    Please do NOT start any other applications until the removal tool exits and the computer is restarted.

    Restart the computer/Back into safe mode

    Run the removal tool again to ensure that the system is clean.

    Hunt for and delete these files/folders: while still in safe mode

    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll < file
    C:\WINNT\system32\jmei.dll---probably will have changed, it is the O2 above and will be the same file as the two O18's
    gxlib.exe < file---this is a trojan
    C:\Program Files\spywarevanisher-free < folder
    C:\Program Files\SpywareBegone < folder
    C:\Program Files\Spyware Cleaner < folder
    C:\WINNT\web\related.htm < file


    Start Ccleaner and click: Run Cleaner./use windows tab only

    Run Adaware and perform a full system scan.

    Reboot and post a new HijackThis log.
    Last edited by Neal; 04-10-2005 at 08:54 PM.
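
The cleanup list in the post above comes from reading across the HijackThis sections: the same DLL shows up as both an O2 BHO and the two O18 filters, and se.dll is referenced from an R1 search bar and an O4 Run entry. The sketch below is an added example, not part of the original thread and not HijackThis's own logic; it parses a subset of the log lines posted earlier in this thread and applies three triage heuristics that are assumptions made for illustration (the function names are hypothetical).

```python
import re
from collections import defaultdict

# Subset of the HijackThis log posted in this thread (forum line-wrap spaces removed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FFB04252-1B92-40B6-8BBF-018B5A1FE684} - C:\WINNT\system32\jmei.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [BT Modem Lock] "c:\program files\bt yahoo! internet\Watchdog.exe" -rk
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {FE586C21-A248-482A-ADA4-54FADF18963D} - C:\WINNT\system32\jmei.dll
O18 - Filter: text/plain - {FE586C21-A248-482A-ADA4-54FADF18963D} - C:\WINNT\system32\jmei.dll
"""

# "R1 - ...", "O4 - ...", "O18 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")
# A drive-letter path ending in one of the file types seen in this log.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|,/]*?\.(?:dll|exe|ocx|htm)\b', re.IGNORECASE)
# The command part of an O4 Run entry: everything after "[value name] ".
RUN_CMD_RE = re.compile(r"Run: \[[^\]]*\]\s+(.+)$")


def parse_entries(log_text):
    """Return (section, body) for every entry line; process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def file_references(entries):
    """Map each referenced file (lower-cased) to the set of sections that point at it."""
    refs = defaultdict(set)
    for section, body in entries:
        for path in PATH_RE.findall(body):
            refs[path.lower()].add(section)
    return refs


def triage(log_text):
    """Return {file: [reasons]} for files worth a closer look (illustrative heuristics)."""
    entries = parse_entries(log_text)
    findings = defaultdict(list)
    for path, sections in file_references(entries).items():
        # Heuristic 1 (assumption): browser or startup hooks should not load from Temp.
        if "\\temp\\" in path:
            findings[path].append("loaded from a Temp directory")
        # Heuristic 2 (assumption): one file hooked in from several sections,
        # e.g. the same DLL as an O2 BHO and as O18 protocol filters.
        if len(sections) > 1:
            findings[path].append("referenced by sections " + ", ".join(sorted(sections)))
    for section, body in entries:
        command = RUN_CMD_RE.search(body)
        # Heuristic 3 (assumption): a Run command with no full path is resolved
        # through the search path, so the log does not say which file runs.
        if section == "O4" and command and not PATH_RE.search(command.group(1)):
            findings[command.group(1).lower()].append("Run entry without a full path")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(name)
        for reason in reasons:
            print("   -", reason)
```
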

  6. #6
    Dhamma is offline Newbie
    Hi Neal

    Please see the Remover log:

    Symantec Backdoor.Agent.B Removal Tool 1.0.1.2


    C:\System Volume Information: (not scanned)
    Backdoor.Agent.B has not been found on your computer.

    There were a couple of files that I could not find to remove:

    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll < file
    C:\WINNT\system32\jmei.dll---probably will have changed, it is the O2 above and will be the same file as the two O18's
    gxlib.exe < file---this is a trojan

    Here is the Hijack log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:14:13 PM, on 10/8/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\BT Yahoo! Internet\ModemLock.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\ismserv.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\system32\ntfrs.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\Program Files\Exchsrvr\bin\exmgmt.exe
    C:\Program Files\Exchsrvr\bin\mad.exe
    C:\WINNT\System32\mqsvc.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\program files\bt yahoo! internet\Watchdog.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Documents and Settings\Administrator\Desktop\HJT.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.btyahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.btyahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.btyahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.btyahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btopenworld.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {FFB04252-1B92-40B6-8BBF-018B5A1FE684} - C:\WINNT\system32\jmei.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
    O4 - HKLM\..\Run: [BT Modem Lock] "c:\program files\bt yahoo! internet\Watchdog.exe" -rk
    O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/temp...control025.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Flitton.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A2597A44-FD5D-4B8D-854C-802519F612F1}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Flitton.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Flitton.local
    O18 - Filter: text/html - {FE586C21-A248-482A-ADA4-54FADF18963D} - C:\WINNT\system32\jmei.dll
    O18 - Filter: text/plain - {FE586C21-A248-482A-ADA4-54FADF18963D} - C:\WINNT\system32\jmei.dll
    O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)

    Many thanks for your help so far, I look forward to your reply

    Daniel











  7. #7
    Neal is offline Dedicated Member
    Let's try this again,


    Go into add/remove program and remove:(IF FOUND)--I did not put that frown there????

    spyware begone
    spyware vanisher
    spyware cleaner---all of these programs are considered rogue programs giving false positives and aggressive advertising

    reboot if anything was removed

    Make firefox your default browser when it asks you

    Why don't you download Firefox browser and use it thru this fix.

    Firefox download page:---FireFox


    It's more secure than IE anyway, you can switch back and forth as I do.

    And it is uninstallable thru add/remove programs.

    It will not take very long to download, at least it didn't on my machine.

    This will help in keeping the infection from coming back after reboot.

    Show hidden files/folders first
    Windows 2000
    1. Open My Computer.
    2. Select the Tools menu and click Folder Options.
    3. Select the View Tab.
    4. Under the Hidden files and folders heading select Show hidden files and folders.
    5. Uncheck the Hide protected operating system files (recommended) option.
    6. Click Yes to confirm.
    7. Click OK.

    Disconnect from the internet....pull the plug...very important or fix will fail

    Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.

    Scan only with HJT and put a check next to these items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {FFB04252-1B92-40B6-8BBF-018B5A1FE684} - C:\WINNT\system32\jmei.dll

    O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

    O18 - Filter: text/html - {FE586C21-A248-482A-ADA4-54FADF18963D} - C:\WINNT\system32\jmei.dll
    O18 - Filter: text/plain - {FE586C21-A248-482A-ADA4-54FADF18963D} - C:\WINNT\system32\jmei.dll


    STILL IN SAFE MODE

    Shut down all running programs, make sure that you are not connected to the internet!
    Double-click the FxAgentB.exe file to start the removal tool.
    Save the log it makes and post it in your next reply.
    Please do NOT start any other applications until the removal tool exits and the computer is restarted.

    Reboot your computer back into safe mode

    Now, run about:Buster as many times as it takes until it does not find anything.

    Double click the CWShredder icon on your Desktop.
    Click Fix, ok and then Next, let it fix everything it asks about.

    Do this again
    Shut down all running programs, make sure that you are not connected to the internet!
    Double-click the FxAgentB.exe file to start the removal tool.
    Save the log it makes and post it in your next reply.
    Please do NOT start any other applications until the removal tool exits and the computer is restarted.

    Reboot back into safe mode




    Hunt for and delete these files/folders:

    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll---This in a Temporary folder

    C:\WINNT\system32\jmei.dll---This is in the system32 folder

    gxlib.exe

    C:\Program Files\spywarevanisher-free < folder

    C:\Program Files\SpywareBegone < folder

    C:\Program Files\Spyware Cleaner < folder

    C:\WINNT\web\related.htm < file

    Now reboot normal mode and get on the internet to download Ewido and do the below please

    Run Ewido Trojan scanner from safe mode below:

    Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


    Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.


    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

  8. #8
    Dhamma is offline Newbie
    Hi Neal

    Had another go, still could not find those files to delete in the Temp files and what have you.

    Please see the Ewido log:

    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 1:23:12 PM, 10/15/2005
    + Report-Checksum: FCD3B28C

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\SearchAssistant Uninstall -> Spyware.CoolWebSearch : Cleaned with backup
    HKU\S-1-5-21-602162358-113007714-1343024091-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
    [2380] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll -> Spyware.Hijacker.Generic : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wo0ii2zq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    :mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wo0ii2zq.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wo0ii2zq.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    :mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wo0ii2zq.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wo0ii2zq.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wo0ii2zq.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wo0ii2zq.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
    :mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wo0ii2zq.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    :mozilla.36:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wo0ii2zq.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    :mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wo0ii2zq.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\Administrator\Desktop\backups\backup-20051008-132109-827.dll -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\Documents and Settings\Administrator\Local Settings\Temp\se.dll -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\Program Files\Internet Explorer\rwdnkwkp.exe -> Trojan.LowZones.cp : Cleaned with backup
    C:\web.exe -> Trojan.LowZones.cp : Cleaned with backup


    ::Report End

    ....and the latest HJT log:


    Logfile of HijackThis v1.99.1
    Scan saved at 2:26:20 PM, on 10/15/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\BT Yahoo! Internet\ModemLock.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINNT\System32\ismserv.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\system32\ntfrs.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\Program Files\Exchsrvr\bin\exmgmt.exe
    C:\Program Files\Exchsrvr\bin\mad.exe
    C:\WINNT\System32\mqsvc.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Exchsrvr\bin\store.exe
    C:\Program Files\Exchsrvr\bin\emsmta.exe
    C:\WINNT\Explorer.EXE
    C:\program files\bt yahoo! internet\DialBTYahoo.exe
    C:\program files\bt yahoo! internet\Watchdog.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\Administrator\Desktop\HJT.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.btyahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.btyahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.btyahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.btyahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btopenworld.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
    O4 - HKLM\..\Run: [BT Modem Lock] "c:\program files\bt yahoo! internet\Watchdog.exe" -rk
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/temp...control025.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Flitton.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A2597A44-FD5D-4B8D-854C-802519F612F1}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Flitton.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Flitton.local
    O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


    The good thing is that I can now access my email account without reverting to the aforementioned anti-christ, the only other minor annoyance is the odd pop-up here and there. Do you think that the PC is now well enough or that it needs a little more TLC?

    Thanks for your help

    Daniel

  9. #9
    Neal is offline Dedicated Member
    Welcome back, good job, but it is going to come back because the se.dll is still showing in your HJT log.

    Make sure you can see hidden files/folders
    In Windows XP
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.
    After you're cleaned, please "rehide" them again.



    Go to start >run and type: services.msc and click OK
    Scroll down in that list and look if the following services are present:

    Network Security Service (NSS)
    Remote Procedure Call (RPC) Helper
    Workstation NetLogon Service

    Please make sure it is written exactly the same as above, because there are also legit services that look very much the same as the ones above, so please choose the right one!! For example, there's also a legit service called Remote Procedure Call (RPC), without the word Helper in it. That is a good one, so please don't select that one.

    Double-click on the service(s). In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
    Click Apply and OK and close all open windows.


    Next:

    Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type whichever rogue service you found (if any) and press OK. OK any prompts, close HijackThis, and restart your computer. Do the same again if there is more than one:

    Network Security Service (NSS)
    Remote Procedure Call (RPC) Helper
    Workstation NetLogon Service



    Some hidden process may be hampering the deletion of the bad files and the infection.
    So let's do this:

    1. Please download dllcompare (a scanner to locate hidden DLL files) from this location:
    * DllCompare.exe
    2. When you execute dllcompare.exe, by default the c:\windows\system32 is selected. This can be changed to scan your entire computer for any file type - simply select the path and check off the box labelled "Include SubDirectories"
    3. Click on "Locate.com" and allow the scan to complete.
    4. After the scan has finished click on "Compare" to scan for the files that Windows does not see. This step will take a few minutes to run.
    5. If the box at the bottom of the screen contains any files, these are the ones that are hidden - Click on "Make a Log of what was Found".
    6. When prompted to "View Log File" click on "Yes".
    7. Notepad will open with the log file contents.
    8. In Notepad, click on "Edit" => "Select All" => "Edit" => "Copy" and post the contents as a reply to this message.


    Then:


    Scan with HJT again and put a check next to these items, making sure all browser windows are closed, including this one, so print this or create a new text document on the desktop by right-clicking an open area, selecting New Text Document, and saving it as whatever you like. Now put a check next to these:

    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall


    Again make sure all browser windows are closed and click FIX

    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press Enter.

    Now please look for this file again:


    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll --- click Start, click Search, type in se.dll and press Enter

    Or try to type this and press Enter: se.dll,DllInstall


    Reboot and post a new HJT log and the dllcompare log as well please, thanks.
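
The reply above says the infection will return because the `[sp]` Run entry still reloads `se.dll` from the Temp folder at every logon. As an added example (not part of the original post or of HijackThis), this Python sketch parses O4 lines in the log format shown in the thread and flags autostart entries that point into a temp directory or load a DLL through rundll32; the function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the HijackThis format shown in the thread
# (the space the forum inserted in "DllInstall" is removed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
"""

# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
RUN_ENTRY = re.compile(
    r'^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# A path component named Temp or Tmp anywhere in the command line.
TEMP_DIR = re.compile(r'\\(?:temp|tmp)\\', re.IGNORECASE)
# "rundll32 <dll>,<export>": a DLL run through the system host process.
RUNDLL = re.compile(
    r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>[^,]+),(?P<export>\S+)',
    re.IGNORECASE)


def parse_run_entries(log_text):
    """Return one dict (key, name, cmd) per O4 registry Run entry."""
    entries = []
    for line in log_text.splitlines():
        match = RUN_ENTRY.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def flag_entry(entry):
    """Return the reasons an autostart entry deserves a closer look."""
    reasons = []
    if TEMP_DIR.search(entry["cmd"]):
        reasons.append("target in a temp directory")
    match = RUNDLL.match(entry["cmd"])
    if match:
        reasons.append("DLL loaded via rundll32: " + match.group("dll").strip())
    return reasons


def suspicious(log_text):
    """Map Run value name -> reasons, for flagged entries only."""
    flagged = {}
    for entry in parse_run_entries(log_text):
        reasons = flag_entry(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged
```

Running `suspicious()` on a log taken after the fix and reboot should return an empty dict; an entry that reappears means something is still rewriting the Run key.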

  10. #10
    Dhamma is offline Newbie
    Hi

    Still could not find that last file to remove.

    Please see dllcompare log:

    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    O^E says: "There were no files found "
    ________________________________________________

    2,011 items found: 2,011 files, 0 directories.
    Total of file sizes: 284,165,645 bytes 271.00 M

    Administrator Account = True

    --------------------End log---------------------


    Here is the latest HJT:

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\BT Yahoo! Internet\ModemLock.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINNT\System32\ismserv.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\system32\ntfrs.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\Program Files\Exchsrvr\bin\exmgmt.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\program files\bt yahoo! internet\Watchdog.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\svchost.exe
    C:\Documents and Settings\Administrator\Desktop\HJT.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.btyahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.btyahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.btyahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.btyahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btopenworld.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
    O4 - HKLM\..\Run: [BT Modem Lock] "c:\program files\bt yahoo! internet\Watchdog.exe" -rk
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/temp...control025.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Flitton.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A2597A44-FD5D-4B8D-854C-802519F612F1}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Flitton.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Flitton.local
    O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    Thanks
