Tom's Guide | Tom's Hardware | Tom's Games
Hi (again)...for a couple of weeks, I've been besieged by hijacks of the 'about:blank' home page redirect variety. I've managed to cleanse my system many times lately, via CWShredder, Spybot, Hijack This, Registry First Aid, etc etc. I also use the firewall and antivirus at all times.
HOWEVER...I've got a redirect now that is so bloody tenacious...I have run, this morning alone, all the above programs many times, rebooted, and I still have the redirect. The problem seems to centre around one .dll in my Windows\system folder...I can't erase it manually because, of course, Windows is using it.
This is getting so very frustrating, and I work at home on this comp, so even more so! I can't seem to find a solution this time. Of interest also, I can clean the system before I shut down for the night, and the next day, it all comes back. Any ideas? Please help!
Thanks in advance
Jon

Go to Control Panel, then to System, click on Performance, then File System, then Troubleshooting, then check "Disable System Restore" and restart. You should be able to delete the file in question as Windows shouldn't be using it. After you have run through all your virus programs (sorry, I know you already have done, but do it just to make sure) go back to System in Control Panel, uncheck the System Restore option and re-boot. Hope this works, as I've learnt a few nifty tricks from the guys who use this forum... they are really great!!!! Linda x
I have the Downloader.Swizzor trojan on my PC; I cannot access my documents or anything other than programs I have put there, e.g. anti-virus etc. I've done all the usual checks and I have chased the tr

Thanks for the attempt, Linda, but no go. This one is totally baffling me. I can't eliminate the .dll in windows, and it is the one cited in Hijack This that runs rampant in various capacities. Each time I clean with Adaware, Hijack This, Trojan Remover, and CWShredder, it says clean, and I can see no further culprits. On reboot, it's back.
The .dll in my Windows/system folder that is cited in Hijack This is "kcabgaa.dll", says created this a.m. but I can't get rid of it as Windows is using it.
Please, any more insight?
Thanks!
Jon

Hi Jon, Linda, hello everyone
Jon,
Post your hijackthis log for us to take a look at.
Best Regards,
Mesich

Mesich: I am grateful to see you! I have checked out your other fixes with other people. Remember, all the wrongful entries below have been cleansed dozens of times. It is something that refreshes, that seems to reinstall the problem. The .dll file named "KCABGAA.DLL" cannot be erased from the Windows System folder, it states created today. I am hoping to slay this beast, and your help is appreciated.
Running processes:
C:\WINDOWS.002\SYSTEM\KERNEL32.DLL
C:\WINDOWS.002\SYSTEM\MSGSRV32.exe
C:\WINDOWS.002\SYSTEM\mmtask.tsk
C:\WINDOWS.002\SYSTEM\MPREXE.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.exe
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.exe
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\CCPXYSVC.exe
C:\WINDOWS.002\SYSTEM\STIMON.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.exe
C:\WINDOWS.002\SYSTEM\MSTASK.exe
C:\WINDOWS.002\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS.002\EXPLORER.exe
C:\WINDOWS.002\TASKMON.exe
C:\WINDOWS.002\SYSTEM\SYSTRAY.exe
C:\WINDOWS.002\LOADQM.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.exe
C:\WINDOWS.002\SYSTEM\LVCOMS.exe
C:\WINDOWS.002\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.exe
C:\WINDOWS.002\SYSTEM\PSTORES.exe
C:\WINDOWS.002\SYSTEM\SPOOL32.exe
C:\WINDOWS.002\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {2B2AA4D2-59B8-4DCB-A69F-839E0AFEB04E} - C:\WINDOWS.002\SYSTEM\KCABGAA.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.002\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.002\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS.002\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.exe
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS.002\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Personal Firewall\NISUM.exe
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS.002\SYSTEM\STIMON.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37881.4912268519
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://secure.equinoxfinancial.ca/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Thanks!
Jon
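The log above is the whole case: two kinds of lines point at the same DLL, the R0/R1 Internet Explorer settings (a `res://` URL serving a page embedded in KCABGAA.DLL) and an unnamed O2 browser helper object loading that same file, plus an R3 line saying the default search hook is gone. The triage script below, an editor's added example and not anything posted in the thread or shipped with HijackThis, parses a few of the posted lines (embedded as a constructed sample) and cross-references them so that the DLL behind the redirect is reported once, with every entry that depends on it. The `Finding` class and the `triage` function are the example's own names.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {2B2AA4D2-59B8-4DCB-A69F-839E0AFEB04E} - C:\WINDOWS.002\SYSTEM\KCABGAA.DLL
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag the line came from, e.g. "R1" or "O2"
    target: str   # the file or value the entry points at
    reason: str   # why a reviewer would look at it


# "= res://C:\path\FILE.DLL/sp.html": capture the DLL path up to the first slash.
RES_URL = re.compile(r"=\s*res://(?P<dll>[^/\s]+)", re.IGNORECASE)
# "O2 - BHO: <name> - {CLSID} - <path>"
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.IGNORECASE)
# a path inside the Windows system folder (SYSTEM on 9x/ME, SYSTEM32 on NT)
SYSTEM_DIR = re.compile(r"\\SYSTEM(32)?\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Upper-cased file name of a Windows path, so comparisons ignore case and directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def triage(log_text: str) -> List[Finding]:
    """Return the log lines worth a second look, in log order, with the BHOs last."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings: List[Finding] = []
    res_dlls = set()  # DLLs that serve res:// pages; used to tie the O2 entries back

    # Pass 1: IE start/search settings (R0/R1) and the search-hook line (R3).
    for ln in lines:
        if ln.startswith(("R0 - ", "R1 - ")):
            m = RES_URL.search(ln)
            if m:
                res_dlls.add(basename(m.group("dll")))
                findings.append(Finding(ln[:2], m.group("dll"),
                                        "IE search/start setting served from a page inside a DLL"))
            elif ln.endswith("= about:blank"):
                findings.append(Finding(ln[:2], "about:blank",
                                        "start page reset to about:blank, the symptom reported"))
        elif ln.startswith("R3 - ") and "missing" in ln.lower():
            findings.append(Finding("R3", "URLSearchHook",
                                    "default URLSearchHook removed; the search settings were edited"))

    # Pass 2: browser helper objects, checked against the DLLs found in pass 1.
    for ln in lines:
        m = BHO_LINE.match(ln)
        if not m:
            continue
        path = m.group("path").strip()
        if basename(path) in res_dlls:
            findings.append(Finding("O2", path, "BHO is the same DLL that serves the res:// pages"))
        elif m.group("name").strip().lower() == "(no name)" and SYSTEM_DIR.search(path):
            findings.append(Finding("O2", path, "unnamed BHO loaded from the Windows system folder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<3} {f.reason}: {f.target}")
```

Run on the sample it reports four lines and stays quiet about the Acrobat helper, which is also unnamed but lives under Program Files and is not referenced by any `res://` entry; that is the distinction a reviewer draws by eye when reading these logs.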

Hi Jon, hello everyone
I'm not highly confident that this will take care of everything but let's give it a go anyway. It certainly won't hurt, too much anyway. :-)
Remove these items using hijackthis and then restart the computer.
Post back with a new log after doing such.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.002\SYSTEM\KCABGAA.DLL/sp.html (obfuscated)
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2B2AA4D2-59B8-4DCB-A69F-839E0AFEB04E} - C:\WINDOWS.002\SYSTEM\KCABGAA.DLL
Best Regards,
Mesich

Hi again: Here is the log after cleaning up. Note that so far, all remains status quo, with the 'about:blank' redirect still there, and I would imagine the log in Hijack This would look like the pre-cleaned state if I ran it again.
Running processes:
C:\WINDOWS.002\SYSTEM\KERNEL32.DLL
C:\WINDOWS.002\SYSTEM\MSGSRV32.exe
C:\WINDOWS.002\SYSTEM\mmtask.tsk
C:\WINDOWS.002\SYSTEM\MPREXE.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.exe
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.exe
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\CCPXYSVC.exe
C:\WINDOWS.002\SYSTEM\STIMON.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.exe
C:\WINDOWS.002\SYSTEM\MSTASK.exe
C:\WINDOWS.002\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS.002\EXPLORER.exe
C:\WINDOWS.002\TASKMON.exe
C:\WINDOWS.002\SYSTEM\SYSTRAY.exe
C:\WINDOWS.002\LOADQM.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.exe
C:\WINDOWS.002\SYSTEM\LVCOMS.exe
C:\WINDOWS.002\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.exe
C:\WINDOWS.002\SYSTEM\PSTORES.exe
C:\WINDOWS.002\SYSTEM\SPOOL32.exe
C:\WINDOWS.002\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.002\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.002\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS.002\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.exe
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS.002\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Personal Firewall\NISUM.exe
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS.002\SYSTEM\STIMON.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37881.4912268519
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://secure.equinoxfinancial.ca/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Any further ideas? Thanks!
Jon

That's what I just got as well mesich.
You gotta stand, cheer and admire Norton though :) 0_o

Hi Jon, hello everyone
Jon,
Your log is clean as it stands.
When is Internet Explorer being redirected to About Blank?
Best Regards,
Mesich

Hi Viking, Jon, hello everyone
I think I am lost as to what exactly the problem is, as the log is clean and shows no redirects. Might need a simpler explanation for my old, tiring mind. :-)
Best Regards,
Mesich

The problem began a few days ago. I've had the redirect before that makes my home page 'about:blank' several times, but each time the various tools cleaned it up, and it stayed cleaned up. This time, the payload of the infection seems tougher to get rid of. For instance, even if I clean at night before shutting down, the next morning, the redirect is back, along with the dirty log for hijack this. Adaware, spybot, cwshredder, and ht have always been able to remove the problem before. Each time, the file that infected the system had a different name. This one corresponds to a particular .dll in windows/system. Again, each time I reboot. the problem resurfaces. That is what is so frustrating about it. The system seems clean, but the problem persists!
Thanks again
Jon

Hello everyone,
Jon,
Pardon me for not being able to understand exactly what's going on; sometimes it's just not all so clear when communicating via the keyboard. :-) Are you having the problem right now, with the clean log?
Do a search on the computer for a file named sp.reg. Let us know if it exist.
I understand you have an Antivirus program installed but also recommend you perform an on-line scan here.
Is your Spybot up to date? It should be looking for 12,481 different parasites.
Best Regards,
Mesich

Hi again: The problem only is cured for the moment after fixing via hijack this. As soon as the computer reboots, or a browser is opened, it happens again. I did not locate the file 'sp.reg'. I have tried an online scan at Housecall, but I get an error...strange eh? My spybot may not be totally up to date, mind you. Any idea why I can't perform the online scan at Trendmicro? Also, I hope it's a bit clearer as to what is wrong. Again, as soon as I clean, the problem reappears with reboot or reopening a browser. Other, previous redirects did not do this.
Thanks!
Jon

Jon,
Try a different scan at Panda Active Scan. See what happens there. Housecall can sometimes not play ball, although it'd be interesting to hear what the error message was.

Hello everyone,
Viking,
Thanks for jumping in. I have some other ideas but would like to first get an on-line scan done, Panda sounds good to me. :-)
Jon,
Yes, I have done a refresh on the ol' memory and am good to go. :-)
Thanks for the assistance in helping clear out the cobwebs. :-)
Best Regards,
Mesich

I am performing the Panda scan now...thanks for the recommendation. I will post the results.
In the meantime, the error message at Housecall is a generic windows error, the one where it states would you like to send a report, and/or restart IE.
I am still baffled as to the redirect, but will keep plugging away and all further opinions are welcome!
Thanks
Jon

sorry it's taking so long with Panda...but 100K files takes a bit of time! Care to pass the time with your alternate thoughts as to what it could be? No infection yet, 50% done...
thanks!
Jon

See what the scan comes up with first and then a scan with a fully updated Spybot S&D and AdAware.
It could well be a (new) CWS variant. I'd also do a search for files and folders and search for KCABGAA.DLL, then I'd right click it and open it with Notepad or a hex editor and see if there is any recognisable English in it, no matter how small. You're looking for clues.
You already have full, real time, virus scanning protection on. But that's just me.

Hi Viking: I am not sure how to do the notepad thingie you mentioned...all I know is this is the most tenacious hijack I've ever had. The Panda Active Scan is making progress, and does indicate 2 infections...do I get a report after the scan is done? I am surprised my Norton which is updated innumerable times daily didn't catch anything?
I've played cat and mouse with this issue for a couple days, and it's frustrating to see the cleansed issues reappear.
I'll post when the scan is done, thanks again.
Jon

Yep, Panda asks you if you want to auto disinfect somewhere along the line. Before you do, write all the details of the infections down; that's important, so you can double check the virus/trojan details and see if any additional reg editing is needed.
See what the disinfection gives you before trying opening that dll in notepad. Sort that out after if it's needed.

Hi Viking (and Mesich if you are still around)...I hope one of you will be around for a bit, I know this issue can be resolved, but it will take the proper steps. I can't believe, though, that constant and repeated Adaware, CWshredder, Spybot, Hijack this and Registry First Aid scans and fixes have done little to improve the matter. The dirty logs in Hijack this all correspond to that pesky .dll in Windows system folder (KCABGAA.DLL), which claims Browser Helper Objects and more...I can't manually delete it though...as Windows is using it?
Hmmm...

Hi Jon, Viking, hello everyone
I'm still around and will be. :-)
What was the final results of the Panda scan?
Best Regards,
Mesich

Hi Mesich: Panda scan is about 75% done, with 2 alleged infections so far, albeit ones that Norton with updated definitions didn't seem to find (???what's up with that?). I am patiently waiting for the results, and as per Viking's advice, will be writing them down prior to disinfecting. I wonder if the .dll in the Windows folder is itself a virus? But why would Norton not find it? And we still want to know why the redirects after cleansing the system.
Hold tight, I'll post when it's done.
Jon

Hello Jon, mesich, viking,
Might find this, a interesting read. As the others, on that page.
Good Luck,

Argh...this web page finally froze, and thusly shutting down also killed the Panda Scan, but I am rescanning, and it seems to be moving at a better speed this time (rescan?)...thusly I am needing to be patient again, and I'm hoping one of you can stay along for the ride. Again, upwards of 80% scanned, two alleged infections, identity pending!
Thanks again for all the help, but I ain't done yet!
Jon

I've read the Merijn.org page before. I have located the .dll file in the system folder, but so far I've been unable to delete it because Windows is using it, apparently. I hope that after the scan, and the cleanse, I can get rid of this sucker.
Jon
p.s. hope this is still a matter of interest for you helpful souls!

Hello everyone,
Jon,
I'm still around, not going anywhere for a while. :-)
Let us know how it comes out.
CrazyOne,
Very nice link. The information provided shall be very useful in the near future if not the present. :-)
Always good to hear from you, hope everything is well with you and yours.
Best Regards,
Mesich

Hello everyone,
Jon,
Let's wait for the results of the scanner.
I'm not one to give up, nor is Viking, or CrazyOne. :-)
Best Regards,
Mesich

Jon, I think about:blank can be removed in ME by downloading and updating Ad-aware 6.0, then configuring these settings:
Make sure the following settings are made and on -------"ON=GREEN"
From the main window: click "Start", then "Activate in-depth scan". Click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files".
Go to Settings (the gear on top of AdAware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning" and "Let windows remove files in use at next reboot". Click "Proceed" to save your settings.
Run a HT scan and remove the new about blank items.
Reboot the computer to safe mode and run AD-aware(From safe mode).
When the scan is finished, mark everything for removal and get rid of it, including quarantined items. Restart the computer in normal mode.

Thanks, I have printed that off and will digest it...I haven't used safe mode for over a year (how do I access it again? F8 at boot?)
I will attempt that fix, but shall I first let the Panda Scan finish? It is about 65% there...
2 alleged infections, unknown at this time, found.
Thanks for hanging around, all.

Just concentrate on what you're doing and what you've got so far, Jon. You have enough on your plate at the moment, so don't start getting distracted :) ..leave the AdAware settings and details till you need them ...later.
Let the scan finish and leave the results here, someone will be around to go through it. If not leave it over night and I'll check back in tomorrow morning.

If you think deleting that DLL in the WINDOWS.002 folder will help or solve your problem, then make a Windows ME Startup boot diskette (Control Panel, Add/Remove Programs, Startup Disk tab). Use it to boot your system to the DOS A: prompt. Then CD to the WINDOWS.002 directory, locate the DLL and DEL the file using DOS commands.
However, something is loading that DLL and you need to find out what is doing it.
Some of your comments and problems make me suspect that the WININIT.exe file in the Windows.002 folder is missing or corrupted. Make sure a clean copy of WININIT.exe with the 06-08-00 date is there (it is what drives the deleting of active system files when you reboot). After booting but before running any cleaning programs, look and see if there is a copy of the WININIT.INI file in the Windows.002 folder. If there is, then delete the WININIT.INI and WININIT.BAK files (not WININIT.EXE), and then reboot. If necessary, extract a clean copy of WININIT.exe from the system CAB files.
(The next time you reinstall Windows ME over the top of itself, be sure to set the install folder back to C:\WINDOWS so that you are using the default folder name instead of WINDOWS.002 or WINDOWS.003. Then you can delete the extra copy of the Windows system folder.)
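JackG's point is that on Windows 9x/ME the file replacement and deletion that cleaning tools queue "for next reboot" is carried out by WININIT.EXE reading a `[rename]` section in WININIT.INI, where each line is `destination=source` and a destination of `NUL` means "delete the source". A WININIT.INI that is already present before you clean therefore tells you what the next boot is going to do to the system folder. The script below is an editor's added example, not something from this thread or from any Microsoft tool: it parses a constructed WININIT.INI, separates deletions from renames, and flags any rename that would put a file into the Windows system folder, which is what a reviewer wants to see before deciding, as JackG advises, whether to remove the file and reboot. The `parse_rename_section` and `summarize` names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a Windows 9x/ME WININIT.INI. Only the [rename] section
# matters; each line is destination=source, and a destination of NUL deletes.
SAMPLE_WININIT = r"""
[rename]
NUL=C:\WINDOWS.002\SYSTEM\KCABGAA.DLL
NUL=C:\WINDOWS.002\TEMP\~DF1234.TMP
C:\WINDOWS.002\SYSTEM\NEWHOOK.DLL=C:\WINDOWS.002\TEMP\~TMP0001.TMP

[other]
ignored=1
"""

SYSTEM_DIR = re.compile(r"\\SYSTEM(32)?\\", re.IGNORECASE)


def parse_rename_section(ini_text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section, in file order.

    Hand-parsed rather than via configparser: the section repeats the key NUL
    many times and the keys are case-sensitive Windows paths, both of which
    configparser would silently merge or lower-case.
    """
    pairs: List[Tuple[str, str]] = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def summarize(ini_text: str) -> Dict[str, List[str]]:
    """Classify the queued operations so a reviewer can see what the next boot does."""
    report: Dict[str, List[str]] = {"delete": [], "rename": [], "plant_in_system": []}
    for dest, src in parse_rename_section(ini_text):
        if dest.upper() == "NUL":
            report["delete"].append(src)
        else:
            report["rename"].append(f"{src} -> {dest}")
            # A file arriving in the system folder from a temp location is the
            # pattern that makes a "cleaned" machine come back infected.
            if SYSTEM_DIR.search(dest):
                report["plant_in_system"].append(dest)
    return report


if __name__ == "__main__":
    for kind, items in summarize(SAMPLE_WININIT).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The presence of a queued deletion for the suspect DLL is what a successful cleanup looks like; a queued rename into `\SYSTEM\` from a temp file is the opposite and is worth recording before the file is deleted and the machine rebooted.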

Well, here it is morning (where I am), and the scan is still going (!)...up to 126K files now, still the 2 alleged infections, i.d. still unknown. I am anxious to find out what the infections were. I am also going to check into the file as per Jack's advice above. If any of yesterday's altruistic individuals are still kicking around for the finale of the show, I'd as always appreciate the added ideas!
I'll keep you posted.
Thanks as always
Jon

Scan results are in, and I hope nobody is disappointed! Seems that Panda would not cleanse the two files, and they are in fact in my Hijack This backups...specifically it claims the files are 'Trojan, Startpage DI', and their location is, again, in my JT backup files. However, it did not indicate that the .dll in my Windows/System folder, recall, 'kcabgaa.dll' was a problem, although that is the .dll cited in Hijack This as being the cause of all the problems, and which I can erase thru HT but then reloads each boot or browser opening. Recall, I also could not delete that .dll manually in the folder.
Any further ideas? Will getting rid of the two HT backup files manually remove the alleged infections indicated in Panda?
Thanks!
Jon

Here's a quick plan ...man. May's well be thorough (ish)
1) Finish your scan, jot the details down, disinfect whatever it is that's there, post the names of the infections.
2) Run fully updated versions of adaware and spybot, using the setup details you got for adaware. Clean whatever is there.
Also use the latest CWS shredder.
3) Go find KCABGAA.DLL and put your cursor over it and right click it, In the menu, select "open" or "open with" and choose Notepad -- but making sure that the little check box at the bottom, that says "always open with this" (paraphrase) does NOT have a check in it.
(If it won't let you open it try doing it in safe mode.)
When Notepad is open look through it all and look for any English words, or vague sentences in English. If you find some, post them at the same time as the virus/trojan details. Close Notepad.
4) Now follow JackG's post.
Right, where does that now leave you ?

You posted before me. The rest still applies, at least you know you aren't infected with something else.

As per Jack's post, I have the following in Windows.002:
WININIT.BAK has a date of 08-06-2004
WININIT.EXE has a date of 08-06-2000 (coincidence or what)
WININIT.SAV has a date of 19-11-2003
wininitlog.old has a date of 08-06-2004.
Now, I'm proficient enough for the macro stuff, but I don't know how to extract from system CAB files, nor am I confident in deleting those files with the recent date! I am now going to do some other scanning, as advised above, but feel just as 'quagmired' as before!
Thanks
Jon

As an added interest piece, if you look above at the 'English' headings in the Notepad results, I believe the English headings are the ones you find on the about:blank search page.
I wish I could delete that file!

Hi Mesich: As I have not needed to access via safe mode for over a year, please give indication of how I do that? Is it toggle F8 at startup? Did the guts of the .dll file above lead you to this conclusion? Thanks as always, I look forward to further advice. I have also run an updated version of Spybot (1.3 vs. 1.1), and this got rid of some other matters, but not the pesky one we are dealing with.
Thanks
Jon

yep, F8 usually does the trick. After you've attempted to delete it in safe mode. Run CWShredder v1.59.0 -- http://209.133.47.12/~merijn/files/CWShredder.exe (download page link)
The dll info has gone, I meant for you to take the code out and leave the bulk of English. No worries though. We knew it shouldn't be there anyway. The crap that was inside it just confirmed it.

Hi Viking...very odd...in safe mode, the suspect .dll was gone...now back in regular mode, and searching in Windows/System, the .dll is still gone. I have no idea what scrubbed it, maybe the 1.3 Spybot?
You know the totally bizarre thing about that .dll? All the other hijacks I had, which were similar, could be cleaned INCLUDING the suspect .dll file, with an Adaware scan. This one, however, didn't allow for it, and in fact, an Adaware scan did NOT show it as being something to remove, although as you now know, the Hijack This scan was screaming it out to us.
So...can I assume it is remedied (for now?) My home page is my home page again, FYI.
Thanks for all the time, info, help, advice, etc etc...Each time I get screwed by some corruption, it adds to my knowledge base too!
Thanks people...I'll post again in a new thread if the problem seems to persist.
Jon
