
unstoppable spyware/virus - please help

Status
Not open for further replies.

rlaeromech

IS-IT--Management
Feb 3, 2004
15
US
I seem to have a spyware or a virus that nothing can fix. It changes my homepage to "about:blank" and that is a search page with no name. It also sends pop-ups that tell me I have spyware installed and to click the ad to get software to remove it. The pop-ups break through my adsgone software. I have run ad-aware, hijack this, cwshredder and spybot. Hijack this finds the R1 and R0's and I delete them as well as a BHO which shows a *.dll file in my winnt/system32 folder. I have tried to delete the dll file, but it won't let me because the file is in use. So I changed the name of the file and then deleted it. But then it reproduces itself under a different *.dll name and does the same thing. I am running an online virus scan again at trendmicro, but I have done this before as well. Ad-aware finds some objects as well as some files and they have been deleted. But somewhere I have a virus I think that is running in the background and I can't find it. Anyone help?!!!
 
Every time it was detected as a different .dll file. I think it is random.

AVG from Grisoft detected it, but could not repair nor quarantine it.
 
Another approach from a different site. Don't know if it will work any better.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
what is the other approach, what do you mean diag..
 
Excellent Diogenes10. Thanks much. That's a pretty valuable page of information.

That hi-jacking is particularly nasty.
 
Diogenes, thanks for that link, I tried it and it found the host file that is causing the problem, but when I rebooted and it tried to unlock the file, it couldn't, it tried like 3 times, finally said it had to restore the original file and I am now back to where I began.
 
Re jun 8 post not finding file,

Is the system set to show hidden files?


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Jun 9 post immediately above

If you can get the dll identified with the dllfix program
would moveonboot (missleman my June 1 post) or killbox then get rid of it?



-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
possibly, where can I get them, the file name is winelbj.dll. I am going to search it on google and see what I get.
 
Killbox download is involved in the fixes described on page 3 of bcastner's second link above and the third (Jun 1) link I gave you above.

moveonboot is referenced towards the bottom of the first link I gave you on June 1 above.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
.... and the winner is... Diogenes10. I think that copylock finally killed it. I used that and the program said it was successful, I then ran Hijack this, CWshredder and adaware to make sure, I used reglite to see if the winelbj.dll showed up in the registry and it wasn't there anymore. I also rebooted to see if it would come back and reglite didn't show it in there like in the past. So what to do...
1. Follow bcastner's link
2. Stop at direction number 4 and note the name and the path of the source file. Mine was winelbj.dll, yours may be the same or may be different.
3. Use Diogenes link to get copylock
4. Use copylock to unlock this file. This is where the dll fix failed.
5. That should take care of it. Check in reglite to see if it still shows up, if it does, you may have to delete it but it should be deletable this time.
6. Run all scans you have to double check, reboot and check reglite one more time to make sure.

I will add to this thread if it comes back again

Thanks again to Diogenes10 and Bcastner for their help!!!
 
I have tried everything in everyone's post short of reinstalling XP to remove the about blank trojan. Will doing a reinstall of IE repair the registry key affected? Here is my problem that when I try to delete the dll affected, I cannot see it in cmd prompt. All other dlls are there but not the one in reglite. Any help greatly appreciated.
 
Have not tried copylock. Will try this first. Must have overlooked the last post. Bill and Diogenes thanks as always, you da man. Let you guys know tomorrow.
 