Jump to content


Photo

about: blank constant reset of homepage


  • Please log in to reply
6 replies to this topic

#1 plaing

plaing

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 01 July 2004 - 09:31 PM

Greetings All:
I have run Adaware, spy sweeper and Spybot S&D and AVG. Visiting www.rumormillnews.com seems to set this off even more.

Spy sweeper notifies me all the time that my homepage has been reset but about:blank often appears as a pop-up.

thank you for your help. My hijack this log is below:

Logfile of HijackThis v1.97.7
Scan saved at 7:25:03 PM, on 7/1/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SYMANTEC\ACT\SIDEACT.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL
O2 - BHO: (no name) - {4520A881-C004-11D8-B5A3-4445662203F5} - C:\WINDOWS\SYSTEM\AOK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\shockwave\swinit.exe
O4 - Startup: SideACT!.lnk = C:\Program Files\Symantec\ACT\SideACT.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.micro...en/nsmp2inf.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7996.0299537037

#2 The Fist

The Fist

    Member

  • Full Member
  • Pip
  • 50 posts

Posted 02 July 2004 - 08:21 AM

I suggest using BobO's fix posted HERE. Post back if it works or if you are having problems.

#3 plaing

plaing

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 03 July 2004 - 02:04 PM

Thank you Fist:

I had problems with the fix. I got as far as Step 5 in BobO's procedure. When I checked in System Hooks there were "no items to display in this catagory". It appears that I can not continue until I find out what or where I can find the offending file(s).

I also am not that computer saavy so I don't know about how to Command Safe Prompt Mode or reboot in Windows Safe Mode.

How should I proceed?

thank you to any one that can tell me what to do from here

Plaing

#4 The Fist

The Fist

    Member

  • Full Member
  • Pip
  • 50 posts

Posted 03 July 2004 - 08:29 PM

plaing:

Try Rubber Ducky's fix - about:buster HERE. Post the about:buster log and a new hijack this log.

If that doesn't work your best option is to go into MSDOS mode (in windows ME it can be found in Start -> Programs -> Accessories -> MSDOS Prompt). That may work in '98 or you can try Start -> Run and type "cmd" (without the quotes).

From the MSDos prompt, type "cd c:\windows\system" (no quotes) and then type "dir *.dll |more" (no quotes). Note that there is a space between dir and * and a space between .dll and |. Also note that the | key is [shift]\ (e.g. hit the shift key and the \ key). Using the space bar to scroll through the list of files, look for a file that is dated recently (e.g. June 2004) and is 57,334 bytes. That will be your file. If you find the file, post back the name, size and date of the file and I will walk you through the process of deleting it.

Good Luck.

#5 plaing

plaing

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 04 July 2004 - 02:11 AM

Dear Fist:
I downloaded the About: Buster fix and ran the scan. The box that appeared in the white box said: "Run-time error '53' File not found".

The Hijack This log is:

Logfile of HijackThis v1.97.7
Scan saved at 12:06:18 AM, on 7/3/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SYMANTEC\ACT\SIDEACT.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\HIJACKTHIS FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL
O2 - BHO: (no name) - {4520A881-C004-11D8-B5A3-4445662203F5} - C:\WINDOWS\SYSTEM\AOK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\shockwave\swinit.exe
O4 - Startup: SideACT!.lnk = C:\Program Files\Symantec\ACT\SideACT.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.micro...en/nsmp2inf.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7996.0299537037

Fist, I hope I did this right so far. Thank you for your help

plaing

#6 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 04 July 2004 - 01:19 PM

=== Find Name of Hidden dll ===
Download: "StartDreck", from here:
http://members.black.../startdreck.htm
http://www.niksoft.a.../startdreck.htm

Unzip to its own folder and start the program,

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Post the log in this thread.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#7 plaing

plaing

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 07 July 2004 - 01:59 AM

thank you Lo Phat:
Here is the log for StartDreck.log. How should I proceed now?

Plaing



StartDreck (build 2.1.5 public BETA) - 2004-07-06 @ 23:49:06
Platform: Windows 98 (Win 4.10.1998 )

舞egistry
舞un Keys
翟urrent User
舞un
*SpySweeper=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
*SpywareGuard=C:\WINDOWS\SYSTEM32\WINPROC32.EXE
舞unOnce
聞efault User
舞un
*SpySweeper=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
*SpywareGuard=C:\WINDOWS\SYSTEM32\WINPROC32.EXE
舞unOnce
腿ocal Machine
舞un
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task=C:\WINDOWS\SYSTEM\QTTASK.EXE
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*AVG_CC=C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
舞unOnce
舞unServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Avgserv9.exe=C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
舞unServicesOnce
舞unOnceEx
舞unServicesOnceEx
肇iles
艋ystem/Drivers
舞unning Processes
*FFCF2FD9=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFDB41=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFECF1=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFFF9DD=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFE414D=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFE54C9=C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
*FFFE7EDD=C:\WINDOWS\EXPLORER.EXE
*FFFD217D=C:\WINDOWS\TASKMON.EXE
*FFFD3169=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFD9791=C:\WINDOWS\SYSTEM\QTTASK.EXE
*FFFDADC5=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
*FFFDBC21=C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
*FFFC5E71=C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
*FFFC1415=C:\PROGRAM FILES\SYMANTEC\ACT\SIDEACT.EXE
*FFFC036D=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
*FFFCD219=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFFB7829=C:\PROGRAM FILES\GRISOFT\AVG6\AVGW.EXE
*FFFB7DF1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFFBB4ED=C:\WINDOWS\SYSTEM\RNAAPP.EXE
*FFFEBEF9=C:\WINDOWS\SYSTEM\TAPISRV.EXE
*FFFBD0A5=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFFBA565=C:\WINDOWS\SYSTEM\PSTORES.EXE
*FFFABB9D=C:\UNZIPPED\STARTDRECK[1]\STARTDRECK.EXE
翠pplication specific




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button