Jump to content


Photo

About:Blank woes


  • Please log in to reply
3 replies to this topic

#1 crypt

crypt

    Member

  • New Member
  • Pip
  • 2 posts

Posted 07 July 2004 - 09:38 AM

Hello all, this site seems like a great place for information regarding the problem I am having.

I have a problem where Internet Explorer 6's homepage keep's getting hijacked.
I have followed the tutorials on setting up AdAware correctly and spybot.

I have finished scans with both software, removed a large amount of spy/malware but my browser keeps getting Hi-Jacked. I did get an error with Spybot, I will post the log below.

Any help would be appreciated as I have am at my wits end figuring this out.


Here are logs from Spybot and HiJackThis:


Logfile of HijackThis v1.97.7
Scan saved at 10:16:49 AM, on 07/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
c:\PROGRA~1\RIMSEC~1\RIMCLI~1\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\system32\NCDClientServices\Rsmp.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ThinkPad\Utilities\tponscr.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\system32\qoaxtavt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\mrtMngr.EXE
C:\WINNT\system32\NDrv.exe
C:\Program Files\Open Text\Livelink Explorer\LLSynch3.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Malware Parasyte removal tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by RIM SQA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.rim.net/"); (C:\Program Files\Netscape\Users\namedelete\prefs.js)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINNT\system32\NDrv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O2 - BHO: (no name) - {F757FBBF-10E5-4DDA-BBEA-2357E54BEA2B} - C:\Program Files\Open Text\Livelink Explorer\LLBHO3.DLL
O2 - BHO: (no name) - {FCECC495-BF38-474F-98CB-12BAB76A9A8C} - C:\WINNT\system32\fblk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nrtfby] C:\WINNT\system32\qoaxtavt.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NDrv] C:\WINNT\system32\NDrv.exe
O4 - HKCU\..\Run: [Puam] C:\Documents and Settings\namedeleted\Application Data\mdoa.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Livelink Explorer Synchronizer.lnk = C:\Program Files\Open Text\Livelink Explorer\LLSynch3.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {01516EAA-CC39-4477-9500-87CB12F72AFD} (Livelink Explorer Activator) - http://insiderim/Liv...exp/llexpld.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://insiderim/Liv...ppro/isetup.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7873.3626388889
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://wgt07ykf/view...tivexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sqa.rim.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sqa.rim.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sqa.rim.net

----------------------------------------------------------------------------------------------

Here is the spybot log:

Error during check!: Xabot (Ungültiger Datentyp für '') ()


DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2116825684-2010480077-1094980219-12100\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-118386988-638988448-1982858414-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-06-16 Includes\Cookies.sbi
2004-06-16 Includes\Dialer.sbi
2004-06-17 Includes\Hijackers.sbi
2004-06-16 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-06-16 Includes\Malware.sbi
2004-06-16 Includes\Revision.sbi
2004-06-16 Includes\Security.sbi
2004-06-16 Includes\Spybots.sbi
2004-06-16 Includes\Tracks.uti
2004-06-16 Includes\Trojans.sbi


Thankyou in advance for any help on this.

#2 snorts

snorts

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 07 July 2004 - 01:24 PM

Hi there crypt this is snorts here.

First of all I must say I`am a complete computer novice however I have had the same problem as you for several weeks. Normally would not post on a forum due to my inexperience however I was advised this solution worked on another forum at http://forums.tomcoyote.com/index

The solution however is held at http:\\www.akadia.com/services/about_blank_virus.html

IT HAS WORKED FOR ME AND OTHERS CHECK IT OUT AND SEE. Once again I am a computer novice but I have been so annoyed with this virus I feel I have to help others.

Yours Snorts

#3 crypt

crypt

    Member

  • New Member
  • Pip
  • 2 posts

Posted 07 July 2004 - 04:00 PM

Thanks Snorts, I will check that out tomorrow, I'll update you if it works for me.

Thanks again!

#4 snorts

snorts

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 08 July 2004 - 10:40 AM

No problems mate hope it works. Instructions are not that great give me a shiut if you have any probs.

Snorts

ps will be away from my computer till about the 15th july so if you need help let me know in the next 12 hours.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button