Jump to content


Photo

please help about:blank


  • This topic is locked This topic is locked
9 replies to this topic

#1 tiger

tiger

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 14 July 2004 - 11:02 AM

Hello,

Can someone please help me with the removal of about:blank

THANX !!!

Here is my Hijack This report

Logfile of HijackThis v1.98.0
Scan saved at 18:14:56, on 14-7-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.237.53.4 my.search
O2 - BHO: (no name) - {38C01EC1-D0E6-11D8-B1BB-005002BDE486} - C:\WINDOWS\SYSTEM\GBBGIAA.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O12 - Plugin for .mov: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall...call/xscan4.cab
O18 - Filter: text/html - {B72B0F50-D326-11D8-B1BB-0050C80C4623} - C:\WINDOWS\SYSTEM\GBBGIAA.DLL
O18 - Filter: text/plain - {B72B0F50-D326-11D8-B1BB-0050C80C4623} - C:\WINDOWS\SYSTEM\GBBGIAA.DLL
O19 - User stylesheet: (file missing)

#2 tiger

tiger

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 17 July 2004 - 02:28 AM

Nobody?

It has been 4 days since my post but no answers. :whistle:


Can please someone help me?
My computer is still messed up :techsupport: and i don't want to do some more damage before you experts have givven me advise .

THNX ! :wave:

Edited by tiger, 17 July 2004 - 02:29 AM.


#3 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 17 July 2004 - 03:55 AM

Download StartDreck from here. Unzip to its own folder and start the program:

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes

Press 'Ok'. Press 'Save' and select the location to save the log file (default is the same folder as the application). Post the log in this thread.
Posted Image

#4 tiger

tiger

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 17 July 2004 - 08:34 AM

Hi daemon,

Thanks for your reaction and thanks for your help. :thumbsup:
Here is the logfile created as you asked it:

Greetz,

Tiger



StartDreck (build 2.1.5 public BETA) - 2004-07-17 @ 15:48:27
Platform: Windows 98 SE (Win 4.10.2222 A)

舞egistry
舞un Keys
翟urrent User
舞un
舞unOnce
聞efault User
舞un
舞unOnce
腿ocal Machine
舞un
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Disc Detector=C:\Program Files\Creative\ShareDLL\CtNotify.exe
*AHQInit=C:\Program Files\Creative\SBLive\Program\AHQInit.exe
*AudioHQ=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
*InCD=C:\Program Files\ahead\InCD\InCD.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*CriticalUpdate=C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
*WinampAgent=C:\Program Files\Winamp\winampa.exe
*devldr16.exe=C:\WINDOWS\SYSTEM\devldr16.exe
舞unOnce
舞unServices
*TrueVector=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
*SchedulingAgent=mstask.exe
舞unServicesOnce
舞unOnceEx
舞unServicesOnceEx
肇iles
艋ystem/Drivers
舞unning Processes
*FFCF5B6F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF9B17=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF932F=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFFF85DF=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE1E5F=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
*FFFE3793=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFE9167=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFEF293=C:\WINDOWS\SYSTEM\DEVLDR16.EXE
*FFFD3AD3=C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
*FFFD5FAF=C:\WINDOWS\EXPLORER.EXE
*FFFDCDCF=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFC102F=C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
*FFFC526F=C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
*FFFC7383=C:\WINDOWS\SYSTEM\STIMON.EXE
*FFFCABE3=C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
*FFFCA0D3=C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
*FFFCFDEF=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
*FFFB4087=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFFC3F3F=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFFA5643=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
翠pplication specific

#5 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 17 July 2004 - 01:33 PM

No evidence of a hidden file. Please do this.

Could you click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1 Reboot when done.

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done.

Create a new folder called C:\HijackThis, move the HijackThis.exe file into the new folder and run it from there. This is necessary to ensure you have backups should anything go wrong.

Rescan with HJT and post a new log here for a final check over.
Posted Image

#6 tiger

tiger

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 17 July 2004 - 01:45 PM

Hi Daemon,

Thanx for your reply.

However i cannot acces the pc yet (it's on my daughters room and she is asleep)
i will try tomorrow.

if it is any help for you:
earlier i runned ad-adware + spybot + x-block.
they all find spyware and can remove it..... but after reboot about:blank again.

As i said i will try again tomorrow and follow your advise.

THANX AGAIN!

Greetz,

Tiger :wave:

#7 tiger

tiger

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 18 July 2004 - 08:01 AM

Hi daemon,

I have done everything you asked and here is the Hijack This log
Thanks again for your time and trouble

Greetz,

Tiger. :wave:

Logfile of HijackThis v1.98.0
Scan saved at 15:14:51, on 18-7-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O12 - Plugin for .mov: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall...call/xscan4.cab
O19 - User stylesheet: (file missing)

Edited by tiger, 18 July 2004 - 08:01 AM.


#8 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 18 July 2004 - 11:13 AM

Looks better. With only HJT running, have it fix:

O19 - User stylesheet: (file missing)

Reboot and you should be good to go. How is it running now?
Posted Image

#9 tiger

tiger

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 18 July 2004 - 11:21 AM

Hi Daemon,

:bounce: looks very good !! :bounce:

Everything seems to be normal again !
IE started up with the msn homepage instead of abut:blank.

THANK YOU SO MUCH !!

great to have guys (or girls) like you to help us with those #####!

Thanx again!

Greetz,

Tiger :wave:

#10 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 18 July 2004 - 11:38 AM

You're welcome - glad to help :D

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button