about:Blank Hijack


6 replies to this topic

#1 Dsanders

Dsanders

    Member

  • New Member
  • 4 posts

Posted 28 July 2004 - 10:55 AM

Hi,

Thank you in advance for any help you can offer and for taking the time to look at my problem. Internet Explorer keeps going to an about:Blank start page that loads a search page and a pop-up. I've gone to the pop-up to see what it linked to, and it links to the Cool Web Search page. I've looked around on the forums searching for help that could solve this. I've downloaded HijackThis, Cool Web Shredder, About:Buster, and Ad-aware. I've made sure everything was updated. I ran everything through safe mode, then restarted my computer. Everything appears to be gone until about the 4th or 5th time I start IE; then I'm redirected to the about:Blank search page with the pop-ups that tell me I have spyware on my computer. (One of the pop-ups I actually find funny; it has some bugs having sex on it. Entertaining, but annoying when it pops up every time I visit a new page.) I don't know how I keep getting reinfected or if I'm not removing everything. I'm also running AOL Instant Messenger, which also seems to bring up the pop-ups. I've included the log file of HijackThis. Any help would be most appreciated.

thank you,
Dj


Logfile of HijackThis v1.97.7
Scan saved at 11:44:47 AM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Microsoft Money\System\mnyschdl.exe
C:\Program Files\Microsoft Money\System\misuser.exe
C:\Program Files\Microsoft Money\System\mis.exe
C:\WINDOWS\cw shredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dj\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Dj\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dj\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dj\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Dj\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dj\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {D942671A-BE04-4666-B6B7-9709284CEDE9} - C:\WINDOWS\System32\jnom.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
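
Added example (not part of the original thread and not HijackThis's own logic): a small Python triage pass over HijackThis-style log lines, using a few lines from the log above as sample input. The two heuristics it applies (IE search settings whose data is a file:// URL, and BHOs listed as "(no name)") are assumptions chosen to match what this log shows, not a complete rule set.

```python
import re

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Dj\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {D942671A-BE04-4666-B6B7-9709284CEDE9} - C:\WINDOWS\System32\jnom.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
"""

# "<section code> - <body>", e.g. "R1 - ..." or "O16 - ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# R-section body: "<registry key>,<value name> = <data>"
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>.+?) = (?P<data>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <dll path>"
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            v = REG_VALUE.match(body)
            # Assumed heuristic: an IE start/search setting should not be a local file.
            if v and v.group("data").lower().startswith("file://"):
                reason = "IE setting points at a local file"
                if "\\temp\\" in v.group("data").lower():
                    reason += " in a Temp directory"
                findings.append((code, reason, v.group("name")))
        elif code == "O2":
            b = BHO.match(body)
            # Assumed heuristic: a BHO with no registered name deserves a manual look.
            if b and b.group("name") == "(no name)":
                findings.append((code, "unnamed BHO", b.group("path")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
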

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • 4,412 posts

Posted 28 July 2004 - 12:35 PM

Hi. Please download and install the program Registrar Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double-click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the line below into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section, the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.

#3 Dsanders


Posted 28 July 2004 - 04:52 PM

OK, here's the value.

C:\WINDOWS\System32\sqlpml.dll

#4 mmxx66


Posted 28 July 2004 - 05:12 PM

Please follow these steps:

Step 1:
Go to Folder Options > View

Scroll to the bottom of the list to find the box labeled:
Use Simple File Sharing (Recommended)
Remove the check from that box and press OK.

Step 2:

Download CWShredder from this link:
http://www.spywarein.../CWShredder.exe

Save that file somewhere as we will use it later.

Step 3:

Download this file and then immediately sign off the
internet and stay off until all steps are finished.


The file to download is here:

http://computercops....ownload&id=1183

Extract the batch file (hiving.bat) and run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box.

After a reboot the super hidden nasty file will no longer be loaded and will be visible. This will end the constant reinstall of about:Blank.

Step 4:

Restart the Computer.

Find this file:
c:\windows\system32\sqlpml.dll

Use the security tab on sqlpml.dll and take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.

Example:
sqlpml.dll>bleh.txt
bleh.txt > badfile.111

Please zip that file and store it somewhere as I would like you to email it to me.

Now delete the original file.

Step 5:

Extract and Run CWShredder immediately.
Press the fix button to clean.

Restart and run HijackThis again.
Post your new log here in your next reply.

#5 Dsanders


Posted 28 July 2004 - 07:14 PM

Step 1: Failed.

There was no option to uncheck that said Use Simple File Sharing (Recommended).

Step 2: Failed.

The link brought up an error that said it couldn't find the server. I have, however, downloaded CWShredder from some other location.

Step 3: Completed

Downloaded, extracted, and saved. It ran through to completion.

Step 4: Failed.

Found the file but was unable to find the security tab. Tried unchecking read-only but was given an access denied error.

#6 mmxx66


Posted 28 July 2004 - 07:33 PM

You have XP Home?

#7 Dsanders


Posted 28 July 2004 - 07:38 PM

Correct.

I might not know where to look.

For Use Simple File Sharing, I went into My Computer and went under the Tools menu option.

On step 4, I right-clicked the file, then Properties. It only gave me a General tab.

Thanks again for the help.



