Jump to content


Photo

About:Blank removal


  • Please log in to reply
6 replies to this topic

#1 KDHILL

KDHILL

    Member

  • New Member
  • Pip
  • 1 posts

Posted 28 May 2004 - 06:42 AM

I have tried removing a Website called About:blank from myhomepage but none of the spyware I have installed will find it. I've gone numerous registry cleans and just about anything we can think of but it keeps coming back. I have used Spybot and Spysweeper.... I set my homepage in IE to www.msn.com and the next time I open IE it goes to About:Blank.... Help Please...

#2 quirkasaurus

quirkasaurus

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 28 May 2004 - 01:52 PM

check if the malicious installation isn't resident in your c:\boot.cfg file.

If you look closely at your "about blank" home page, in IE->tools->options,
click on the window, and highlight the whole window, click HOME.

You should see, a big long URL.

Grab the info from that URL and search based on that string at google
or here.

#3 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 28 May 2004 - 08:25 PM

Hi KDHILL,

You have a nasty parasite call CoolWebSearch. It requires special removal.

First, download hijackthis from here:
http://www.spywarein.../HijackThis.exe

Click Scan, then click save log. Post the contents of your log back into this thread.

Then go here and download this self extracting file:
http://tools.zerosrealm.com/dllfix.exe

Save it to your desktop, double click dllfix.exe and follow the prompts.

Go to the newly created dllfix folder on your desktop and double click start.bat and choose option #1. This will scan your computer for the 'bad' file. Notepad will open with a report in it.

Copy the contents of the report back into this thread, along with the hijackthis log.

Edited by OSC, 28 May 2004 - 08:31 PM.


#4 ericb

ericb

    Member

  • New Member
  • Pip
  • 1 posts

Posted 21 June 2004 - 08:11 PM

I am having trouble with the about blank page
this is the hijack files found, I was told to post these here as you might be able to sort this problem out and tell me what needs to be deleted out of the registry
Thanks in advance


Logfile of HijackThis v1.97.7
Scan saved at 9:02:10 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Eric Burton\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jbfabcn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jbfabcn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jbfabcn.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jbfabcn.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jbfabcn.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jbfabcn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...ie.aspx?tb_id=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: (no name) - {8647CC27-7435-4295-987F-C66DDD8B578B} - C:\WINDOWS\System32\jbfabcn.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WorkFlo] E:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsy...l/T_40/QDow.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownload...m/installer.dll
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} (EZListings) - http://www.therealye...ve/ezlistng.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/UCSearch.CAB

#5 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 22 June 2004 - 02:20 PM

Hi ericb,

Please start a new topic. Posting your log in someone else's thread creates mass confusion for all involved. Thanks for your understanding. :)

http://www.spywarein...p?showtopic=227

#6 rwf001

rwf001

    Member

  • New Member
  • Pip
  • 1 posts

Posted 23 June 2004 - 02:52 PM

Had the same problem with the about:blank being forced into my start page - followed the instructions here but the file dllfix.exe not available.

The link http://www.spywarein.../HijackThis.exe
was most usefull with this I was able to identify an unknown DLL file that once deleted fixed my problems.

#7 jstrong

jstrong

    Member

  • New Member
  • Pip
  • 1 posts

Posted 28 June 2004 - 12:48 AM

Thank you guys, I have been trying to get rid of this for a couple days on my own and I just wanted to let you all know that yall ROCK!!!!!! :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button