Jump to content


Photo

Yahoo/Google pop ups About:blank the cause?


  • Please log in to reply
9 replies to this topic

#1 AladdinSane

AladdinSane

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 28 May 2004 - 03:00 PM

Hi,

I have tried numerous times to fix this before coming and taking up peoples valuable time on this but for the life of me I cannot get this fixed. Spyboy catches 3 registry entries for about:blank. I delete them they come right back. I tried to remove the search assistant links from Hijack this but they also come right back. I am not sure where the root of this problem lies but if I see another pop up search for loans or inkjet cartridges im going to scream. I truly appreicate you taking the time to look at this for me.


Logfile of HijackThis v1.97.7
Scan saved at 3:22:15 PM, on 5/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
C:\My Download Files\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch....aspx?tb_id=401
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://216.247.86.99...06EB2200006AB50
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch....aspx?tb_id=401
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch....aspx?tb_id=401
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.attbusiness.net"); (C:\Program Files\Netscape\Users\orders\prefs.js)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Go - http://download.game...nts/y/gt2_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! PageBuilder - http://pagebuilder.y...code/client.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7672.4622337963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{665817AD-8E4A-4F19-AE01-96BD6EF52F7E}: NameServer = 207.69.188.187 207.69.188.186

#2 AladdinSane

AladdinSane

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 28 May 2004 - 10:23 PM

Hmmm, bump, anyone? Please.....hehe

#3 AladdinSane

AladdinSane

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 29 May 2004 - 09:31 AM

Anyone available to offer an opinion as to how to handle this?

#4 AladdinSane

AladdinSane

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 30 May 2004 - 12:35 AM

Still desperate. Anyone?

#5 AladdinSane

AladdinSane

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 01 June 2004 - 04:15 PM

If anyone has a suggestion I would really appreicate it. I dont want to start another topic so I have been trying to give as much time as I can before I bump this back to the top. I just really am desperate for help. If I have posted the wrong information or need to provide more please just ask because I really need someone to help me in regards to this matter. Thank you again.

#6 chuckjdj

chuckjdj

    Member

  • New Member
  • Pip
  • 1 posts

Posted 01 June 2004 - 04:54 PM

Quick Question:

Did you try running Spybot in Safe Mode to remove the spyware?

What is the problem you're experiencing (other than the inability to remove the items with Spybot)? Pop-up? Toolbars?

All of the items marked as "search page" look suspicious as well.

Here's what to start with:
* You need to disable system restore on your system.
- First, right click on My Computer and select properties (I don't know if your Icon is in your Start menu or on your desktop, but that's what you're looking for)
- Next, Select the 'System Restore' tab
- Then, select the check box that says 'Disable system restore on all drives'.
- Reboot your system in safe mode
- Run Spybot and remove the offenders
- Run HijackThis to ensure it's gone.
- Empty all temp folders to be safe
^ c:\windows\temp
^ c:\documents and settings\<your user name>\local settings\temp
^ c:\documents and settings\<your user name>\local settings\temporary internet files (delete all files in all folders)
- Reboot your system and Re-enable System Restore (Running XP without it is recipe for disaster)

Try that and let me know what happens.

#7 AladdinSane

AladdinSane

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 01 June 2004 - 06:49 PM

Thanks for the advice, its a work computer and I will try your suggestion as soon as I arrive tommorow and post the results. The main problem is constant pop ups evertime you go near google or yahoo. Its consistant and its definately coming from within the desktop not browser based pop ups. Its either an alternative search window, or ads for inkjet printer cartridges, loans, or assorted tomfoolery. Thanks again for taking the time to help me with this.

#8 AladdinSane

AladdinSane

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 07 June 2004 - 04:26 PM

Sorry for the delay in my response, but unfortunately this is still unfixed. I was just sent away on business and did not get a chance to return to this desktop. I did the things you suggested. I ran CWS Shredder and Spybot in safe mode, i removed the items, I emptied the temp folders as suggested but the pop-ups continue. But once I am back and running the same three problems pop up under Spybot which all seem to be about:blank related. I am enclosing the hijack this log once again and I am desperate for help with this.

Logfile of HijackThis v1.97.7
Scan saved at 5:23:20 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\OFFICE10\WINWORD.EXE
C:\My Download Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch....aspx?tb_id=401
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://216.247.86.99...06EB2200006AB50
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch....aspx?tb_id=401
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch....aspx?tb_id=401
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.attbusiness.net"); (C:\Program Files\Netscape\Users\orders\prefs.js)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Go - http://download.game...nts/y/gt2_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! PageBuilder - http://pagebuilder.y...code/client.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7672.4622337963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{665817AD-8E4A-4F19-AE01-96BD6EF52F7E}: NameServer = 207.69.188.187 207.69.188.186

#9 AladdinSane

AladdinSane

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 08 June 2004 - 11:39 AM

bump

#10 AladdinSane

AladdinSane

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 09 June 2004 - 01:25 PM

bump




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button