another about:blank problem


  • This topic is locked
19 replies to this topic

#1 Holdem

Holdem

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 29 May 2004 - 10:04 AM

Hey Guys-
I've got the about:blank problem and have tried all of the fixes without success...HELP...I'm a self taught, not talented
computer user...Any explanation not in 5th grade english will probably be over my head...Thanx for any help and I really appreciate
the site!
Logfile of HijackThis v1.97.7
Scan saved at 7:37:16 AM, on 5/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\ULTIMATEBUDDY\ULTIMATEBUDDY.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\ULTIMATEBET\ULTIMATEBET.EXE


C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {3F64F7E0-B13E-11D8-AB37-00A02EFDD50F} - C:\WINDOWS\SYSTEM\ILLOFFA.DLL
O4 - HKCU\..\Run: [UltimateBuddy] C:\PROGRAM FILES\ULTIMATEBUDDY\ULTIMATEBUDDY.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelp...s/WalletCab.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38135.628599537

#2 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 29 May 2004 - 10:12 AM

GoTo:
Start>run>Type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If so, highlight and use edit>copy and post here

Next, Download both tools:
http://freeatlast.10.../StartDreck.zip
http://freeatlast.10...om/Win98Fix.zip

Unzip and run StartDreck.exe:
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!

#3 Holdem

Posted 29 May 2004 - 10:37 AM

Thanks Free! Here's what I found on the first directive:

Window Procedure Wdmcpl.dll RUNDLL32.EXE C:\WINDOWS\SYSTEM\Wdmcpl.dll C:\WINDOWS\RUNDLL32.EXE

#4 freeatlast

Posted 29 May 2004 - 11:08 AM

As expected! ;)

Go ahead and proceed with the other step!

#5 Holdem

Posted 29 May 2004 - 11:54 AM

OK- originally had some trouble w/ the Dreck download, but now got it to work...Here's what I got....Thx again!

StartDreck (build 2.1.5 public BETA) - 2004-05-29 @ 09:40:13
Platform: Windows 98 SE (Win 4.10.2222 A)

Registry
Run Keys
Current User
Run
*UltimateBuddy=C:\PROGRAM FILES\ULTIMATEBUDDY\ULTIMATEBUDDY.EXE
*SpySweeper=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
*MSMSGS=C:\Program Files\Messenger\msmsgs.exe /background
RunOnce
Default User
Run
*UltimateBuddy=C:\PROGRAM FILES\ULTIMATEBUDDY\ULTIMATEBUDDY.EXE
*SpySweeper=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
*MSMSGS=C:\Program Files\Messenger\msmsgs.exe /background
RunOnce
Local Machine
Run
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
RunOnce
RunServices
RunServicesOnce
**qeqr=rundll32 C:\WINDOWS\SYSTEM\WDMCPL.DLL,StreamingDeviceSetup
RunOnceEx
RunServicesOnceEx
Browser Helper Objects (LM)
*{3F64F7E0-B13E-11D8-AB37-00A02EFDD50F}
`InprocServer32=C:\WINDOWS\SYSTEM\ILLOFFA.DLL
Files
System/Drivers
Running Processes
*FFEFC0E3=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFF777=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF8007=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFF99C7=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFEC01F=C:\WINDOWS\RUNDLL32.EXE
*FFFE8167=C:\WINDOWS\EXPLORER.EXE
*FFF963F3=C:\WINDOWS\SYSTEM\RPCSS.EXE
*FFF9E977=C:\PROGRAM FILES\ULTIMATEBUDDY\ULTIMATEBUDDY.EXE
*FFF9A94F=C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
*FFF8ED87=C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
*FFFBD9C3=C:\PROGRAM FILES\ULTIMATEBET\ULTIMATEBET.EXE
*FFF5F16B=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFF114E7=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFF52FDB=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE
*FFFA7A7B=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF55503=C:\UNZIPPED\STARTDRECK\STARTDRECK\STARTDRECK.EXE
Application specific

#6 freeatlast

Posted 29 May 2004 - 12:28 PM

Easy fix, in your case! ;)

File was spotted in 2/2!

*System hooks:
Window Procedure Wdmcpl.dll RUNDLL32.EXE
C:\WINDOWS\SYSTEM\Wdmcpl.dll C:\WINDOWS\RUNDLL32.EXE


*StartDreck log:
RunServicesOnce
**qeqr=rundll32 C:\WINDOWS\SYSTEM\WDMCPL.DLL,StreamingDeviceSetup


Now, unzip the
"Win98Fix.zip" you downloaded.
-DoubleClick on: 'RunFix.reg' file, Answer 'yes'
to the prompt!
-Restart computer!

Find and delete:
C:\WINDOWS\SYSTEM\WDMCPL.DLL file,

Consider the main problem solved! ;)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To fix all other, related/non related problems,
Run these tools, have them fix all problems:
*Ad-Aware6:
http://www.lavasoftu...ftware/adaware/

*Updates:
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181

*http://www.spywarein.../CWShredder.exe

Feel free to post follow up hijackthis log when done!
Good luck ;)

#7 Holdem

Posted 29 May 2004 - 12:29 PM

what do ya think free?

#8 freeatlast

Posted 29 May 2004 - 12:35 PM

what do ya think free?

Now, you don't have to be a computer engineer to be
able to follow the simple & convenient steps listed in my previous post, do you? :ph34r:

#9 Holdem

Posted 29 May 2004 - 01:01 PM

The directions were awesome free, but I tried it and still got the hijack..Should I see anything on reboot to help me look for the file? I used "find files" and found it and deleted...but...no luck. I know, I know...I'm fairly certain i've done something wrong...Hang in there with me...

#10 freeatlast

Posted 29 May 2004 - 01:14 PM

You will continue and get hijacked, of course
since you have other problems.

If you deleted the file, your problem IS solved!
Everything else has to be taken care of by
the tools I listed above..
When done, post another hijackthis log,
and any remnants, if left can be handled then.

#11 Holdem

Posted 29 May 2004 - 01:16 PM

AHHHHHHHHHHHHHHHHHHHHHHHH....Thank you very much! doing these now.

#12 Holdem

Posted 29 May 2004 - 05:37 PM

OK did what u directed and here's the latest:
Logfile of HijackThis v1.97.7
Scan saved at 3:22:18 PM, on 5/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\ULTIMATEBUDDY\ULTIMATEBUDDY.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {BBCA45F8-B15D-11D8-AB37-00A0176D6AD0} - C:\WINDOWS\SYSTEM\ILLOFFA.DLL (file missing)
O4 - HKCU\..\Run: [UltimateBuddy] C:\PROGRAM FILES\ULTIMATEBUDDY\ULTIMATEBUDDY.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelp...s/WalletCab.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38135.628599537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
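Added example, not part of the original thread or any poster's words: a small triage script run over lines excerpted from the two HijackThis logs above. It flags a BHO whose DLL also serves Internet Explorer search pages through `res://`, flags BHO keys marked `(file missing)`, and reports a DLL whose BHO CLSID differs between two scans. The function names `triage`, `findings` and `clsid_changed` are hypothetical.

```python
import re

# Sample input: a few lines excerpted from the first and second HijackThis logs in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {3F64F7E0-B13E-11D8-AB37-00A02EFDD50F} - C:\WINDOWS\SYSTEM\ILLOFFA.DLL
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ILLOFFA.DLL/sp.html (obfuscated)
O2 - BHO: (no name) - {BBCA45F8-B15D-11D8-AB37-00A0176D6AD0} - C:\WINDOWS\SYSTEM\ILLOFFA.DLL (file missing)
"""

# R0-R3 lines whose value is a res:// URL served from a DLL, and O2 (BHO) lines.
RES_RE = re.compile(r"^(R[0-3]) - (.+?) = res://(.+?\.dll)/", re.I)
BHO_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-F-]+\}) - (.+?\.dll)( \(file missing\))?$", re.I)

def triage(log):
    """Return (res_hijacks, bhos) parsed from HijackThis log text."""
    res, bhos = [], []
    for line in log.splitlines():
        line = line.strip()
        if m := RES_RE.match(line):
            res.append({"section": m[1], "key": m[2], "dll": m[3].upper()})
        elif m := BHO_RE.match(line):
            bhos.append({"clsid": m[1].upper(), "dll": m[2].upper(), "missing": bool(m[3])})
    return res, bhos

def findings(log):
    """Flag BHOs whose DLL also backs an IE search setting, and orphaned BHO keys."""
    res, bhos = triage(log)
    res_dlls = {r["dll"] for r in res}
    out = []
    for b in bhos:
        if b["dll"] in res_dlls:
            out.append(("bho+res", b["clsid"], b["dll"]))
        if b["missing"]:
            out.append(("orphan-bho", b["clsid"], b["dll"]))
    return out

def clsid_changed(before, after):
    """DLLs registered as a BHO under a different CLSID in the second scan."""
    old = {b["dll"]: b["clsid"] for b in triage(before)[1]}
    return sorted(b["dll"] for b in triage(after)[1] if old.get(b["dll"], b["clsid"]) != b["clsid"])
```
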

#13 freeatlast

Posted 29 May 2004 - 05:59 PM

Did you run both Ad-Aware and CWShredder?
Shredder would have removed these!

In hijackthis fix checked:
All-- *R1/*R0/*O2- lines.

Restart computer, Run hijackthis and post another log.

#14 Holdem

Posted 29 May 2004 - 06:22 PM

yeah Free...I ran all of it and it fixed A LOT of stuff...but I keep getting these. It's now to the point where spysweeper is blocking the homepage hijack each time it tries though it's still there. I'll do the above. Thanks again!

#15 freeatlast

Posted 29 May 2004 - 06:36 PM

SpySweeper is rather known to cause problems.
It will go on and alert you about any home page changes, and
yet unable to fix anything as advertised.

You should disable it till (and even after ) the
problem is resolved.
There is no need for it,
Ad Aware and Spybot suffice, along with cwshredder.

When done with the steps above, reset IE options
to defaults as well as your preferred home page.

FYI, this is what an infected and--later disinfected Win98
with --identical problem looks like! (minus Spy~Bloat~$weeper) :ph34r:

http://www.spywarein...wtopic=2978&hl=

#16 Holdem

Posted 29 May 2004 - 10:29 PM

Free-
THANX VERY VERY MUCH!!! The problem now appears fixed! I'm rerunning my ad aware and others to be sure but computer is alm

#17 Holdem

Posted 29 May 2004 - 10:34 PM

almost acting normal! I may have inadvertently deleted my sound file as there is no longer an icon on my tool bar (Read: yes, Holdem is truly a computer donkey...) If you know how to change that little issue, great, if not...I can't thank you enough for the help!!! I WAS SO FRUSTRATED! Gracias...

#18 Holdem

Posted 29 May 2004 - 10:59 PM

Free-

My computer is much happier now!!!! And so am I! Thanx so much!!! The problems seem to have been solved, and I've removed the spyware sweeper as directed. I'm still a donkey though and somehow managed to delete my sound...No volume control, sound icon on toolbar, etc. I don't know how, but I've learned more about computers in the last several hours, so EVERYTHING is a stretch.(LOL). If you know how to fix, awesome...if no, no worries as you've been such a HUUUUUGE help! Either way, take care...Holdem

#19 freeatlast

Posted 30 May 2004 - 05:10 AM

I'm still a donkey though and somehow
managed to delete my sound...No volume
control, sound icon on toolbar, etc

Start menu->Settings->Control panel.
Multimedia-> under the audio tab: (lower panel)
"Show volume control on the task bar..."

#20 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 01 June 2004 - 08:58 AM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)