about:blank has control of my homepage



#1 Brian in VA


Posted 30 May 2004 - 12:02 PM

I have read the FAQs provided and went through each of the steps with IE screens closed, but I cannot get rid of about:blank. Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 1:00:05 PM, on 5/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KGEEO.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\KGEEO.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\KGEEO.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KGEEO.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\KGEEO.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\KGEEO.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {29FAB469-B230-11D8-BC29-AA0FF9573C50} - C:\WINDOWS\SYSTEM\KGEEO.DLL
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:...80/dexUS616.exe

#2 freeatlast


Posted 30 May 2004 - 12:11 PM

I have read the FAQs provided and went through each of the steps with IE screens closed, but I cannot get rid of about:blank. Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 1:00:05 PM, on 5/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Which steps did you follow?

FIRST, go here:
http://windowsupdate.microsoft.com

Scan and apply any and all security patches on offer, including but not limited to the latest and current version of IE6/SP1.

Your current and notably outdated version can't be fixed.

When you have done all that, rescan with HijackThis, check this Xpl0it and fix it:

*O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:...80/dexUS616.exe

Next,
GoTo:
Start>run>Type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
The file may be listed as:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If so, highlight it, use Edit > Copy, and post it here.

Next, Download both tools:
http://freeatlast.10.../StartDreck.zip
http://freeatlast.10...om/Win98Fix.zip

Unzip and run StartDreck.exe:
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!

#3 Brian in VA


Posted 30 May 2004 - 04:12 PM

I did each download, although the http://freeatlast.10...om/Win98Fix.zip was not available. Here is the information requested:

Keyboard Wnhooks.dll WNCONNECT.EXE C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\Wnhooks.dll C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
Mouse Wnhooks.dll WNCONNECT.EXE C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\Wnhooks.dll C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE


StartDreck (build 2.1.5 public BETA) - 2004-05-30 @ 17:04:31
Platform: Windows 98 (Win 4.10.1998 )

Registry
Run Keys
Current User
Run
RunOnce
Default User
Run
RunOnce
Local Machine
Run
*EnsoniqMixer=starter.exe
RunOnce
RunServices
*SchedulingAgent=mstask.exe
RunServicesOnce
RunOnceEx
RunServicesOnceEx
Browser Helper Objects (LM)
*{29FAB469-B230-11D8-BC29-AA0FF9573C50}
`InprocServer32=C:\WINDOWS\SYSTEM\KGEEO.DLL
Files
System/Drivers
Running Processes
*FFEFA03D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFF795=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFE105=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFFCCE5=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFFCFBD=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFFD7BB5=C:\WINDOWS\SYSTEM\PSTORES.EXE
*FFFDFC59=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFD6ED1=C:\WINDOWS\EXPLORER.EXE
*FFFD7485=C:\WINDOWS\STARTER.EXE
*FFFDEC79=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
*FFFC643D=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFFCED71=C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
*FFFC9F61=C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
*FFFB7551=C:\WINDOWS\SYSTEM\TAPISRV.EXE
*FFFB5C61=C:\WINDOWS\SYSTEM\RNAAPP.EXE
*FFFA9555=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE
*FFFA5801=C:\UNZIPPED\STARTDRECK[1]\STARTDRECK\STARTDRECK.EXE
*FFFBCEB1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
Application specific

#4 freeatlast


Posted 30 May 2004 - 05:08 PM

You don't seem to have the same problem

Download the 'Win98Fix.zip' from here:
http://freeatlast.10....com/index.html

Unzip, then double-click the 'RunFix.reg' file and answer 'yes' to the prompt!
-Restart computer!

Double-click the 'who.bat' file included. 'badfile.txt' should be found in the same folder; unless it is empty, copy its contents here.


Run these tools, have them fix all problems:
*Ad-Aware6:
http://www.lavasoftu...ftware/adaware/

*Recent Updates:
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181

*http://www.spywarein.../CWShredder.exe


When done with the above, restart in Safe mode and do 'find-files' for:
KGEEO.DLL
Delete when/if found.

Post another hijackthis log when done.

#5 Brian in VA


Posted 30 May 2004 - 09:48 PM

I did everything. I did not find anything for the 'badfile.text' or KGEEO.DLL. Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 10:42:31 PM, on 5/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8137.4680439815
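
Added example, not part of the original thread and not a HijackThis feature: a small Python triage that parses entry lines excerpted from the two logs posted above, flags the patterns the helper acted on, and confirms they are gone after cleanup. The heuristics in `flag` and all function names are assumptions drawn only from the entries in this thread.

```python
import re
from collections import Counter

# Entry lines excerpted from the two HijackThis logs posted in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KGEEO.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {29FAB469-B230-11D8-BC29-AA0FF9573C50} - C:\WINDOWS\SYSTEM\KGEEO.DLL
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:...80/dexUS616.exe
"""
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "R1 - ...", "O16 - ..."
DLL = re.compile(r"[\w~]+\.dll", re.I)

def parse(log):
    """Return (section, detail) for every HijackThis entry line; headers are skipped."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def flag(section, detail):
    """Assumed heuristics for this thread's patterns; returns a reason or None."""
    d = detail.lower()
    if section in ("R0", "R1") and "res://" in d and ".dll" in d:
        return "IE search setting served from a local DLL resource"
    if section == "O2" and "(no name)" in d:
        return "unnamed Browser Helper Object"
    if section == "O16" and "mhtml:" in d:
        return "ActiveX download source wrapped in mhtml:"
    return None

def triage(log):
    """Flagged entries as (section, detail, reason)."""
    return [(s, d, r) for s, d in parse(log) if (r := flag(s, d))]

def dll_counts(log):
    """How many flagged entries name each DLL; a shared DLL ties the entries together."""
    return Counter(n.upper() for _, d, _ in triage(log) for n in set(DLL.findall(d)))

def cleared(before, after):
    """Flagged entries present in the first log and absent from the second."""
    left = {(s, d) for s, d, _ in triage(after)}
    return [(s, d) for s, d, _ in triage(before) if (s, d) not in left]
```

On these excerpts the search hijack and the BHO both resolve to the same DLL, which is why the thread treats them as one infection.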

#6 freeatlast


Posted 31 May 2004 - 03:22 AM

Well done

Just fix this in hijackthis:
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Keep your Win98 out of trouble... :)

#7 Brian in VA


Posted 31 May 2004 - 09:01 AM

Thank you for your patience with someone who turns on his desktop and expects it to work every time without much thought into its care. I could never have corrected this without your help. Thank you again.

Brian :bounce:

#8 cnm


Posted 01 June 2004 - 08:55 AM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
