about:blank
8 replies to this topic

#1 hustler (Member; Full Member; 6 posts)
Posted 02 June 2004 - 07:46 PM

Hey, just recently having this problem with the about:blank page appearing as my home page. I have tried Spybot and CWShredder but with no luck!! Platform is Windows XP Home; wondering if anyone can help???

Logfile of HijackThis v1.97.7
Scan saved at 01:48:42, on 03/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lime_Shop\Limeshop0.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lime_Shop\Limeshop1.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ilnblp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ilnblp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ilnblp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ilnblp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ilnblp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ilnblp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {551EAD1D-EF7D-4603-B4AF-14E33248F37B} - C:\WINDOWS\System32\ilnblp.dll
O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINDOWS\System32\sfg4880.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SENS Keyboard V4 Launcher] "C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINDOWS\System32\sfg4880.dll
O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8009.5379166667
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab


thanks!!
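As an added example (my own code, not part of this thread and not part of HijackThis), the following Python script parses the R0/R1, O2 and O4 lines of a HijackThis log like the one above and correlates three indicators that belong together in this hijack: IE search values redirected to a res:// page inside a local DLL, a Browser Helper Object that loads that same DLL, and a Run entry that re-registers a BHO DLL with regsvr32 at every logon. The sample lines are copied from the log above, except for one constructed benign "Start Page" line added so a normal IE setting can be seen to pass; the finding names are my own and the path normalisation is a plain lower-case comparison.

```python
import re

# Constructed sample input: lines copied from the HijackThis log posted above, plus one
# benign, constructed "Start Page" line so that a normal IE setting is seen to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ilnblp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ilnblp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {551EAD1D-EF7D-4603-B4AF-14E33248F37B} - C:\WINDOWS\System32\ilnblp.dll
O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINDOWS\System32\sfg4880.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINDOWS\System32\sfg4880.dll
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
"""

# One regex per HijackThis section we care about.
R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?),(?P<name>[^,=]+?) = (?P<data>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# A res:// URL tells IE to render an HTML resource embedded in a local DLL;
# in this hijack the DLL serving the fake search page is the hijacker itself.
RES_URL = re.compile(r"res://(?P<dll>.+?\.dll)", re.IGNORECASE)
DLL_PATH = re.compile(r"(?P<dll>[A-Za-z]:\\[^\"\s]+\.dll)", re.IGNORECASE)


def norm(path):
    """Case-insensitive comparison key for Windows paths."""
    return path.strip().strip('"').lower()


def analyse(log_text):
    """Return a list of (finding, detail, dll) tuples for the hijack indicators."""
    res_dlls = {}   # normalised DLL path -> IE value names redirected into it
    bhos = []       # (name, clsid, normalised path)
    runs = []       # (hive, label, command line)
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_LINE.match(line):
            if r := RES_URL.search(m.group("data")):
                res_dlls.setdefault(norm(r.group("dll")), []).append(m.group("name"))
        elif m := O2_LINE.match(line):
            bhos.append((m.group("name"), m.group("clsid"), norm(m.group("path"))))
        elif m := O4_LINE.match(line):
            runs.append((m.group("hive"), m.group("label"), m.group("cmd")))

    findings = []
    for dll, names in res_dlls.items():
        findings.append(("ie_search_redirected_to_dll", ", ".join(sorted(names)), dll))
    for _name, clsid, path in bhos:
        if path in res_dlls:
            # The DLL serving the fake search page is also loaded into every IE process.
            findings.append(("bho_is_res_dll", clsid, path))
    bho_paths = {path: clsid for _, clsid, path in bhos}
    for hive, label, cmd in runs:
        if cmd.lower().startswith("regsvr32"):
            # A Run entry re-registering a DLL at logon undoes a manual BHO removal.
            if d := DLL_PATH.search(cmd):
                dll = norm(d.group("dll"))
                findings.append(("regsvr32_at_logon", f"{hive} [{label}]", dll))
                if dll in bho_paths:
                    findings.append(("bho_reregistered_at_logon", bho_paths[dll], dll))
    return findings


if __name__ == "__main__":
    for kind, detail, dll in analyse(SAMPLE_LOG):
        print(f"{kind:30} {dll}  ({detail})")
```

The correlation is the point: a single unnamed BHO or a single res:// search page is suspicious on its own, but the same DLL appearing in both, plus a second BHO being re-registered from a Run key at each logon, explains why deleting entries one at a time in HijackThis did not hold between reboots.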

#2 hustler (Member; Full Member; 6 posts)
Posted 03 June 2004 - 03:07 AM

bump

#3 bfudge (Member; Full Member; 5 posts)
Posted 03 June 2004 - 03:17 AM

Hi,
Recently got rid of this by following this advice from someone who must use this forum as well as the one I was on:

About:blank is a known CWS hijack caused by using Microsoft's obsolete Java Virtual Machine. The hijack may be removed using the latest CWShredder:
http://www.spywarein.../downloads.html
Quote: "A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D and Ad-aware tend to forget essential parts of the hijack, so until they update, you can use this to completely remove the hijack. This program is updated to remove the new variants once they come out."

Preventing CoolWebSearch hijacks.
CWS hijacks exploit a flaw in Microsoft's now obsolete Java Virtual Machine. They can be prevented by replacing it with Sun's Java Runtime Environment (JRE) as explained in 'Uninstalling the MS Java VM':
http://www.spywarein...instmsjava.html
Quote: "The Sun Microsystems Java VM is a replacement for the now obsolete MS Java VM. Instructions on replacing the MS Java VM with the Sun Java VM are as follows:"

Preventing other adware, spyware and Trojan "drive-by downloads".
'Browser hijackers', Trojans, diallers and other malware are parasites -- they can only exist because of the flaws in the software they exploit. Most "drive-by downloads" exploit Internet Explorer's ActiveX vulnerability. While tightening Internet Explorer's 'security' settings can help, it is not a solution. ActiveX is there by design (as a foil to Sun's Java technology). There are several other 'Unpatched Internet Explorer Bugs':
http://www.safecente...ched/index.html
Quote: "There are currently 24 items, updated on 2004/01/27."

The next step I took was to stop it from happening again using this from the same person:

Mike Healan, owner and webmaster of Spywareinfo.com, knows more than most about Windows malware. He offers some good advice to 'Prevent Browser Hijacking':
http://www.spywarein...ked/prevent.php
Quote: "First and most simply, stop using Internet Explorer. If you use either Mozilla Firefox or Opera, you are immune to all known and future browser hijackers."


I hope it works for you as well :D

#4 hustler (Member; Full Member; 6 posts)
Posted 03 June 2004 - 04:51 AM

thanks, tried the websites suggested but still no luck!!

#5 hustler (Member; Full Member; 6 posts)
Posted 03 June 2004 - 02:03 PM

bump

#6 freeatlast (E x p l o r e r; Retired Staff; 833 posts)
Posted 03 June 2004 - 02:29 PM

Download and Install: >>Find-All.exe (Win2K/XP only!)<<

Run the "Find-All\Find-All.Cmd" file, wait for the log and post it here.
Submit Files: [image link]

#7 hustler (Member; Full Member; 6 posts)
Posted 04 June 2004 - 02:03 PM

Fri Jun 04 20:08:16 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (0451:4B90) - FS:FAT clusters:16k
Total: 29 982 900 224 [28G] - Free: 19 347 783 680 [18G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 8.0.0.4490 shp 520,192 04-11-2003 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 05-21-2004 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-18-2001 regedt32.exe


»»PC uptime:
8:08pm up 1 day, 1:02

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
568 SMSS.EXE
632 CSRSS.EXE Title:
656 WINLOGON.EXE Title: NetDDE Agent
700 SERVICES.EXE Svcs: Eventlog,PlugPlay
712 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
876 SVCHOST.EXE Svcs: RpcSs
976 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi
ity,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,
eclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upload
gr,W32Time,w
1112 SVCHOST.EXE Svcs: Dnscache
1196 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1460 EXPLORER.EXE Title: Program Manager
1472 SPOOLSV.EXE Svcs: Spooler
1604 IGFXTRAY.EXE Title: igfxtrayWindow
1616 HKCMD.EXE Title:
1628 LTMOH.EXE Title: TrayIconHandler
1644 SynTPLpr.exe Title: Touchpad driver helper window
1660 SynTPEnh.exe Title: Touchpad driver tray icon window
1668 Navapw32.exe Title: Norton AntiVirus
1676 SensKbd.exe Title: MagicKBD
1696 AGRSMMSG.EXE Title: Agere Systems Soft Modem Monitor
1788 WINAMPA.EXE Title:
1800 QTTASK.EXE Title: QTPlayer Tray Icon
1920 CTFMON.EXE Title:
1944 MSMSGS.EXE Title:
304 Navapsvc.exe Svcs: navapsvc
1036 JAVAW.EXE Title: LimeWire: Enabling Open Information Sharing (275.3k files / 941.4 GB available)
3940 realsched.exe Title: Notification Wnd for RNAdmin
4072 Mozilla.exe Title: SWI Forums -> about:blank - Mozilla
1684 Limeshop0.exe
2844 Limeshop1.exe
2560 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3172 ntvdm.exe
1688 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{551EAD1D-EF7D-4603-B4AF-14E33248F37B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CDF3C49-20E6-48d7-811B-9F5DD17F1D90}]
@="Core Library"
"Default"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{96E0E1FF-E5CB-45E7-AD58-DB02CF1AA9F4}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{96E0E1FF-E5CB-45E7-AD58-DB02CF1AA9F4}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

»»Group/user settings:


User: [SAMSUNG-3YMY4EE\Owner], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group SAMSUNG-3YMY4EE\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: There are no more files.
»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file Size: (Default/plain: ~732-4 bytes)
A C:\Find-All\Find-All\oldhosts.txt
--a-- - - - - - 732 06-02-2004 oldhosts.txt
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 732 06-02-2004 hosts
------
»»Rehash:

Fri Jun 04 20:08:23 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-04-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-04-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-04-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 594 06-04-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#8 marisk (Member; Full Member; 2 posts)
Posted 04 June 2004 - 03:07 PM

Hey gang, this URL: http://www.safecente...ched/index.html

just sent me to the http://th.msie.tv/index.php?aid=20038 page, which I believe is the about:blank home page.

#9 hustler (Member; Full Member; 6 posts)
Posted 06 June 2004 - 05:48 PM

bump
