about:blank problem again



#1 lo_kiz

Posted 11 June 2004 - 04:02 PM

I got this problem for almost a week now. Every time I open MS Internet Explorer, it goes to "about:blank" as my home page. It is supposed to be blank as the name suggests but it becomes a "search" page. It uses Java to do so. I already used CWShredder to try to clean it but it keeps on coming back. I also used adware and spyware sweeper to try to clean it but it remains there.


Logfile of HijackThis v1.97.7
Scan saved at 4:52:41 PM, on 6/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F8B8209A-0333-467C-A511-0058F1546F35} - C:\WINDOWS\System32\jipgcpa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8143.8273148148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Please help.

#2 iamiam80

Posted 11 June 2004 - 04:46 PM

You edit in the registry by going to
\HKEY_CURRENT_USERS\Software\Microsoft\Internet Explorer\Main\ and change the value of Startpage to whatever you want. Make sure to include the full URL: http://www.mystartpage.com

#3 lo_kiz

Posted 11 June 2004 - 05:12 PM

It is set as "about:blank" but when I open Explorer, it still goes to the unwanted page... the new "about:blank".

#4 lo_kiz

Posted 11 June 2004 - 05:25 PM

Also, on the webpage, all the "links" use JavaScript. Sometimes, there's a pop-up saying that your computer is infected by spyware, adware, etc. I tried your method, iamiam80, but it is set as "about:blank". I tried going to Tools, Internet Options to change my home page but it cannot be set as something else.

#5 freeatlast

  • Retired Staff

Posted 11 June 2004 - 06:16 PM

Download: "Beta-Fix.exe" from the 'Find-All page' link in my signature.
Install (extract), DoubleClick on the 'LOG.BAT' file, post the log here!

#6 lo_kiz

Posted 11 June 2004 - 06:29 PM

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...

7:29pm up 0 days, 0:26

C:\WINDOWS\System32\KBDNFMH.DLL +++ File read error
\\?\C:\WINDOWS\System32\KBDNFMH.DLL +++ File read error
遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙


»»Size of Windows key (*plain-450 *No AppInit-398 *fake-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access DELL\Quan
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access DELL\Quan


User is a member of group DELL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.



»»»»»»Backups created...»»»»»»
7:30pm up 0 days, 0:26

A C:\Beta-Fix\winBackup.hiv
--a-- - - - - - 8,192 06-11-2004 winbackup.hiv
A C:\Beta-Fix\keys\winkey.reg
--a-- - - - - - 594 06-11-2004 winkey.reg

»»Performing conditional 16bit string scan....

Windows
DeviceNotSelectedTimeout
=pGDIProcessHandleQuotaout
trSpoolerc
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuotarz

regf
hbin
Windows
DeviceNotSelectedTimeout
=pGDIProcessHandleQuotaout
trSpoolerc
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuotarz



#7 lo_kiz

Posted 12 June 2004 - 11:38 AM

bump

#8 lo_kiz

Posted 12 June 2004 - 09:10 PM

Bump again. Please help.

#9 Betamax

Posted 12 June 2004 - 09:30 PM

I have the exact same problem. I've used HijackThis and it finds the page. After I remove it, I load up internet exploder and the about:blank page is blank (things are back to normal, right? Wrong). When I close IE and open it back up again, the page has returned. All the links are JavaScript links. It's like IE's default blank page has been changed. I'd post my HijackThis logs in another thread but what's the point? He already posted his.

EDIT - This problem seems to be JavaScript-based. It's also attacking the startup process for IE, not all of Windows. The page reconstructs itself after restarting IE, not all of Windows. That should help narrow it down a little. Is there a startup list for IE (much like there is a startup list for all of Windows)?

Edited by Betamax, 12 June 2004 - 09:43 PM.


#10 Betamax

Posted 12 June 2004 - 10:14 PM

I've gained some ground on this problem. I think I've located the problem file. It has a huge file name, and Windows won't let me delete it. Says file not found, even though it's right there (<3 Windows).

Anyway, it's named memberembedded;dcopt=ist;h=rcategory.........[1].htm

I think this is the root of the problem.

#11 lo_kiz

Posted 13 June 2004 - 12:48 PM

I have solved the problem. It is a trojan called backdoor.agent.ba. You have to go to system32 and find the "wrong" .dll file. It is different for everybody.
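
Added example, not part of any post in this thread: posts #9 and #11 ask what loads with IE and point at a DLL in system32, and the O2 (Browser Helper Object) lines of a HijackThis log list exactly those IE-loaded DLLs. The sketch below parses the O2 lines copied from post #1 and lists nameless BHOs that load directly from System32 for manual review; that heuristic and the function names are assumptions of this example, not a rule stated in the thread.

```python
import re
from pathlib import PureWindowsPath
from typing import NamedTuple

# The O2/O3 lines below are copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F8B8209A-0333-467C-A511-0058F1546F35} - C:\WINDOWS\System32\jipgcpa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

# The CLSID anchors the match, so a " - " inside the file path
# (as in "Spybot - Search & Destroy") does not split the fields wrongly.
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+)$"
)

class Bho(NamedTuple):
    name: str
    clsid: str
    path: str

def parse_bhos(log_text):
    """Return every O2 (Browser Helper Object) entry found in the log."""
    bhos = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            bhos.append(Bho(m["name"], m["clsid"], m["path"]))
    return bhos

def needs_review(bho):
    # Assumed heuristic: a BHO with no registered name whose DLL sits
    # directly in System32 is worth checking by hand. It is a triage
    # filter, not proof that the file is malicious.
    parent = PureWindowsPath(bho.path).parent.name.lower()
    return bho.name == "(no name)" and parent == "system32"

def review_candidates(log_text):
    return [b for b in parse_bhos(log_text) if needs_review(b)]

if __name__ == "__main__":
    for b in review_candidates(SAMPLE_LOG):
        print(f"review: {b.clsid} -> {b.path}")
```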



