moshquerade

YAABRT - yet another about:blank removal thread


i know it has been asked here before, but i have also succumbed to an about:blank homepage hijack.

i ran virus scan, adaware, spybot, and deleted TIF. i can reset my homepage, but the about:blank homepage will again take over my browser after a reboot.

 

i was referred here by someone who posts at anandtech and also is on staff at this board. i would appreciate help, in layman's terms, to get rid of this hijack, and how to prevent it in the future.

 

thanks!


ok, i just did the same thing asked in a similar thread

 

Can you please download HijackThis from this link, install it into C:\HJT. Run it, click on scan, save log and please post your entire log here for analysis.

 

Logfile of HijackThis v1.97.7

Scan saved at 8:22:11 PM, on 6/14/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\STARTER.EXE

C:\WINDOWS\GWHOTKEY.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE

C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE

C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE

C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE

C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\EREG\REMIND32.EXE

C:\WINDOWS\SYSTEM\MSWHEEL.EXE

C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE

C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE

C:\PROGRAM FILES\THE HELPSPOT!\RTFIXM32.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\MY DOCUMENTS\TYRUS\MY DOCUMENTS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KKNFBB.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\KKNFBB.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\KKNFBB.DLL/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KKNFBB.DLL/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\KKNFBB.DLL/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\KKNFBB.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll

O2 - BHO: (no name) - {8DFE4C21-B3E7-11D8-9DCA-004FA4A441DE} - C:\WINDOWS\SYSTEM\BHDJAOB.DLL (file missing)

O2 - BHO: (no name) - {EBBDAD6C-B923-11D8-9DCA-004FD33C5E96} - C:\WINDOWS\SYSTEM\KKNFBB.DLL

O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe

O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe

O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe

O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE

O4 - HKLM\..\Run: [WebInstall2] C:\PROGRAM FILES\CLIPGENIE\WEBINSTALL.EXE /R

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE

O4 - HKLM\..\Run: [Remndr] "C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE

O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RuLaunch.exe" /STARTMONITOR

O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE

O4 - Startup: Windows Guardian.lnk = C:\Program Files\the HelpSpot!\Fawgrd32.exe

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE

O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Pro 8.0\Ereg\REMIND32.EXE

O9 - Extra button: AIM (HKLM)
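Added example (not part of the original posts, and not HijackThis's own code): a small Python triage pass over lines excerpted from the log above, grouping the IE-related evidence by the DLL each entry points at. The tag names and the `triage` / `self_referencing` helpers are hypothetical, and the line patterns are assumed from the entries visible in this log.

```python
import re
from collections import defaultdict

# Lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KKNFBB.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\KKNFBB.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O2 - BHO: (no name) - {8DFE4C21-B3E7-11D8-9DCA-004FA4A441DE} - C:\WINDOWS\SYSTEM\BHDJAOB.DLL (file missing)
O2 - BHO: (no name) - {EBBDAD6C-B923-11D8-9DCA-004FD33C5E96} - C:\WINDOWS\SYSTEM\KKNFBB.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

# R0/R1: an IE setting whose value is a res:// URL served from inside a DLL.
RES_VALUE = re.compile(r"^(R[01]) - (.+?) = res://(.+?\.dll)/", re.I)
# O2/R3: a COM object loaded into IE, listed as "<name> - {CLSID} - <path>".
COM_ENTRY = re.compile(
    r"^(O2 - BHO|R3 - URLSearchHook): .*? - (\{[0-9A-F-]+\}) - (.+?)"
    r"( \(file missing\))?$", re.I)

def triage(log_text):
    """Return {DLL path (upper-cased): set of evidence tags} for IE entries."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if m := RES_VALUE.match(line):
            dll = m.group(3).upper()
            findings[dll].add("ie-setting-res-url")
            if line.endswith("(obfuscated)"):  # HijackThis's own marker
                findings[dll].add("obfuscated-value")
        elif m := COM_ENTRY.match(line):
            dll = m.group(3).upper()
            findings[dll].add("bho" if m.group(1).upper().startswith("O2") else "urlsearchhook")
            if m.group(4):  # registration left behind, file no longer on disk
                findings[dll].add("file-missing")
    return dict(findings)

def self_referencing(findings):
    """DLLs that IE settings load pages from and that are also loaded as a BHO."""
    return sorted(d for d, t in findings.items() if {"ie-setting-res-url", "bho"} <= t)

if __name__ == "__main__":
    for dll, tags in sorted(triage(SAMPLE_LOG).items()):
        print(dll, sorted(tags))
```

On this excerpt the only DLL that both backs the search settings and is registered as a BHO is `KKNFBB.DLL`, while the `BHDJAOB.DLL` entry is a registration whose file is already gone.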


As this is a relatively new and difficult infection to clean, I suspect that the DLL I am looking for is hidden very well and you need the DLLFIX. So please try this for me.

 

Download the file from

http://downloads.subratam.org/dllfix.exe

or

http://tools.zerosrealm.com/dllfix.exe

and save it in a place you like.

 

The file when downloaded will be dllfix.exe.

 

Double-click or open the self-extracting file. It will ask for installation and change location. Please keep it on the BOOT drive and not anywhere else, preferably on the Desktop.

 

Navigate to the folder with the contents of the file. You will see there are two more folders inside and two BAT files.

 

Run start.bat and you should get a screen with options.

Run Option 1 for the report, which when run will have a purple screen.

 

Once the search is complete, a ".txt" file should pop up with the name "Output.txt". Keep it. You will see there is a random dll named there if found. If you are not sure, post the log for Expert View.

 

NOW:

Run the start.bat again after dll found or whatever. Run option 2 and choose the correct option in the submenu. The sub-menu should be another box with options in it. It's probably green too.

 

Option 1 --> is if you found the dllname that is locked or in the appinit key.

Option 2 --> is for if you can't find the dllname.

 

It will reboot in 15 seconds.

 

If you are still unsure, post your query here for Expert View.

 

If you know the file name, reboot and there will be the scan for the "dll" on-boot screen, which will search and fix it. There will just be an md5 scan if the filename was entered manually (option 2,1 in start.bat).

 

Reboot and download ADAWARE. Check for updates. Then run the updated Ad-aware.

 

Reboot. Run HijackThis and save the fresh log.

 

THEN: Post a new Output.txt (option 1 in start.bat), the logs.txt the fix generated (you will find it automatically being made and found in the dllfix folder) and a fresh HijackThis log here in this thread. We'll take it from there.


You are still infected. But I will wait until you come back for further help before I post again.

 

Good luck though.
