about blank


5 replies to this topic

#1 deerhands

Posted 23 June 2004 - 09:33 PM

I'm trying to remove about blank. I ran the hijack and this is what I got. Any help would be greatly appreciated!


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\UMCSTUB.EXE
C:\WINNT\system32\CfgSrvc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Navnt\defwatch.exe
C:\WINNT\etlisrv.exe
C:\WINNT\system32\CfgSrvc.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\CA_APPSW\dts\bin\tngdoba.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\dpmw32.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\WINNT\system32\NWTRAY.EXE
C:\TNGSD\BIN\triggusr.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINNT\sabserv.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\sg0899280\Local Settings\Temporary Internet Files\Content.IE5\3M8N3TOL\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - P:\MARIACHI\HOTELCON\Spybot\SPYBOT-S\SDHelper.dll (file missing)
O2 - BHO: (no name) - {864C4A6C-B682-45D4-A670-BB2AEAD30635} - C:\WINNT\system32\aoiofa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 02
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopupDestroyer] C:\Program Files\Popup Ender\Popup Ender.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Sabre Server.lnk = C:\WINNT\sabserv.exe
O4 - Global Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CMAGS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://fyeowbp01.sabre.com/awswaxf.cab
O16 - DPF: {1EE104B2-B32A-43D2-8DF1-2FD84BD00B14} (WebIntelligence 2.6 Report Editor Control) - http://wailea.dev.sa.../WIPanelXEN.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://webworkshop.f...aDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://wailea.dev.sa...RptViewerEN.cab
O16 - DPF: {F9B3E1F4-3F66-11D3-AD61-0090275A7262} (ZABOClientControl Class) - http://wailea.dev.sa...eX/ZABOIEEN.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Global.ad.sabre.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A246B311-3A89-40CE-B80F-49D76650B4E1}: NameServer = 144.9.33.153,144.9.102.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Global.ad.sabre.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = global.ad.sabre.com,sabre.com,ad.sabre.com,dev.sabre.com,sabre.net,host.sabre.com,sabre-unicenter.sabre.com,webad.sabre.com,easysabre.com,afw.sabre.com,agentexplorer.sabre.com,canada.sabre.com,PRDPLEXB.sabre.com,stinmex.sabre.com,vpars.sabre.com,sabregroup.com,sabremobile.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Global.ad.sabre.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = global.ad.sabre.com,sabre.com,ad.sabre.com,dev.sabre.com,sabre.net,host.sabre.com,sabre-unicenter.sabre.com,webad.sabre.com,easysabre.com,afw.sabre.com,agentexplorer.sabre.com,canada.sabre.com,PRDPLEXB.sabre.com,stinmex.sabre.com,vpars.sabre.com,sabregroup.com,sabremobile.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = global.ad.sabre.com,sabre.com,ad.sabre.com,dev.sabre.com,sabre.net,host.sabre.com,sabre-unicenter.sabre.com,webad.sabre.com,easysabre.com,afw.sabre.com,agentexplorer.sabre.com,canada.sabre.com,PRDPLEXB.sabre.com,stinmex.sabre.com,vpars.sabre.com,sabregroup.com,sabremobile.com

#2 peldio

Posted 23 June 2004 - 09:59 PM

Hi,
new to the site and been working on several computers with the same problem, about:blank homepage hijacked, and tried Ad-Aware, Spybot, Spy Sweeper, etc. and it still loads the same scum homepage, and looked all over the web and nada. I've seen a few sites saying about editing the registry but can't remember the sites. Does anybody have an idea about getting rid of this scumware?



Peldio :huh:

#3 mjp65aa

Posted 23 June 2004 - 10:16 PM

Peldio,

This is the best site for help on this that I've seen. I suggest you read other threads of people getting help with the same problem to see if you can learn how to fix your problem. Obviously, only do this if you are confident you can try things without making it worse. Or, and if that doesn't work, start your own thread and wait in line :whistle: for one-on-one help. The helpers here are very good, but very busy lately. :mellow:

Edited by mjp65aa, 23 June 2004 - 10:21 PM.

mjp65

#4 nando

Posted 24 June 2004 - 03:59 AM

Delete this file: C:\WINNT\system32\aoiofa.dll,
run HijackThis and fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {864C4A6C-B682-45D4-A670-BB2AEAD30635} - C:\WINNT\system32\aoiofa.dll
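
A triage sketch for the log format posted in this thread, as an added example that is not from any poster or from HijackThis itself: it flags the IE search settings redirected to a local file under Temp (the pattern shared by most of the R0/R1 lines listed in post #4) and lists every BHO for manual review. The regexes and the Temp-path heuristic are assumptions inferred from the lines above.

```python
import re

# Constructed sample: lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SG0899~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - P:\MARIACHI\HOTELCON\Spybot\SPYBOT-S\SDHelper.dll (file missing)
O2 - BHO: (no name) - {864C4A6C-B682-45D4-A670-BB2AEAD30635} - C:\WINNT\system32\aoiofa.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
"""

# Assumed line shapes, inferred from the log in this thread (not an official grammar).
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>.+?) = (?P<data>.*)$")
BHO = re.compile(r"^BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                 r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
TEMP_FILE_URL = re.compile(r"^file://.*\\temp\\", re.IGNORECASE)

def parse(log):
    """Return (section, detail) pairs such as ('R1', ...); skip other lines."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def temp_file_redirects(entries):
    """R0/R1 IE settings whose data is a file:// URL under a Temp directory."""
    hits = []
    for section, detail in entries:
        m = REG_VALUE.match(detail) if section in ("R0", "R1") else None
        if m and TEMP_FILE_URL.match(m.group("data")):
            hits.append((m.group("key"), m.group("name"), m.group("data")))
    return hits

def bho_entries(entries):
    """O2 browser helper objects as dicts, for manual review of each DLL path."""
    found = []
    for section, detail in entries:
        m = BHO.match(detail) if section == "O2" else None
        if m:
            found.append({"clsid": m.group("clsid"), "path": m.group("path"),
                          "missing": m.group("missing") is not None})
    return found

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    print(temp_file_redirects(entries))
    print(bho_entries(entries))
```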

#5 Raiyn

Posted 29 June 2004 - 11:41 AM

I got the same problem as the first guy. I ran HijackThis and got this:

O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm006
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: Tornado 21 - http://download.game...s/y/t21t0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt2_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.game...nts/y/ft3_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://63.219.181.7/cax.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - http://toolbar.isear...general/drm.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.6.cab
O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downlo...DHTML_US_XP.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downlo...es/IA/ia_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://www.x0.nl/install2/dialxs.ocx
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downlo..._US_pack_XP.cab
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com...eeddelivery.dll
O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} - http://usa-download....TMLDialerXP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://bannerfarm.ac...r1137040505.EXE
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft...nloads/outc.cab
O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://216.133.83.16...loads/UGO20.exe
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolba...s/v3.0/0006.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_3_0.cab

#6 Raiyn

Posted 29 June 2004 - 11:41 AM

Any help would be, well, helpful.



