• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
TrendyGuy

About:Blank Hell Please help!!!

10 posts in this topic

Whever internet explorer is opened my home page gets changed to about:blank. This also happens when i close internet explorer and when i open my computer and such. I have been able to keep it under control so far with the new spybot software that asks you to accept or decline new registry changes. But this is getting very annoying. Everything I do brings me to a registry change box about "about:blank". Please help. Thanks!!

 

Logfile of HijackThis v1.97.7

Scan saved at 12:50:20 AM, on 6/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\system32\setver32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\msiexec.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\Trendy\LOCALS~1\Temp\Rar$EX00.015\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {EE55620F-16E9-4A4E-90BE-6C1797447246} - C:\WINDOWS\System32\fnfk.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O9 - Extra button: ATI TV (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_37.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7908.8501388889

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Share this post


Link to post
Share on other sites

your problem is this file

 

O2 - BHO: (no name) - {EE55620F-16E9-4A4E-90BE-6C1797447246} - C:\WINDOWS\System32\fnfk.dll

 

delete C:\WINDOWS\System32\fnfk.dll with kill box

this file has been created at the beginning of your problem.

Share this post


Link to post
Share on other sites

your problem is this file

 

O2 - BHO: (no name) - {EE55620F-16E9-4A4E-90BE-6C1797447246} - C:\WINDOWS\System32\fnfk.dll

 

delete C:\WINDOWS\System32\fnfk.dll with kill box

this file has been created at the beginning of your problem.

Share this post


Link to post
Share on other sites

Ok, thank you for that reply. I tried that the same day and it worked great. Then all of a sudden it started happening again. I did not go to any websites within that time I actually did not even use the computer once during that time. Here is a new log. Any help would be great thanks.

 

Oh!! And now not only does it try to put my homepage to "about:blank" but now it also tries to add a BHO to my registry too now since deleting the file I was told too. Please help.. THanks.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:26:45 PM, on 6/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\system32\setver32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Trendy\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Trendy\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O9 - Extra button: ATI TV (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_37.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7908.8501388889

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Share this post


Link to post
Share on other sites

After reading your entire post I ran through all the steps he had mentioned to you. Most of them did not work. I am hoping that same person or someone who can possibly help will read this post. Hear is the log from FINDnFIX. Thanks again for all trying to help.

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

Mon 06/28/2004

0:47am up 0 days, 0:09

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\HLPK.DLL +++ File read error

\\?\C:\WINDOWS\System32\HLPK.DLL +++ File read error

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»Special 'locked' files scan in 'System32'........

**File C:\FINDnFIX\LIST.TXT

HLPK.DLL Can't Open!

 

****Filtering files in System32... (-h -s -r...) ***

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\WINDOWS\SYSTEM32\

hlpk.dll Wed Jun 2 2004 11:03:04p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\HLPK.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 52

 

»»Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access ROB\Trendy

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access ROB\Trendy

 

 

»»Member of...: (Admin logon required!)

User is a member of group ROB\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

Service search: '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x ROB\Trendy

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: ROB\Trendy

 

Primary Group: ROB\None

 

 

 

»»»»»»Backups created...»»»»»»

0:47am up 0 days, 0:10

Mon 06/28/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-28-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 108 06-28-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

zAppInit_DLLsndleøÿÿÿØ

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

Windows

zAppInit

DLLsndle

 

**File C:\FINDnFIX\WIN.TXT

2 Øÿÿÿvk € zAppInit_DLLsndleøÿÿÿØ ø

Share this post


Link to post
Share on other sites

It looks like your offending file is "HLPK.DLL". If you substitute this file name with the one in the other posting (where he says to copy and paste), that should do the trick. That's how I fixed mine, at least.

Share this post


Link to post
Share on other sites

I did all process with the "HLPK.DLL" and it all seemed to work. My logs were exactly the same as the ones on that previous post. I am not positively sure it is gone. But for the time being it is. This "about:blank" seems to regenerate files though once some are deleted so I will leave a follow up post tomorrow. Thanks.

 

P.S. If any more tips please leave a post. Thanks.

Share this post


Link to post
Share on other sites

Trying running another HighjackThis log to see if the about:blank references are gone. That should tell you if it is really gone, but it sounds like it worked.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0