
argrh! can't get rid of about:blank!


  • This topic is locked
6 replies to this topic

#1 snabb1

snabb1

    Member

  • New Member
  • 3 posts

Posted 19 May 2004 - 05:43 PM

can somebody help me? i've been trying for days to get rid of this stupid about:blank page. Most times (though not all...) i restart my computer it becomes my default home page, and i'm directed there when i mistype a url...

if i don't change it, every time i click on something i get another spyware popup. Running CWShredder removes 1 thing (Searchx) every time, but then on restart everything reverts back to about:blank as default.

a couple times, after running spybot and adaware and CWShredder and whatever else i can find, i've managed to keep my default home page. but if i leave my computer on but alone for a few hours, somehow About:blank returns! how does it do that? it's so annoying!

so here is my hijackthis log, maybe somebody can help? thanks sooo much!

-snabb1

Logfile of HijackThis v1.97.7
Scan saved at 3:41:18 PM, on 5/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\2WIRE\2PORTALMON.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\2PORTALMON.EXE
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .edu/cgi/getdoc?tid=rop03e00&fmt=pdf&ref=resultsjava script:neww(java script:neww: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8038.1153703704
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.241.78.20...sCamControl.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B3D8F1D-5DAE-49DC-8B40-EFB7CD7A4F89} (VNLive Control) - http://www.scalado.c...s/vnpanoctl.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...jsp?forceLoad=1

#2 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 19 May 2004 - 05:55 PM

You have a virus:

O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE

Fix checked that line in hijackthis, reboot and delete that file!
Is your Norton Asleep? <_<

Backdoor.Jeem

Virus Definitions (Intelligent Updater) *
November 18, 2002

Virus Definitions (LiveUpdate™) **
November 20, 2002

Details:
http://securityrespo...kdoor.jeem.html


When done, follow these steps:
1.)
GoTo:
Start>run>Type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If so, highlight it, use Edit>Copy and post it here

2.)
Download: "StartDreck", unzip!
*Don't be f00led by the site's 'unique' interface!!!
http://members.black.../startdreck.htm
DoubleClick: 'StartDreck.exe'
Hit: -config
hit: -Unmark all
Check these boxes only:
Registry->run keys
System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!

Edited by freeatlast, 19 May 2004 - 05:57 PM.


#3 snabb1

snabb1

    Member

  • New Member
  • 3 posts

Posted 19 May 2004 - 06:19 PM

okay, here's what i did...

found the .dll file... it is:

Window Procedure Hlpf.dll RUNDLL32.EXE C:\WINDOWS\SYSTEM\Hlpf.dll C:\WINDOWS\RUNDLL32.EXE


then i downloaded "startdreck" and set it up as instructed. the log is:




StartDreck (build 2.1.5 public BETA) - 2004-05-19 @ 16:15:38
Platform: Windows 98 SE (Win 4.10.2222 A)

Registry
Run Keys
Current User
Run
*MsnMsgr="c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
RunOnce
Default User
Run
*MsnMsgr="c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
RunOnce
Local Machine
Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Norton Auto-Protect=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*LoadQM=loadqm.exe
*YBrowser=C:\Program Files\Yahoo!\browser\ybrwicon.exe
*2wSysTray=C:\PROGRAM FILES\2WIRE\2PORTALMON.EXE
*ViewMgr=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
RunOnce
RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
RunServicesOnce
**ndv=rundll32 C:\WINDOWS\SYSTEM\HLPF.DLL,StreamingDeviceSetup
RunOnceEx
RunServicesOnceEx
Files
System/Drivers
Running Processes
*FF0F6D9F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF3AF3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF2D63=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFFD4BB=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFFACDB=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFFAFFF=C:\WINDOWS\RUNDLL32.EXE
*FFFED503=C:\WINDOWS\EXPLORER.EXE
*FFFD681B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFD7207=C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
*FFFD8277=C:\WINDOWS\SYSTEM\QTTASK.EXE
*FFFDAD7B=C:\WINDOWS\LOADQM.EXE
*FFFC4013=C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
*FFFBF523=C:\PROGRAM FILES\2WIRE\2PORTALMON.EXE
*FFFB55AF=C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
*FFFD2DDB=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
*FFFB1ED3=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
*FFFC30BF=C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
*FFFA52BB=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFF963FF=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFF9CE4F=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE
*FFF8033F=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF8BE8B=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
*FFF72823=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
Application specific

#4 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 19 May 2004 - 06:51 PM

Easy fix, in your case! ;)

File was spotted in 2/2!

*Window Procedure Hlpf.dll RUNDLL32.EXE
C:\WINDOWS\SYSTEM\Hlpf.dll

*StartDreck log:
RunServicesOnce
**ndv=rundll32 C:\WINDOWS\SYSTEM\HLPF.DLL,StreamingDeviceSetup

Go here:
http://www10.brinkst...last/pvtool.htm
Download and UNzip:
"Win98Fix.zip"

-DoubleClick on: 'RunFix.reg' file, hit 'yes'
on the prompt!
-Restart computer!

Find:
C:\WINDOWS\SYSTEM\Hlpf.dll file, as it should
be visible now, Zip it up and submit it on the same
page by clicking on the link provided:
files for submission:
It will open your email client, navigate
and add it as attachment! Thanks ;)


Delete the file and its zipped copies!
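The cross-check used in the reply above (the same DLL showing up both as a msinfo32 system hook and as a rundll32 autorun entry) can be scripted. This is an added example, not part of the original thread: the pipe-delimited input formats and the function names are assumptions, and the sample lines are constructed from entries quoted in the thread.

```python
import ntpath
import re

# Constructed sample input; "key|name=command" and the hook layout are assumed.
AUTORUNS = """\
Run|LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Run|QuickTime Task="C:\\WINDOWS\\SYSTEM\\QTTASK.EXE" -atboottime
RunServices|SchedulingAgent=mstask.exe
RunServicesOnce|*ndv=rundll32 C:\\WINDOWS\\SYSTEM\\HLPF.DLL,StreamingDeviceSetup
"""
HOOKS = "Window Procedure|Hlpf.dll|RUNDLL32.EXE|C:\\WINDOWS\\SYSTEM\\Hlpf.dll\n"

# rundll32 [path\]file.dll[,Export]; group 1 = DLL, group 2 = export name
RUNDLL = re.compile(
    r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)"?(?:,(\S+))?', re.I)

def rundll_targets(autoruns):
    """Return (key, value name, dll basename, export) per rundll32 autorun."""
    found = []
    for line in autoruns.splitlines():
        key, _, entry = line.partition("|")
        name, _, command = entry.partition("=")
        m = RUNDLL.match(command.strip())
        if m:
            dll = ntpath.basename(m.group(1).strip()).lower()
            found.append((key, name, dll, m.group(2)))
    return found

def hooked_dlls(hooks):
    """Basenames of DLLs whose hook is hosted by rundll32."""
    out = set()
    for line in hooks.splitlines():
        f = line.split("|")
        if len(f) >= 4 and f[2].lower().startswith("rundll32"):
            out.add(ntpath.basename(f[3]).lower())
    return out

def correlate(autoruns, hooks):
    """Flag rundll32 autoruns that a second, independent view also reports."""
    hooked, findings = hooked_dlls(hooks), []
    for key, name, dll, export in rundll_targets(autoruns):
        reasons = []
        if dll in hooked:
            reasons.append("same DLL is a system hook hosted by rundll32")
        if key.lower().endswith("once"):
            reasons.append("rundll32 entry sits in a one-shot *Once key")
        if reasons:
            findings.append((dll, key, name, reasons))
    return findings
```
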

#5 snabb1

snabb1

    Member

  • New Member
  • 3 posts

Posted 20 May 2004 - 04:18 AM

you are such a star...

i think everything is working fine now.

thank you SO much for your help, really.

-snabb1

#6 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 20 May 2004 - 04:21 PM

Thanks, all's well now!

File received and identified!

Keep your precious Win98 out of trouble! ;)

#7 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 20 May 2004 - 06:36 PM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)