Another About:blank sufferer


6 replies to this topic

#1 poiuyt09

poiuyt09

    Member

  • Full Member
  • 3 posts

Posted 24 June 2004 - 10:27 PM

Like most others I am almost at my wits' end. Any help would be appreciated...

Logfile of HijackThis v1.97.7
Scan saved at 10:51:58 PM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\Explorer.EXE
C:\WINDOWS.000\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS.000\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS.000\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83E36735-4196-470C-A6BD-24AAF6838B94} - C:\WINDOWS.000\System32\cocpc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll (disabled by BHODemon)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS.000\SYSTEM32\sdph20.dll (disabled by BHODemon)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS.000\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: D:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8161.1752546296

#2 pll8on

pll8on

    Member

  • New Member
  • 4 posts

Posted 24 June 2004 - 11:09 PM

In your log, lines three, five and nine are about:blank start page entries. The first two are R0 (zero) lines and the last one is an R1 (one) line. With your HJT program, check those lines and "fix" 'em.

#3 nando

nando

    Member

  • Full Member
  • 24 posts

Posted 25 June 2004 - 02:22 AM

Delete C:\WINDOWS.000\System32\cocpc.dll (with Killbox).
Run HijackThis and fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {83E36735-4196-470C-A6BD-24AAF6838B94} - C:\WINDOWS.000\System32\cocpc.dll

Try it and tell me of the results.
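As an added example (not part of the original post or of HijackThis itself), the sketch below parses R0/R1 and O2 lines from a HijackThis log and applies heuristics that reproduce the selection listed in the post above. The matching rules are assumptions made for this thread: a search or start setting pointing at a `file://` page under a Temp directory, a Start Page of `about:blank`, and an unnamed, still-enabled BHO loaded from System32.

```python
import re

# Subset of the HijackThis log posted in this thread (copied verbatim).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83E36735-4196-470C-A6BD-24AAF6838B94} - C:\WINDOWS.000\System32\cocpc.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS.000\SYSTEM32\sdph20.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# "R1 - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
# "O2 - BHO: <name> - {CLSID} - <dll path>[ (disabled by ...)]"
O2_LINE = re.compile(
    r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)( \(disabled by .+\))?$")


def triage(log_text):
    """Return (section, detail) pairs for entries matching this thread's pattern.

    Heuristics are assumptions for this example, not HijackThis logic;
    about:blank is a normal Start Page on a clean machine.
    """
    flagged = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            section, hive, _key, name, value = m.groups()
            v = value.lower()
            temp_file = v.startswith("file://") and "\\temp\\" in v
            blank_home = name == "Start Page" and v == "about:blank"
            if temp_file or blank_home:
                flagged.append((section, f"{hive},{name}"))
            continue
        m = O2_LINE.match(line)
        if m:
            name, clsid, path, disabled = m.groups()
            if name == "(no name)" and "\\system32\\" in path.lower() and not disabled:
                flagged.append(("O2", clsid))
    return flagged


if __name__ == "__main__":
    for section, detail in triage(SAMPLE_LOG):
        print(section, detail)
```
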

#4 poiuyt09

poiuyt09

    Member

  • Full Member
  • 3 posts

Posted 25 June 2004 - 09:25 AM

Thanks nando. Can you advise a link to a safe download of Killbox?

Also, curiously, I noticed that the about:blank stuff keeps coming back several minutes after it's deleted by HijackThis or Spybot. It seems to reappear as a result of the deletion from these programs. I followed directions by removing *.tmp, *.js, *.hta files in safe mode.

Thanks again for helping out!

#5 Mere_Mortal

Mere_Mortal

    Spy-Aware

  • Helper Trainee
  • 292 posts

Posted 25 June 2004 - 09:58 AM

For members that are replying, please see the various helper groups here. Do join the team if you want to post help; we'd love to have you with us. :)

poiuyt09, please stand by for instructions from a helper or advisor.

Edited by Mere_Mortal, 25 June 2004 - 09:58 AM.


#6 poiuyt09

poiuyt09

    Member

  • Full Member
  • 3 posts

Posted 25 June 2004 - 10:07 AM

Mere Mortal:

Thanks. I will await your and/or your helpers' instructions.

#7 Mere_Mortal

Mere_Mortal

    Spy-Aware

  • Helper Trainee
  • 292 posts

Posted 27 June 2004 - 04:52 AM

I'm not so up to date as most trainees/helpers around here, thus I'm not sure about your R0/R1 entries, particularly:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

I think this is CoolWeb, so I recommend downloading [The Shredder]. Once you have installed and run it, post back a fresh HJT log for a more experienced eye to take a look. Don't fix anything with HijackThis until you have been given the go-ahead, as about:blank tends to come right back.

BTW, KillBox can be found [here].

Regards :)



