PDA

View Full Version : Hi, who can help to solve my "about:blank" problem? Thank you!

phoenixchen
19 Apr 2004, 11:04pm
Logfile of HijackThis v1.97.7
Scan saved at 13:34:20, on 4/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\System32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\Program Files\Network Associates\VirusScan\VsStat.exe
D:\Program Files\Network Associates\VirusScan\Vshwin32.exe
D:\Program Files\Network Associates\VirusScan\Avconsol.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Intel\DMI\BIN\WIN32SL.EXE
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
D:\WINNT\anvshell.exe
D:\Program Files\Intel\LDCM\Bin\USM.exe
D:\Program Files\Intel\LDCM\Bin\LDCMSync.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\3721\assistse.exe
D:\WINNT\system32\rundll32.exe
D:\WINNT\system32\internat.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINNT\System32\mdm.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\system32\opne.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINNT\system32\opne.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wholeworldmarket.com/search/top/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wholeworldmarket.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\system32\opne.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINNT\system32\opne.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINNT\system32\opne.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wholeworldmarket.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINNT\system32\opne.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - D:\WINNT\DOWNLO~1\CnsHook.dll
R3 - URLSearchHook: Assistant - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - D:\PROGRA~1\3721\Assist\assist.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - D:\WINNT\bi.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Assistant - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - D:\PROGRA~1\3721\Assist\assist.dll
O2 - BHO: (no name) - {4FF513A9-E964-43BD-9006-4DED9636366A} - D:\WINNT\system32\opne.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - D:\WINNT\DOWNLO~1\CnsHook.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Assistant - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - D:\PROGRA~1\3721\Assist\assist.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [User Space Manager] D:\Program Files\Intel\LDCM\Bin\USM.exe
O4 - HKLM\..\Run: [LDCMSync] D:\Program Files\Intel\LDCM\Bin\LDCMSync.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe D:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Belt] D:\WINNT\Belt.exe
O4 - HKLM\..\Run: [system32.dll] D:\WINNT\system\sysdll32.exe
O4 - HKLM\..\Run: [assistse] "D:\PROGRA~1\3721\assistse.exe"
O4 - HKLM\..\Run: [helper.dll] D:\WINNT\system32\rundll32.exe D:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Short Message (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: 3721 Assistant (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: Repair Browser (HKLM)
O9 - Extra 'Tools' menuitem: Clean Internet access record (HKLM)
O11 - Options group: [!CNS] Chinese keywords
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FIX19105/flash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {99888952-AC62-437C-AFC6-7B5CF05A7F2F} (IEDown Class) - http://www.ourgame.com/srvcenter/download/IEDown.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37889.5990162037
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chml.ubc.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC2CE922-930D-4FC9-BBE2-0FF431910490}: NameServer = 137.82.1.1,142.103.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chml.ubc.ca
O17 - HKLM\System\CS1\Services\Tcpip\..\{AC2CE922-930D-4FC9-BBE2-0FF431910490}: NameServer = 137.82.1.1,142.103.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chml.ubc.ca
O17 - HKLM\System\CS2\Services\Tcpip\..\{AC2CE922-930D-4FC9-BBE2-0FF431910490}: NameServer = 137.82.1.1,142.103.1.1
O19 - User stylesheet: D:\WINNT\sstyle.css
O19 - User stylesheet: D:\WINNT\sstyle.css (HKLM)
Hawk
21 Apr 2004, 8:57pm
OrangeBlood has found the cure for this problem. Here's a link to the thread where he gives directions on removal of the offending software. about blank homepage (http://www.icronticforums.com/showthread.php?t=4098&page=3) Scroll down to his name and follow the directions he gives and you should be all set friend.
Administrator
2 May 2004, 6:39pm
This will help get rid of that About:Blank Crap !!

1) Download reglite
2) install "Reglite" and run it, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs into the address bar.
3) Double click on AppInit_DLLs to open a "Data Editor" properties window, if the bottom textfield named "Value" contains a .dll file; then this is the hidden file you need to get rid off.
4) You should not be able to delete this file if you try to clear the value field, IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.
5) Rename the Folder "Windows" (This is a purple "highlighted" folder in the left hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".
6) Click AppInit_DLLs again and clear the value containing the .dll and ok it. This should have removed the .dll
7) Rename the windows folder back to its original name "Windows".
8) Run SpyBot, Ad-Aware and CWShredder
9) Check the following three links for instructions on downloading and running the applications listed:
o How to use Spybot to remove Spyware
o How to use Ad-Aware to remove Spyware
o How to Remove CoolWebSearch with CoolWeb Shredder
10) Next step will be to remove this dll file so make sure you have it noted down.
11) Step 1
12) Download KillBox
13) Unzip and start the application
14) Paste in the dir <path and name of dll as found in the appinit value box> i.e C:\Windows\System32\nameofdll.dll
15) Menu Select Action -> Delete on Reboot
16) Select File -> Add file <It should add the path automatically>
17) <Same Window> Select Action -> Process and Reboot
18) If Step 1 didn't work
19) Step 2
20) Click "Start" => "Run" and type in "cmd" (Without the quotations) and click on "Okay".
21) This will open a command window I will assume you have a basic knowledge of DOS if you have any problems at this point just write back I will outline the commands.
22) Type in dir <path and name of dll as found in the appinit value box> and press "Enter". You should see the name of the file listed.
23) Go to the system32 folder (This is where the .dll file will typically reside) and type attrib -R "nameofdll".dll
24) Carry out Step 1 again
25) Restart your computer in safemode
26) Open cmd window again as before
27) Type dir <path and name of dll as found in the appinit value box> and locate the dll name the dll should now have been removed and will not be listed.
28) While in safe mode (How do I boot into "Safe" mode?), run the 3 ad-removal programs again, just to make sure all traces are gone.
29) Boot up pc as normal and you should be trouble free.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If the solution above doesn't work try this fix !


This is a fast way to stop the About:Blank trojan redirector !!


1. Go to your desktop and click "Start" then "Run"> type in regedit in the address
bar. and hit OK.\
2. Once in the registry go up to the first folder (HKEY_CLASSES_ROOT) and click on
the (+) sign to access the folders. Find the folder BHO.HelperObject click on
the (+) sign to view the sub folders inside. Look for a folder called: CurVer
then Right Click on the CurVer folder and choose "Permissions" from the list.

3. Highlight the Administrator or the first group user in the list at the top of
the permissions group list. Now go to the bottom area and check the boxes for
"Deny" for Full Control and Read categories
4. If there is a second Group user after the Adminstrator then highlight it and
repeat the same steps as above to "Deny" Full Control and Read privileges for
it also.
5. Click "Apply" and "OK" and close out of the registry area

6. This should stop the About:Blank trojan from setting up .dll files in your
System32 files

7. Download and Run Spysweeper and Download Spywareblaster to prevent
future spyware infections.


Pass this fix along to someone who needs it if it works for you ! :thumbsup: