about blank problem

Discussion in 'adware, spyware & hijack cleaning' started by mountainmutts, Apr 28, 2004.

Thread Status:
Not open for further replies.
  1. mountainmutts

    mountainmutts, Registered Member (Joined: Apr 28, 2004; Posts: 1)
    Hi, I am new here and I know other people have had this problem but I didn't want to copy their instructions if it is different for me.

    We have been getting about:blank homepage for the past week now. No matter what I do it comes back. And now from deleting things I guess, when I type in posts it takes forever for the actual characters to show up.

    After I run the programs below I try to install spyware blaster 6 and get this message: This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it.

    I ran Adaware and got 11 new items. I also ran CW Shredder and got 6 items. I removed them all and ran hijack this. Here is my log.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:16:31 AM, on 4/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\MFBLBP.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\MFBLBP.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\MFBLBP.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\MFBLBP.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\MFBLBP.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\MFBLBP.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {2050CA10-7760-4296-BE17-18B752D30541} - C:\WINDOWS\SYSTEM\MFBLBP.DLL
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .bpt: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Smart Viewer 7) - http://209.10.141.166/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://www.ea.com/downloads/games/common/boot_strap/iegils.cab
    O16 - DPF: {F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1} (IE Active Setup Control) - http://www.microsoft.com/windows/ie/ie40/download/cdf/setupctl.cab
    O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://cpulse.webex.com/client/webex/atbootie.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/308ed8d6f1836be05721/netzip/RdxIE.cab
    O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://www.realityobjects.com/download/3_0_1_135/eonx.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37883.5574421296
    O16 - DPF: {7EF1788A-8C66-4A77-95D2-3341111E4ACD} (CouponsIncIECtl2 Class) - http://a19.g.akamai.net/7/19/7125/1404/ftp.coupons.com/v7/cpnsie2.cab
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://www.cabeagent.com/netagent/objects/custappx2.CAB
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/MySignatureInitialSetup1.0.0.6.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O19 - User stylesheet: C:\WINDOWS\win32.bmp

    Any help would be appreciated as this is driving me crazy. Also, my husband and I have different logon names so whatever I do under my login doesn't seem to apply for his. So I think that may also be hurting me. o_O

    thanks
    mountainmutts
     
  2. Pieter_Arntz

    Pieter_Arntz, Spyware Veteran (Joined: Apr 27, 2002; Posts: 13,330; Location: Netherlands)
    Hi mountainmutts,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/MySignatureInitialSetup1.0.0.6.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O19 - User stylesheet: C:\WINDOWS\win32.bmp

    Can you please mail
    c:\windows\win.exe
    C:\WINDOWS\win32.bmp
    to the address I will send to your PM box?

    Then go here:
    http://www10.brinkster.com/expl0iter/freeatlast/PVtool.htm
    And download "Xfind.zip" from there.
    Unzip, run the 'find.bat' inside.
    Wait till it terminates and find 'log.txt' inside which
    you'd need to attach into your next reply.

    Next, do this:
    open the registry from start/run/regedit
    And expand the following:
    *HKEY_CLASSES_ROOT\PROTOCOLS\Filter
    RightClick the 'filter' key, choose 'export', name it and save in location of choice

    Navigate to this key next:
    *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Find this value on the right panel:
    "Appinit_Dlls"< RightClick and rename to:
    ->'Appinit_Dlls1'
    Close regedit, reopen it to the same key, highlight the
    'Windows' key there,
    Export it the same way and save in location of choice


    Lastly, navigate to:
    *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects<
    Export that Subfolder the same way.
    And proceed to do the following:

    RightClick Security/permissions on 'Browser Helper Objects',
    in 'advanced', de-select (uncheck) the
    "inherit from parent...permissions" lower box.
    Hit 'ok' and 'remove' on next prompts.

    That will prevent it from spreading further.

    In your next reply, navigate to the .reg files
    you saved, RightClick each -> edit, copy the
    contents and post here, along with a new hijackthis log.

    Regards,

    Pieter
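
A triage pass over a HijackThis log like the one in this thread, as an added example that is not part of either post and not HijackThis's own logic. The four rules are assumptions of this example, modelled on the entries singled out in the reply above (an O16 codebase that is a local file, an O19 user stylesheet) and on the res:// search pages the log marks "(obfuscated)"; the sample lines are copied from the first post.

```python
import re

# Lines copied from the HijackThis log in the first post of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\MFBLBP.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {2050CA10-7760-4296-BE17-18B752D30541} - C:\WINDOWS\SYSTEM\MFBLBP.DLL
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O19 - User stylesheet: C:\WINDOWS\win32.bmp
"""

ENTRY = re.compile(r"^\s*([A-Z]\d+)\s+-\s+(.*)$")    # "O16 - <body>"
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.I)     # DLL behind a res:// URL

def parse(log):
    """Return (section, body) pairs for every 'Xn - ...' line; skip the rest."""
    return [(m.group(1), m.group(2).strip())
            for m in map(ENTRY.match, log.splitlines()) if m]

def triage(log):
    """Return (section, reason, body) for entries matching the example rules."""
    entries = parse(log)
    # DLLs that a search/start page setting pulls its HTML from via res://
    res_dlls = {m.group(1).lower() for s, b in entries
                if s in ("R0", "R1") and (m := RES_DLL.search(b))}
    hits = []
    for section, body in entries:
        target = body.rsplit(" - ", 1)[-1].lower()   # last field: path or URL
        if section in ("R0", "R1") and RES_DLL.search(body):
            hits.append((section, "search page served from a local DLL", body))
        elif section == "O2" and target in res_dlls:
            hits.append((section, "BHO is the DLL behind the res:// pages", body))
        elif section == "O16" and target.startswith("file://"):
            hits.append((section, "ActiveX codebase is a local file", body))
        elif section == "O19":
            hits.append((section, "user stylesheet override", body))
    return hits

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {body}")
```
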
     