How do i get rid of about:blank

Discussion in 'adware, spyware & hijack cleaning' started by sk85cky, May 12, 2004.

Thread Status:
Not open for further replies.
  1. sk85cky

    sk85cky Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    18
    HOW do I get rid of this beast


    --------------------------------------------------------------------------
    I don't know how to unzip hijack to a separate folder so it doesn't create backups when I delete the adware called (obfuscated) or something, but I'm more focused on the about:blank one; it's killing me.

    Here's my log
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\S3apphk.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\WINDOWS\System32\gearsec.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Valve\Steam\Steam.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Owner\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oakphfc.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oakphfc.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oakphfc.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oakphfc.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oakphfc.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oakphfc.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O2 - BHO: (no name) - {FE69C268-12B5-4A82-A0FF-7E5FEDE1A624} - C:\WINDOWS\System32\oakphfc.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38107.896099537
    O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319
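    A triage helper for a HijackThis log like the one above, added here as an example and not part of the thread or of HijackThis itself: it pairs the res:// DLL that serves the fake search page (the R0/R1 lines) with the O2 BHO entry loading the same DLL, which is the pairing that identifies the hijacker's own component among the legitimate BHOs. The sample lines are abridged from the log posted above; the regexes are my own, not HijackThis output rules.

```python
"""Triage a HijackThis log for the about:blank / res:// search-page hijack.
Added example, not part of the thread or of HijackThis; sample lines abridged from the posted log."""
import re

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oakphfc.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oakphfc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FE69C268-12B5-4A82-A0FF-7E5FEDE1A624} - C:\WINDOWS\System32\oakphfc.dll
"""

# R0/R1 lines: "<hive>\<key>,<value name> = <data>"; the value name may contain spaces.
RLINE = re.compile(r"^R[01] - (HK\w+)\\(.*?),([^=]+?) = (.*)$")
# O2 lines: "BHO: <name> - {CLSID} - <dll path>"
BHO = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# res:// URLs load HTML straight out of a DLL's resource section.
RES_DLL = re.compile(r"res://([^/\s]+\.dll)", re.IGNORECASE)


def triage(log_text):
    """Return the res:// DLLs used by IE settings and the BHOs that load them."""
    res_dlls = {}       # lower-cased DLL path -> IE settings pointing at it
    bhos = []           # (name, clsid, path) for every O2 line
    home_old_sp = None  # HomeOldSP is not a stock IE value; it shows up in about:blank hijacks
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RLINE.match(line)
        if m:
            hive, key, name, data = m.groups()
            hit = RES_DLL.search(data)
            if hit:
                res_dlls.setdefault(hit.group(1).lower(), []).append(f"{hive}\\{key},{name}")
            elif name == "HomeOldSP":
                home_old_sp = data
            continue
        m = BHO.match(line)
        if m:
            bhos.append(m.groups())
    # A BHO whose DLL is also the res:// source is the hijacker's own component;
    # the other BHOs (Adobe, Norton) share no DLL with any IE setting.
    hijacked = [(clsid, path) for name, clsid, path in bhos if path.lower() in res_dlls]
    return {"res_dlls": res_dlls, "hijacked_bhos": hijacked, "home_old_sp": home_old_sp}


if __name__ == "__main__":
    for clsid, path in triage(SAMPLE_LOG)["hijacked_bhos"]:
        print(f"suspect BHO {clsid}: {path} also serves the res:// search page")
```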
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi sk85cky,

    This is a tough one :(

    We will do a series of steps and see how it goes.

    -Download FindAll.zip and unzip (extract) it to a folder of your choice:

    http://www10.brinkster.com/expl0iter/freeatlast/Find-All.zip

    Open the folder and run FindAll.bat; it will start a search and create two txt files:

    -"Output.txt"

    -"windows.txt"

    Copy-paste the contents of both here, please.

    Thnx!

    Cheers,
     
  3. sk85cky

    sk85cky Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    18
    Not to make things harder on you (more harder on me), I went to that link and it seems that link is broken. Is it broken for you?
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi,

    That link should work. It works for me, and I've asked someone else to check it and it worked for him as well.

    Cheers,
     
  5. sk85cky

    sk85cky Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    18
    OK, it just worked and here's what it had

    --===**'FIND-ALL' VERSION 3.1, 5/13**===--

    *System Info:

    Microsoft Windows XP [Version 5.1.2600]


    Locked or 'Suspect' file(s) found...
    'Xfind' is not recognized as an internal or external command,
    operable program or batch file.
    'Xfind' is not recognized as an internal or external command,
    operable program or batch file.


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}]
    @="Freedom BHO"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE69C268-12B5-4A82-A0FF-7E5FEDE1A624}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{262E778A-6FC6-4BFA-A1C5-08BA831F5930}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{262E778A-6FC6-4BFA-A1C5-08BA831F5930}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    *Security settings for 'Windows' key:
     
  6. sk85cky

    sk85cky Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    18
    Hmm, I hope you didn't forget about me... or did I do something wrong? Did I post something wrong above? ^^^ o_O

    Or maybe you just didn't get to it; sorry, I'm sort of impatient :'(
     
  7. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi,

    Nope not forgotten :)

    We are just waiting for some final modifications that are being made right now for a removal tool.

    As soon as that is done we'll update further instructions.

    Thnx for your patience !

    In the meantime, can you try this?:

    Download this program:

    http://www.resplendence.com/reglite

    Open it and navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

    -Rename the folder Windows to NotWindows (highlighted as a purple folder in the left-hand pane of reglite.)

    -Double-click "AppInit_DLLs" (in the right column) and see if you see a dll named in the value box; note it down and post it here

    -Rename the NotWindows folder back to its original name Windows

    Thnx

    Cheers,
     
  8. sk85cky

    sk85cky Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    18
    In the value box, when I double-clicked on it, this came up.

    C:\WINDOWS\System32\winb.dll

    But I didn't see any purple folders; maybe I did something wrong
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  10. sk85cky

    sk85cky Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    18
    Wait, I'm confused :'( it says--


    "The key is :

    Trying to make this superhidden dll visible so it's removable! Lately, it seems best to start with the removal of this dll, before following other instructions!"

    So wouldn't that mean I wouldn't have to do all that stuff below it since I found the name of the hidden dll? What do I do? I'm confused; I'm not too great with computers.
     
    Last edited: May 21, 2004
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  12. sk85cky

    sk85cky Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    18
    So all I have to do now is run Ad-aware? Because I have that, of course, already installed on my computer
     
  13. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    As Pieter said, as long as that dll is visible and you set Ad-aware up as per the link he posted. ;)


    snowbound
     
  14. sk85cky

    sk85cky Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    18
    Thanks a lot for finally fixing the bug!

    Now I can go on my homepage without 80 popups about "penis enlargement!"

    see ya
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  16. sk85cky

    sk85cky Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    18
    Ouch.. :( it came back after about 24 hours (about:blank). I guess I'll just run Ad-aware again; I think I downloaded something with adware anyway though. I'll check
     