
1 - 14 of 14 Posts

·
Registered
Joined
·
30,257 Posts
Discussion Starter · #1 ·
I have had my homepage continually reset to "about:blank". How can I make it quit doing that? I have reset it in IE, but every time I reboot, it comes back. What to do?
 

·
Premium Member
Joined
·
40,476 Posts
I hate to be the one to tell you

but about.blank can be a pain to remove.
First, I will say that I know some people use that as a setting to make IE load faster. But most people do not and it is a result of a hijacker. The best way to start is to make sure to run Ad-aware, Spybot S&D with the current updates. Disable any auto restore before running the programs in safe mode; this sometimes works. Clean out the temp internet files and cookies also. Let's try this before running a HijackThis log and making any registry edits.
 

·
Registered
Joined
·
3,775 Posts
My mother-in-law gets the about.blank webpage also every time the system is rebooted. I've run Ad-aware and Spybot, cleaned the temp files and cookies, but it also comes back. Can you describe in more detail the disable auto restore part - maybe that's what I'm missing.

She's got WP and Norton SystemWorks 2004 and I had pure h*ll to get this thing to let me install necessary Windows updates. Even when Norton found problems, it couldn't auto-delete. I had to manually find the files and delete them. It seems to be running good now, but I'm sure the next reboot will bring back about.blank.
 

·
Premium Member
Joined
·
40,476 Posts
WinME
1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the Performance tab.
3. Click on the File System button.
4. Click on the Troubleshooting tab.
5. Put a check mark next to 'Disable System Restore'.
6. Click the 'OK' button.
7. You will be prompted to restart the computer. Click Yes.
Note: To re-enable the Restore Utility, follow steps one to seven and on step five remove the check mark next to 'Disable System Restore'.

WinXP
1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'.
4. Click the 'OK' button.
5. You will be prompted to restart the computer. Click Yes.
Note: To re-enable the Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

What did Norton detect? I guess she is using Internet Explorer. If you need more help, just ask. I would like to see a HijackThis log of her computer. She might have some "nasty" hiding in there.
 

·
Registered
Joined
·
3,775 Posts
Norton detected some adware programs that I was able to delete. Yes, it's Internet Explorer. I can't remember all the files but one was win32.ddl, I think. Also, there is a file labeled twain.ddl and 3 other files labeled twain.??? that when deleted, always come back almost immediately. They are in her Windows/system32/ file folders.

Excuse my ignorance, but what/how do I get a HijackThis log? It is a downloadable program. The about.blank had come back without a reboot by the time I left her house Sunday afternoon. From what I've gathered from her, this has been happening for about 4 months - she's just been ignoring it - ughhh!!!
 

·
Premium Member
Joined
·
40,476 Posts
HijackThis can be downloaded here.
http://www.spychecker.com/program/hijackthis.html

Run, then post a copy of the log. Don't do anything else until I can review it. You don't want to remove good things. LOL

Twain, in most simple terms, is your camera, or scanner or other device connected to your computer. Do not delete them.

I am leaving to Trick & Treat and should be back in a little while. The log will be long and if you have questions, it might be a good idea to email them to me.
Having some things in places like you mentioned gives me cause to believe you have a virus. We will see.
 

·
Registered
Joined
·
3,775 Posts
Thanks Bill - I won't be able to run that log until Wednesday night when I go back to Austin and have access to her computer. Thanks for the help. I'll post up the log when I have it run sometime Wed. evening.
 

·
Premium Member
Joined
·
40,476 Posts
OK, I will keep an eye out for it. I'm looking for the log part that starts with R0 all the way down to O19. Just copy and paste that information for me. On the HijackThis log there will be a check mark next to each entry. Don't do anything yet; placing a check in there will remove that entry. The full log might be long if the computer is very old, so don't worry about it. We will clean out the junk.
 

·
Registered
Joined
·
3,775 Posts
Thanks again - I think the computer is a little over 2 years old - an HP pent. 4, 1.8ghz. My father in law got it a few months before he passed away. I'll be in Austin from Wed. night to Sun. helping her with the closings, etc and moving her from the old home to the new one, so I should have some time to get this computer fixed Wednesday night and most of the day Thursday between the 2 closings.
 

·
Registered
Joined
·
3,775 Posts
Bill - the report

Bill, this is the report from spychecker.com. Thanks for any help you can provide.

Logfile of HijackThis v1.97.7
Scan saved at 8:32:07 PM, on 11/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KFB3AC91\HijackThis[1].exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {2AA46213-6076-416B-9350-05284618FCBF} - (no file)
O2 - BHO: (no name) - {30661752-9878-4D6E-8BFC-7181EF6D5BA8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {726D1FAF-80D7-41DB-9059-A8FB095214D0} - (no file)
O2 - BHO: (no name) - {7BF43442-0B11-4B40-957E-639BF78C2756} - C:\WINDOWS\system32\clhfmcb.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

·
Premium Member
Joined
·
40,476 Posts
Sorry about the late reply, I'm swimming in computer issues. I got the log and will take a look at it now.
 

·
Premium Member
Joined
·
40,476 Posts
Have HijackThis fix these.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {2AA46213-6076-416B-9350-05284618FCBF} - (no file)

O2 - BHO: (no name) - {30661752-9878-4D6E-8BFC-7181EF6D5BA8} - (no file)

O2 - BHO: (no name) - {726D1FAF-80D7-41DB-9059-A8FB095214D0} - (no file)

O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
Is this something you installed? If not, remove.

O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
Again, keep if you know what it is, otherwise remove.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Unless you have the Spybot S&D option 'Lock homepage from changes' active, have HijackThis fix this.

There are many programs that are loading during start up. I would not allow them unless it is something you want. Some of the programs that load are: Real Player, Messenger, Google Toolbar, Password account manager, Quick Time, Microsoft Money, Microsoft Works, Microsoft Office and Excel. You can still use any of them; you just don't need them taking up space and memory all the time. Hope this helps. After you run the fix, let me know how it runs. Bill
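
The entry types the reply above asks to have fixed, pulled out of a HijackThis log programmatically. This is an added example, not part of the original thread or of HijackThis itself; the function names are hypothetical, the sample input is a handful of lines copied from the log posted earlier, and a match is a prompt for review rather than a removal verdict.

```python
import re
from collections import defaultdict

# Sample input: a few entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {2AA46213-6076-416B-9350-05284618FCBF} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")   # section code, then the entry body
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[([^\]]*)\] (.*)$")


def parse(log_text):
    """Group entries by section code (R0, R1, O2, ...); process paths are skipped."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def review_list(sections):
    """Collect the kinds of entries the helper's reply singles out."""
    findings = []
    for body in sections.get("O2", []):            # BHO registered, DLL missing
        m = BHO.match(body)
        if m and m.group(3) == "(no file)":
            findings.append(("orphaned BHO", m.group(2)))
    for code in ("R0", "R1"):                      # IE page values set to about:blank
        for body in sections.get(code, []):
            key, _, value = body.partition(" = ")
            if value.strip().lower() == "about:blank":
                findings.append(("about:blank value", key))
    for body in sections.get("O6", []):            # IE options locked by policy key
        findings.append(("IE policy restriction", body))
    return findings


def startup_items(sections):
    """Names of Run-key autostart entries (O4), for the start-up review."""
    return [m.group(1) for b in sections.get("O4", []) if (m := RUN.match(b))]
```
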

 

·
Premium Member
Joined
·
40,476 Posts
I found the "zero knowledge"; you can keep it if you installed their popup killer. It struck me as weird so I was unsure; it should be fine to keep if installed.
 