MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: Another about:blank takeover...
June 07, 2020, 05:02:59 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
June 07, 2020, 05:02:59 AM

Login with username, password and session length
 Featured Sites:
News
Help us help you! Help us help you by helping out! The more people know about us, the more help will be available. Click here to find out how...
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: Another about:blank takeover...  (Read 1767 times)
DBmann
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 3


Bookmark and Share

View Profile
« on: July 11, 2004, 01:55:19 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: WIN 2000
Problem Application Name & Version:IE 6
Problem Hardware Make & Model:
Error Messages:



Hello, I also have the about:blank problem.  I have looked at the other posts and tried to see if following the sujested steps would help, but it looks like all are a little different so I am posting my log file here for the Pro's to look at.

One thing I have is a program called WinPatrol.  It lets you know when another program is wanting to change a setting and asks for your approval.  I get asked about every 2min to change my home page to about:blank and someone is wanting to load a .dll called GAHECA.  (don't know if that info helps)

Thanks,
------------

Logfile of HijackThis v1.98.0
Scan saved at 9:25:48 AM, on 7/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINNT\system32\wuauclt.exe
C:\HJ this\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/srh/144/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/srh/144/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/srh/144/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/srh/144/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DB_MFG~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/srh/144/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DB_MFG~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DB_MFG~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DB_MFG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DB_MFG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/srh/144/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Internet Spy Hunter - {3424643B-A93E-45BF-ACA9-AF8B3ACC7BF0} - C:\PROGRA~1\INTERN~2\SPYHUN~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DB1A4B11-0707-4806-B455-5039C71A67BE} - C:\WINNT\system32\gaheca.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinPatrol PLUS] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/144.chm::/file.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.exe
O18 - Filter: text/html - {5B67BB14-8511-44BC-ABF5-79E2A7945C95} - C:\WINNT\system32\gaheca.dll
O18 - Filter: text/plain - {5B67BB14-8511-44BC-ABF5-79E2A7945C95} - C:\WINNT\system32\gaheca.dll
 


Logged

 
berebus
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 17


Bookmark and Share

View Profile
« Reply #1 on: July 11, 2004, 02:11:09 PM »

DBMANN:

I suspect these are some of your main suspects, and I would fix the following using Hijack this, and then run spybot...fix all files.  "I want to Point Out, that I am not an expert, and I would wait until somebody else confirms this"....I recently have gone through this myself and just jumped into it...started deleting stuff....not a good option unless you have "system restore"....its functionality has been quite handy.

I reccomend that when you confirm or start off on your quest....that you do all these functions in safe mode (reboot....tap f8), as well, repeat them on any user profile you might have.

good luck,
b

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/srh/144/

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/srh/144/

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/srh/144/

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/srh/144/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DB_MFG~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/srh/144/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/srh/144/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {DB1A4B11-0707-4806-B455-5039C71A67BE} - C:\WINNT\system32\gaheca.dll
Logged

 
DBmann
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 3


Bookmark and Share

View Profile
« Reply #2 on: July 11, 2004, 07:49:34 PM »

Thanks,

That seems to of worked.  WinPatrol is no longer giving me warning about someone wanting to change my homepage of load .dll's.  I have posted a new log file after doing the above...  What about all the sp.* files???  Is it ok to leave all of those there?  

Thanks again for the help
-------------------

Logfile of HijackThis v1.98.0
Scan saved at 3:37:48 PM, on 7/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\PDesk\PDesk.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJ this\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DB_MFG~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DB_MFG~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DB_MFG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DB_MFG~1\LOCALS~1\Temp\sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Internet Spy Hunter - {3424643B-A93E-45BF-ACA9-AF8B3ACC7BF0} - C:\PROGRA~1\INTERN~2\SPYHUN~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinPatrol PLUS] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/144.chm::/file.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.exe
O18 - Filter: text/html - {5B67BB14-8511-44BC-ABF5-79E2A7945C95} - C:\WINNT\system32\gaheca.dll
O18 - Filter: text/plain - {5B67BB14-8511-44BC-ABF5-79E2A7945C95} - C:\WINNT\system32\gaheca.dll
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #3 on: July 12, 2004, 01:25:34 AM »

Do another Scan with Hijackthis and put a check next to these entries and then FIX CHECKED when ALL other windows are closed

O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/144.chm::/file.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.exe


RESTART your computer
I've omitted some entries on purpose
Download and Install
FindnFix.exe

Run the "!LOG!.bat" file, wait for the final output (log.txt)
post the results....

Logged

 
DBmann
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 3


Bookmark and Share

View Profile
« Reply #4 on: July 13, 2004, 01:51:11 AM »

The "Find n Fix" link has a problem....  Is it some place elese?
Logged

 
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page August 04, 2018, 09:08:58 AM