Several days ago I asked for help getting rid of about:blank. I followed the recommendation to remove a number of things from my hjt log, and thought I had successfully fixed my problem. Alas, I had not. Every day or day and a half I find that something has again set IE to about:blank. The guilty file changes each time--first it was ankli.dll, then hknilk.dll, then nadanp.dll, and this morning kgil.dll. If the create dates are accurate, these dll files are created right before I notice them. Finally, I have only been to what I consider fairly safe sites--e.g., NY Times, CNN, slate.com, and so on. There must be something still on my computer that from time to time generates a new take-over. Any suggestions as to what or how I can cure it, will be greatly appreciated.


For the record, here is my HJT after I just removed kgil.dll:

Logfile of HijackThis v1.97.7
Scan saved at 7:00:12 AM, on 4/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe
C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\Local Settings\Temp\Temporary Directory 31 for hijackthis.zip\HijackThis.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.nytimes.com/"); (C:\Documents and Settings\default\Application Data\Mozilla\Profiles\default\v3xvwlt4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\default\Application Data\Mozilla\Profiles\default\v3xvwlt4.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/store/executables/ie/IDA.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38087.6809027778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

John

Several days ago I asked for help getting rid of about:blank. I followed the recommendation to remove a number of things from my hjt log, and thought I had successfully fixed my problem. Alas, I had not. Every day or day and a half I find that something has again set IE to about:blank. The guilty file changes each time--first it was ankli.dll, then hknilk.dll, then nadanp.dll, and this morning kgil.dll. If the create dates are accurate, these dll files are created right before I notice them. Finally, I have only been to what I consider fairly safe sites--e.g., NY Times, CNN, slate.com, and so on. There must be something still on my computer that from time to time generates a new take-over.

Your HjT log looks pretty clean. Judging by the pattern of DLL names, it would appear that you have a morphing virus of some sort that has been able to elude the virus checkers that you have used so far--not to mention HjT itself or a Google search. Have you cleared your IE cache, etc? I would also manually clean out your Temporary Internet Files, as well. See Microsoft's Really Hidden Files for more on this issue (warning: potentially offensive site-name and email address). Though the article was written for Windows 98, it still applies.

You might also try an on-line virus checker other than Trend Micro as a cross-check. Here's my list.

Another way to close the door on some of the vulnerabilities used is by running Shoot the Messenger, DCOMbobulator, and UnPlug n' Pray from Gibson Research (about mid-page).

There is one thing you can remove using HjT, though, that may help a bit (dead link):

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...meInstaller.exe
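
An added example, not part of the original posts: a small parser that turns HijackThis entry lines into structured records, so the O16 (ActiveX download) and O4 (autorun) entries discussed above can be reviewed per source host instead of by eye. The sample lines are copied from the log posted above; the regular expressions are assumptions based only on the line shapes visible in that log.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
"""

# Assumed line shapes, inferred from the log above (not an official grammar).
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")
RUN = re.compile(r"^(HK(?:LM|CU)\\\.\.\\Run\w*): \[(.*?)\] (.*)$")

def parse_log(text):
    """Return (section_code, body) per entry line; header/process lines are skipped."""
    matches = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def activex_by_host(entries):
    """Group O16 (Downloaded Program Files) controls by the host they came from."""
    hosts = defaultdict(list)
    for code, body in entries:
        m = DPF.match(body) if code == "O16" else None
        if m:
            clsid, name, url = m.groups()
            hosts[urlsplit(url).hostname].append((clsid, name or "(unnamed)"))
    return dict(hosts)

def autoruns(entries):
    """Return (location, name, command) for O4 registry Run entries."""
    out = []
    for code, body in entries:
        m = RUN.match(body) if code == "O4" else None
        if m:
            out.append(m.groups())
    return out

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(activex_by_host(parsed))
    print(autoruns(parsed))
```
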

Several days ago I asked for help getting rid of about:blank. I followed the recommendation to remove a number of things from my hjt log, and thought I had successfully fixed my problem. Alas, I had not.

After more research, I have come to the following conclusions.

* First, turn off System Restore before removing stuff. Some of your problems may be sneaking back in that way.

* Next, go into the folder C:\Windows\Prefetch, and look at the files there. Are any of them suspect? List the files here. You may even want to reboot your computer into Safe Mode and then delete all the files in your Prefetch folder at this time, just to be safe. Viruses hide there. This may be extreme, but so is your distress at this point.

Here are some prevention tools:

SpywareBlaster -- blocks malware installation. Not a removal tool, helps keep adware and spyware off your PC by blocking ActiveX for known malware. Updates available on a regular basis.

SpywareGuard -- detect spyware programs. SpywareGuard works similar to an anti-virus program, by scanning EXE and CAB files on access and alerting you if known spyware is detected.

IE-SPYAD: Restricted Sites List for Internet Explorer. Registry add-in that moves known malware sites to the "Restricted" zone in IE to block the nasties.

XP Anti-Spy -- turn off the "phone home" functions in XP. Did you know that Windows XP, by default, monitors your computer usage and reports back to Microsoft? Slow it down, at least, with this tool.

Can you run AdAware (make sure REF files are the most current) and post the log from it --- this is a problem with several people, and by looking at the log from that, I can tell if yours is the same :)

Can you run AdAware (make sure REF files are the most current) and post the log from it --- this is a problem with several people, and by looking at the log from that, I can tell if yours is the same :)

How can I get rid of about blank when I click on IE icon? Every time I go into Tools/ internet options and I select a site for my home page it always goes back to About blank page and gives me some search page.

What is the problem? Please advise

TonyGreenwell58@hotmail.com
