Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: rondlac on January 25, 2005, 01:40:58 AM

Title: About Blank
Post by: rondlac on January 25, 2005, 01:40:58 AM
Problem:  Home page address has been taken over.  Cannot always get to my home page on boot-up or going there from other web sites.  I would find myself on a search engine site with "about blank" in the address block.
Cannot find any way to get rid of the problem without scrubbing the HDD.  Hopefully, someone knows of a less painful fix.

Thanks,
rondlac
Title: Re: About Blank
Post by: inthewildteam on January 25, 2005, 02:08:43 AM
Welcome to the forum.

If you use the search feature you'll find many threads about this.  If you still have issues after trying the various fixes, post back.

Let us know how you get on.
Title: Re: About Blank
Post by: Eddy on January 25, 2005, 07:38:43 AM
Click on the link in my signature and follow the instructions in the malware removal section.
Title: Re: About Blank
Post by: rondlac on January 25, 2005, 10:58:36 PM
I get nothing but a spinning globe and a black screen.  I don't know if it is "about blank" or the hyper link.
Title: Re: About Blank
Post by: Lisandro on January 26, 2005, 01:56:26 AM
I get nothing but a spinning globe and a black screen.  I don't know if it is "about blank" or the hyper link.

But did you follow Eddy's instructions?
Can you run SpyBot or Ad-aware?


Are you using Windows XP?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.
Title: Re: About Blank
Post by: inthewildteam on January 26, 2005, 02:37:33 AM
rondlac,

If you are able, download and install Firefox browser.  Using the "vanilla" install, use it to browse to Eddy's links and take your time to run all the suggested programmes.

Title: Re: About Blank
Post by: DavidR on January 26, 2005, 01:46:57 PM
If it is truly the about:blank hijack then this gives useful information.

About:Blank Homepage Hijacker Removal Instructions and Help (http://www.pchell.com/support/aboutblank.shtml)
Title: Re: About Blank
Post by: rondlac on January 27, 2005, 05:48:38 AM
Technical,
It's tough for me to keep up with you guys.  I'll try every suggestion and to respond to every post.
1. Yes, I followed Eddy's instructions.  Did a scan with 'spybot s&d' and 'Hijackthis'.  'spybot s&d' gave me all tracking cookies and 'Hijackthis' gave me a list of items that included "=about:blank" in the address line also a .DLL (C:\WINDOWS\SYSTEM\ODMBIB.DLL) that, a couple of days ago, was identified by avast as the bearer of a virus in an alert which I put into quarantine immediately.  The first scan with 'Hijackthis' produced a long list.  I shortened it by removing the domains I recognized as friendlies and did another scan showing the questionables.
2. I am using Win Me.
3. I tried scheduling an avast scan on boot as you directed but the required selection on the avast pop-up was grayed out.  It would not work.
Is it possible for me to get a copy of the 'Hijackthis' scan to someone for interpretation?

rondlac
Title: Re: About Blank
Post by: rondlac on January 27, 2005, 06:14:53 AM
inthewildteam,
1. Yes, I read as many of the 'about:blank' postings as I could handle.
2. Download and install FireFox browser...I guess so...'using the "vanilla install"'...don't know what that is.
3. After trying at least nine times I finally got Eddy's site to come on, but I would like to know what a "vanilla install" is.
4. I ran a couple of the programs listed on Eddy's site (see posting to Technical on this date).
5. The problem I had with Eddy's site is a common occurrence since I had been hit with that trojan, avast addressed it as "Win 32: Start Page-006 [TRJ]" and found it in C:\WINDOWS\SYSTEM\ODMBIB.DLL while I was surfing the internet.  All kinds of problems.
rondlac
Title: Re: About Blank
Post by: rondlac on January 27, 2005, 06:23:37 AM
DavidR,
The hyperlinked site in your post talks to XP & 2000.  I've got Me and even if the recommended actions would work on Me I don't know how to use them.  For me if it ain't 'KISS' I'm 'LOST'.

rondlac
Title: Re: About Blank
Post by: DavidR on January 27, 2005, 02:27:54 PM
1. Vanilla install is basically using default settings that are built in to the installation routine, you don't have to change anything.

2. Whilst the information on the link may have been a bit over your head, you will probably have noticed that some of it looks familiar, e.g. the part that looks like a hijackthis log file.

3. Hijackthis is probably the easiest interface for you, although it doesn't offer any help in getting rid of things, it gives lots of useful information that can be analysed both on-line and using Eddy's Hijackthis Log File Analyser. You could also post the contents of the hijackthis log file here for more help.

Eddy's Website (http://members.home.nl/edeijl/) click the "HiJackThis Section" and also the "Malware removal instructions and applications" section, and follow the directions there and get back to us if you need more help....

For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php or use Eddy's hijackthis log file analyser.
Title: Re: About Blank
Post by: rondlac on January 28, 2005, 01:12:16 AM
Eddy,
I need help.  I screwed up.  I got button happy with HijackThis and selected what I thought were safe items in the on-line scan and put them into the 'don't scan until values change' department.  I have since found out all that I thought were safe items were not.  I uninstalled HijackThis and re-installed it only to find out all of the registry backups and 'don't scan until values change' lists must be deleted manually.  What I need is a guide to finding the items I need to manually delete so I can redownload HijackThis and do a clean up.

Thanks,
rondlac
Title: Re: About Blank
Post by: Eddy on January 28, 2005, 01:54:56 AM
Restore the items from the backup that HijackThis creates and post a log here.
Title: Re: About Blank
Post by: rondlac on January 28, 2005, 06:08:27 AM
Eddy,
Here is a copy of the log.

Logfile of HijackThis v1.99.0
Scan saved at 11:45:44 PM, on 01/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UTILITY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {3E50211F-4D05-49E4-AC6A-AC9D46FE8E0B} - C:\WINDOWS\SYSTEM\ODMBIB.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE (file missing)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.americanracing.com/wheelmatch/Jambalib.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4_0_2_10.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O18 - Filter: text/html - {B64DF3FA-BBF8-4655-8EAE-865C954DC5AC} - C:\WINDOWS\SYSTEM\ODMBIB.DLL
O18 - Filter: text/plain - {B64DF3FA-BBF8-4655-8EAE-865C954DC5AC} - C:\WINDOWS\SYSTEM\ODMBIB.DLL

Title: Re: About Blank
Post by: Eddy on January 28, 2005, 01:35:28 PM
This is the result of my HijackThis Log Analyzer:

--------------------------------------------------------------------------------
THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
\program files\mywebsearch\bar\1.bin\mwsoemon.exe
r1 - hkcu\software\microsoft\internet explorer\main,search bar = res://c:\windows\temp\sp.dll/sp.html
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = about:blank
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = about:blank
r1 - hkcu\software\microsoft\internet explorer\main,homeoldsp = about:blank
r1 - hklm\software\microsoft\internet explorer\main,homeoldsp = about:blank
o2 - bho: (no name) - {3e50211f-4d05-49e4-ac6a-ac9d46fe8e0b} - c:\windows\system\odmbib.dll (file missing)
o4 - hklm\..\run: [systemtray] systray.exe
o4 - startup: mywebsearch email plugin.lnk = c:\program files\mywebsearch\bar\1.bin\mwsoemon.exe
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra 'tools' menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra button: (no name) - {cd67f990-d8e9-11d2-98fe-00c0f0318afe} - (no file)
o9 - extra button: aim - {ac9e2541-2814-11d5-bc6d-00b0d0a1de45} - c:\program files\aim95\aim.exe (file missing)
o16 - dpf: {fe67c682-f5ea-11cf-9c2f-0000c0c83adc} (jamba class library) - http://www.americanracing.com/wheelmatch/jambalib.cab
o16 - dpf: {ef99bd32-c1fb-11d2-892f-0090271d4f88} (ybioctrl class) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4_0_2_10.cab
o16 - dpf: {9b03c5f1-f5ab-47ee-937d-a8eda626f876} (anonymizer anti-spyware scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/webaas.cab
o18 - filter: text/html - {b64df3fa-bbf8-4655-8eae-865c954dc5ac} - c:\windows\system\odmbib.dll
o18 - filter: text/plain - {b64df3fa-bbf8-4655-8eae-865c954dc5ac} - c:\windows\system\odmbib.dll

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:
--------------------------------------------------------------------------------
o4 - hklm\..\run: [msconfigreminder] c:\windows\system\msconfig.exe /reminder
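
As an added example (not part of the original thread, and not the logic of HijackThis or of Eddy's analyzer), this Python sketch triages the entry lines of a HijackThis log like the one posted above. The heuristics are assumptions of this example: flag R0/R1 values of about:blank or res://, unnamed BHOs, and text/html or text/plain filters, then report any file referenced by both an O2 and an O18 entry.

```python
import re
from collections import defaultdict

# Entry lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {3E50211F-4D05-49E4-AC6A-AC9D46FE8E0B} - C:\WINDOWS\SYSTEM\ODMBIB.DLL (file missing)
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O18 - Filter: text/html - {B64DF3FA-BBF8-4655-8EAE-865C954DC5AC} - C:\WINDOWS\SYSTEM\ODMBIB.DLL
O18 - Filter: text/plain - {B64DF3FA-BBF8-4655-8EAE-865C954DC5AC} - C:\WINDOWS\SYSTEM\ODMBIB.DLL
"""

# "<section code> - <rest>", e.g. "R1 - ..." or "O18 - ...".
ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")
# Trailing "- <drive path>" of an O2/O18 entry, without the "(file missing)" note.
TRAILING_FILE = re.compile(r" - ([A-Za-z]:\\.+?)(?: \(file missing\))?$")


def parse(log):
    """Yield (section, body) per entry line; headers and the process list are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Return (findings, shared_files) using this example's assumed heuristics."""
    findings = []
    sections_by_file = defaultdict(set)
    for section, body in parse(log):
        if section in ("R0", "R1"):
            value = body.rpartition(" = ")[2].strip().lower()
            if value == "about:blank" or value.startswith("res://"):
                findings.append((section, "IE setting is about:blank or res://", body))
        elif section in ("O2", "O18"):
            m = TRAILING_FILE.search(body)
            if m:
                sections_by_file[m.group(1).upper()].add(section)
            if section == "O2" and "(no name)" in body:
                findings.append((section, "unnamed BHO", body))
            if section == "O18" and body.lower().startswith(
                    ("filter: text/html", "filter: text/plain")):
                findings.append((section, "page-content filter DLL", body))
    # A file loaded both as a BHO and as a content filter ties the entries together.
    shared = sorted(f for f, s in sections_by_file.items() if {"O2", "O18"} <= s)
    return findings, shared


if __name__ == "__main__":
    found, shared_files = triage(SAMPLE_LOG)
    for section, reason, body in found:
        print(f"{section:<4}{reason}: {body}")
    print("Referenced by both O2 and O18:", shared_files)
```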
Title: Re: About Blank
Post by: rondlac on January 28, 2005, 10:50:06 PM
Eddy,
Did as directed: ran a scan, selected items called out in your analysis sheet, ran the 'fix' then ran another scan to review the results of the fix.  None of the 'fixed items' came back, got 4 new ones though and the computer problems are still there, maybe even a little bit stronger.  There are some sites I cannot get into, like locked out.  Internet maneuvering goes from slow to stop to 'I ain't gonna let you go there'.  Off line there doesn't seem to be a problem.  Any ideas?

rondlac
Title: Re: About Blank
Post by: DavidR on January 28, 2005, 11:32:06 PM
Post a new hijacklog or use the on-line scan of your Hijackthis log file; try here http://hijackthis.de/index.php
Title: Re: About Blank
Post by: rondlac on January 29, 2005, 06:24:19 AM
DavidR,
Below is another HJT log.  I did an analysis myself but no fixes.  I found 4 nasty, 2 possible nasty and 1 unknown.
The 4 nasty speak for themselves, the 2 possible nasty: first one is R1-HKLM... I only use Netscape for the email and the second O14-IERESET.INF:... I have no idea what that is (aol did not make my computer).
When I took the action to fix the items in the analysis Eddy sent to me I lost the JAVA from my Internet Explorer and tried to download a replacement from Sun Microsystems and can't use it because my security settings are too high for ActiveX to be used.  The settings when changed keep going back to default.  Can I undo the last set of fixes?  And how can I pick out the 'nasty' I fixed and caused the loss of JAVA?

Logfile of HijackThis v1.99.0
Scan saved at 11:42:58 PM, on 01/28/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\UTILITY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

Title: Re: About Blank
Post by: DavidR on January 29, 2005, 02:17:06 PM
You seem to be getting the hang of it now, most of the R0 or R1s can go unless you have specifically set them up.

Being an ME user you are limited to using IE6 SP1 and not the stronger 'Internet Explorer v6.00 SP2 (6.00.2900.2180)' as this can only be applied for WinXP SP2 users. This makes browsing with your current IE6 SP1 more vulnerable.

There is no real way round this other than upgrade your OS or try a browser that is a little more secure. The browser switch/try is the lesser of two evils, I would suggest you give firefox a try.
Title: Re: About Blank
Post by: Eddy on January 29, 2005, 04:12:25 PM
At least the system is clean now. So it is not malware causing the current problems.
Title: Re: About Blank
Post by: rondlac on January 29, 2005, 08:00:47 PM
Eddy,
Negative, not clean...nasties keep coming back, system is loaded with spyware & adware (243 entries-mostly registry), trojan is still there...hkey_current_user\software\accelerationsoftwareinternationalcorporation and browser is screwed up plenty.
I got the spyware & adware population data through a free pest scan from Zone Labs, yea, another item for the black list.  I went through your signature web site and learned a lot, however I'm still a long way from home.  I need to clean out the crap and corruption that is still in my registry and repair IE.  I would prefer staying with IE for now, so much learning and too many changes would surely screw things up.
Removing the trojan is the first thing I need to learn how to do and registry clean up second.

rondlac
Title: Re: About Blank
Post by: rondlac on January 29, 2005, 08:18:06 PM
Eddy,
How do you register onto the HijackThis forum?  The registration form is in German.  I need it translated, my Favorites listing for the site that translates web sites was one of the items wiped out by the trojan.  Do you have any help?

rondlac