I'm helping a friend with about:blank

Status
Not open for further replies.

alt_ctrl_del

A good friend of mine has the about:blank problem, and seemingly a few others.

IE's slow, it keeps reverting to about:blank every few days, I keep getting pop-ups from pages that don't normally have pop-ups, and I get messages saying my memory is low and I have to restart.

That's what she's saying at least.
She's running WINXP Home SP1, has run AdAware, and CWSShredder, Aboutbuster, all to no avail.

Here is her HijackThis log.

StartupList report, 7/9/2004, 1:44:26 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

IMArchive_Start = C:\Program Files\IMArchive\IMArchive.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - c:\windows\system32\ejbffb.dll (file missing) - {CFF4C327-5B41-48B9-8EE3-8C1A49FBE261}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Ad-aware 6.job
Disk Defragmenter.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 3,503 bytes
Report generated in 0.406 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Any speedy assistance would be greatly appreciated.
Thanks!
 
Hi again alt_ctrl_del



I see your friend is running HijackThis from a temporary folder

and I need your HijackThis log, not your StartupList log

First, create a folder for HijackThis in the root folder of your hard drive so it can make proper backups; it can't make proper backups in a temporary folder

example

C:/HJT/hijackthis.exe
C:/hijackthis/hijackthis.exe

next

Click here to download Hijack This. Save it to the folder you have just created.

Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.


Lobos
 
Hopefully this is what you asked for?

Logfile of HijackThis v1.98.0
Scan saved at 6:33:06 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AIM\aim.exe
C:\hijackthis\hijackthis.exe

O2 - BHO: (no name) - {CFF4C327-5B41-48B9-8EE3-8C1A49FBE261} - c:\windows\system32\ejbffb.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HTTPServer] C:\Program Files\Spytech Software\SpyAnywhere\SpyAnywhere.exe
O4 - HKCU\..\Run: [IMArchive_Start] C:\Program Files\IMArchive\IMArchive.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe


I'd do parts of this myself but I'm not able to get to her computer. I really appreciate your help!
 
I don't see any sign of infection mmmmm
of course the log seems quite small

tell her to

CWShredder by Merijn Bellekom, the creator of Hijack This

Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")
Reboot



Did your friend install this SpyAnywhere? It is a keylogger, but it's a commercial keylogger, so most spyware programs won't pick it up.

fix this one with hjt

O2 - BHO: (no name) - {CFF4C327-5B41-48B9-8EE3-8C1A49FBE261} - c:\windows\system32\ejbffb.dll (file missing)

You should let your friend know that she is running the computer without an AV or a firewall. Very dangerous to do.

Lobos
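
Added example (not part of the original thread and not HijackThis's own code): a small Python parser for the O-lines of the HijackThis log above, separating entries marked "(file missing)", like the O2 BHO, from the O4 Run entries that need a manual look, like SpyAnywhere. The function names and dictionary fields are choices made for this example, and only the three line shapes seen in this log are handled.

```python
import re

# The O-lines copied from the HijackThis v1.98.0 log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {CFF4C327-5B41-48B9-8EE3-8C1A49FBE261} - c:\windows\system32\ejbffb.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HTTPServer] C:\Program Files\Spytech Software\SpyAnywhere\SpyAnywhere.exe
O4 - HKCU\..\Run: [IMArchive_Start] C:\Program Files\IMArchive\IMArchive.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
"""

MISSING = "(file missing)"
# "O2 - BHO: rest" / "O4 - HKLM\..\Run: rest" / "O9 - Extra button: rest"
ENTRY = re.compile(r"^(?P<code>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
# "name - {CLSID} - path" (the O2 and O9 lines in this log)
CLSID_ITEM = re.compile(
    r"^(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
# "[value name] command line" (the O4 Run lines)
RUN_ITEM = re.compile(r"^\[(?P<name>[^\]]+)\] (?P<target>.*)$")


def parse_entries(log_text):
    """Return one dict per O-line; other lines (header, processes) are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        entry = {"code": m["code"], "kind": m["kind"], "missing": False}
        item = CLSID_ITEM.match(m["rest"]) or RUN_ITEM.match(m["rest"])
        entry.update(item.groupdict() if item else {"target": m["rest"]})
        if entry["target"].endswith(MISSING):
            # HijackThis appends this marker when the file is not on disk.
            entry["missing"] = True
            entry["target"] = entry["target"][: -len(MISSING)].rstrip()
        entries.append(entry)
    return entries


def triage(entries):
    """Split into orphaned references and autoruns to review by hand."""
    orphaned = [e for e in entries if e["missing"]]
    autoruns = [(e["kind"], e["name"], e["target"])
                for e in entries if e["code"] == "O4" and "name" in e]
    return orphaned, autoruns
```
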
 