Can't remove "about:blank" homepage. Please help.


head_hunter
7 Apr 2004, 04:11am
Hey all,
Starting today I started getting this problem where I can't change my Internet Explorer homepage from about:blank to anything else. I usually use Hotmail as my default page, but now every time I change it, it goes right back to about:blank.

I've done the following to try and get rid of this problem (in order and multiple times).

1. Updated my Windows XP
2. Ran CWShredder (updated version)
3. Rebooted my computer
4. Ran CWShredder (updated version)
5. Cleared my temporary internet files, cookies and offline files.
6. Searched and deleted all my *.tmp files
7. Emptied my C:\WINDOWS\Temp folder
8. Emptied my C:\Temp folder
9. Emptied my recycle bin
10. Ran SpyBot (updated version)
11. Ran Ad-Aware (updated version)
12. Ran Panda Antivirus (updated version)
13. Ran AVG Antivirus (free updated version)

After this I still had the same problem. Some of these programs found some viruses and other things that I deleted and/or removed, but I still find myself with the same problem at hand. I then decided to run "Hijack This" (offline) and this is what it gave me:

Logfile of HijackThis v1.97.7
Scan saved at 10:29:54 PM, on 06/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Documents and Settings\Emil\My Documents\Emil\Download\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FCB08CE6-160C-46AF-8F2D-30027DE0D4EA} - C:\WINDOWS\System32\pld.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: GraphicalChat Application - http://www.onchat.com/ChatWorld/chat-signed-ie.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37667.5103240741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

This is all I can come up with. I don't really know how to use "Hijack This" so I decided not to mess around with it and left everything as is. Reminder, that is an offline log of when I ran the program. Any help would be greatly appreciated. Thanks in advance.

TheSource
7 Apr 2004, 10:18pm
I would suggest downloading SpyBot Search and Destroy [ http://www.safer-networking.org/index.php?page=mirrors ]. Run that and delete anything it finds. Remember to update it before you scan. Good luck.

GnomeWizardd
7 Apr 2004, 10:23pm
or Adaware 6

OrangeBlood
8 Apr 2004, 12:39am
Hey everyone,

I've got the same problem HeadHunter does. I had espn.com as my homepage but now it always reverts to about:blank. The page is a search engine. I don't really know how to identify the page (the top of the page says "Search for..." and most text on the page is blue).

I have tried everything.

CWShredder (updated)
Spybot S&D
Adaware 6
SpySweeper
AVG Anti-virus
Hi-Jack This
Deleted temp files and cookies

I have done all of these numerous times while always rebooting. I'm at a loss and don't know what to do anymore. I've read all the articles I can find on the subject and still can't solve the problem. This is driving me crazy! If anyone could give me some guidance I would greatly appreciate it.

Hawk
8 Apr 2004, 01:12am
Ok guys, here's a site where you can read on the very problem you're having. There's a few threads on the subject, so you should find answers.
techtalkforums.com (http://www.daniweb.com/techtalkforums/forum29.html) Let us all know how you fix the problem for future reference please. Thnx :thumbsup:

Hawk
8 Apr 2004, 01:16am
Oh, and btw, I think these are your problem lines----
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
Hope the link helps.

OrangeBlood
8 Apr 2004, 05:18am
Hawk,

Thanks for your input.

I finally cleared the problem up.

In Hi-Jack This I got rid of everything that had the word "search" in it as well as all of the "BHO" entries. There was also one exe file that I deleted but I don't recall what it was.

It did the trick! Back to normal. :thumbsup:

Hawk
8 Apr 2004, 02:03pm
No problem OB, glad I could help. Did you figure it out from going to the techtalk forum? Just curious if that's what pointed you in the right direction.

head_hunter
8 Apr 2004, 10:30pm
Okay, well I'll try and check out that techtalk forum. What I did was I ran everything again including some Hijack This fixes (everything updated). I fixed the problem, and it came back after a few hours. Then I fixed it again by turning off System Restore and it worked again. Then the day after, in the morning it was still fine, and then after I came back from school the problem came back. I have no idea what to do anymore... here's my new Hijack This log:


Logfile of HijackThis v1.97.7
Scan saved at 5:25:35 PM, on 08/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Documents and Settings\Emil\My Documents\Emil\Download\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ngeo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ngeo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ngeo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ngeo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ngeo.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ngeo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FB9BA0F2-3A75-4666-A4A8-FF3E7D6EB5C4} - C:\WINDOWS\System32\ngeo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: GraphicalChat Application - http://www.onchat.com/ChatWorld/chat-signed-ie.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37667.5103240741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

There you go. I'm really getting mad at this problem. It's really bugging me. Any help would be greatly appreciated. Thanks again...

GnomeWizardd
8 Apr 2004, 10:32pm
I can fix it easy!!!!!


Format c:/u

OrangeBlood
8 Apr 2004, 11:29pm
This is just great. I come back from school today too and its back. Aaaaaaaahhhhhhhgggggggggg. I wonder if it's something new b/c nothing works.

OrangeBlood
9 Apr 2004, 12:01am
Hawk or anyone else willing to help,

I cleared everything that I did yesterday. Rebooted and the problem was fixed, but I went ahead and ran Hi-Jack This again just to see and everything I got rid of was back. I think there are some exe files that I should be deleting but I'm not sure. Here is my HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 5:58:37 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Marcus\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lnfah.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lnfah.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lnfah.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lnfah.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lnfah.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lnfah.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {477BA73E-52B5-4851-9B74-0E5056A454CE} - C:\WINDOWS\System32\lnfah.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)

I would appreciate any help.

Hawk
9 Apr 2004, 12:21am
Ok guys, got the problem solver right here for you. Computer Cops (http://computercops.biz/modules.php?name=Forums&file=viewtopic&p=133970)
Follow this guy's directions and it will get rid of the problem. You've been hijacked by a rogue DLL. He explains how to remove it.

OrangeBlood
9 Apr 2004, 06:02am
That did it Hawk. Thank you very much for the info.

I had to delete separate rogue .dlls for each user in safe mode and then clean up with Hi-Jack This. Everything looks fine now and it doesn't show up in Hi-Jack This anymore.

Whew, thanks again. :thumbsup:

Hawk
9 Apr 2004, 09:55am
Glad to help OB. I'm really happy that did the trick. :thumbsup: Searched a couple hrs until I found exactly what we were looking for. But, We got it anyway. Rogue DLL's! What are they going to think of next.

Spekk
9 Apr 2004, 10:00am
I've also been having the same problem. I've tried mostly everything as well and can't seem to get rid of the problem (spybot search and destroy, cws shredder, adaware, webroot spy sweeper). Can anyone help? Your help will be much appreciated.

Here is my log. (I've tried fixing all those that begin with an R (R1,R0 ), but they keep coming back when I open a browser like every second time)

Logfile of HijackThis v1.97.7
Scan saved at 1:56:48 AM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ICQ\Icq.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jfhcba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jfhcba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jfhcba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jfhcba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jfhcba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jfhcba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {D120B114-44E3-4DDD-B05B-50A83CF4C367} - C:\WINDOWS\System32\jfhcba.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

Hawk
9 Apr 2004, 10:18am
Yes Spekk, go back one page on this thread and the computercops link will take you to the cure. Follow the directions of the first post on the page and it will take care of it. You'll have to do a little work to get rid of it. But it works, and that's what we're looking for: good results.

Spekk
9 Apr 2004, 11:54am
Thanks a lot! It works!!!

It didn't work for me the first time because I thought it would have the same file name... but it turns out my file name was different...

thanks again...

Hawk
9 Apr 2004, 02:06pm
That's great Spekk. Just for reference, I know one of the rogue DLLs is inadj.dll. What are the ones you guys found? That way if someone else has the problem we could list the rogue DLLs.

Jmoore
10 Apr 2004, 12:40am
Glad to help OB. I'm really happy that did the trick. :thumbsup: Searched a couple hrs until I found exactly what we were looking for. But, We got it anyway. Rogue DLL's! What are they going to think of next.
I had the same problem and cleared it the same way, but 24 hours later it came back with the same type of .dll, but named differently. I fixed it again and, just to test, I adjusted my calendar to 24 hours in the future and opened IE again. It took opening it twice to get the about:blank home page again. I then cleared it again using the same steps and adjusted my calendar to 1 year in the future and tried again; same result. I cleared the .dll again and changed my calendar back to the current day and tried again - this time, no about:blank. It looks like there is a program or something somewhere that is waiting 24 hours and inserting new rogue .dlls. I changed my calendar to 10 years in the future and opened IE again and got the about:blank again, then cleared it. It looks like it looks for the last time it inserted the .dlls and waits until a day later to do it again. The trojan or whatever is still there, but it won't act again until much in the future...
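
As an added example, not code from anyone in this thread: a small Python script that picks out the two signs Hawk pointed at above (the Search Bar / Search Page / SearchAssistant values pointing at res://C:\WINDOWS\System32\<name>.dll/sp.html, and the unnamed O2 BHO backed by that same DLL) from HijackThis log text, and diffs two logs to show what Jmoore describes: the same IE keys come back hijacked, but the DLL name and the BHO CLSID are new each time. The sample lines are excerpts copied from head_hunter's 06/04 and 08/04 logs. The rule "res:// search entry plus an unnamed BHO on the same System32 DLL" is my own heuristic for this thread's pattern, not something HijackThis itself applies; the script only reads text and never touches the registry.

```python
r"""
Added example (not part of the original thread): flag the about:blank /
sp.html search hijack in HijackThis 1.97-style log text and compare two logs
from the same machine.  Heuristic: a DLL referenced by a res:// search entry
AND loaded as an unnamed O2 BHO is treated as the rogue DLL.
"""
import re
from collections import defaultdict

# R0/R1 entry whose value is a res:// URL into a DLL, e.g.
# R1 - HKCU\...\Main,Search Bar = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
RES_DLL_RE = re.compile(
    r"^R[01] - (?P<key>[^=]+?) = res://(?P<path>[A-Za-z]:\\[^/]+?\\(?P<dll>[^\\/]+\.dll))/",
    re.IGNORECASE,
)
# O2 line: "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)\s*$"
)


def analyse_log(text):
    """Map each DLL of interest (lower-cased file name) to the IE keys that
    res:// into it, the CLSIDs of unnamed BHOs that load it, and its path."""
    hits = defaultdict(lambda: {"res_keys": [], "bho_clsids": [], "path": None})
    for line in text.splitlines():
        line = line.strip()
        m = RES_DLL_RE.match(line)
        if m:
            dll = m.group("dll").lower()
            hits[dll]["res_keys"].append(m.group("key"))
            hits[dll]["path"] = m.group("path")
            continue
        m = BHO_RE.match(line)
        # An unnamed BHO alone is not proof (Acrobat's helper is unnamed too),
        # so it is only recorded here; suspicious_dlls() also requires the
        # res:// search hijack on the same DLL.
        if m and m.group("name") == "(no name)" and m.group("path").lower().endswith(".dll"):
            dll = m.group("path").rsplit("\\", 1)[-1].lower()
            hits[dll]["bho_clsids"].append(m.group("clsid").upper())
            hits[dll]["path"] = m.group("path")
    return dict(hits)


def suspicious_dlls(text):
    """DLLs that are both the target of a res:// search hijack and an unnamed BHO."""
    return sorted(d for d, h in analyse_log(text).items() if h["res_keys"] and h["bho_clsids"])


def compare_logs(old_text, new_text):
    """Diff two logs: which rogue DLL went away, which one replaced it, and
    whether the same IE keys are hijacked in both (the re-infection pattern)."""
    old, new = analyse_log(old_text), analyse_log(new_text)
    old_bad, new_bad = set(suspicious_dlls(old_text)), set(suspicious_dlls(new_text))
    keys_old = {k for d in old_bad for k in old[d]["res_keys"]}
    keys_new = {k for d in new_bad for k in new[d]["res_keys"]}
    return {
        "removed": sorted(old_bad - new_bad),
        "added": sorted(new_bad - old_bad),
        "same_keys_hijacked": keys_old == keys_new,
    }


# Constructed sample input: excerpts of head_hunter's 06/04 and 08/04 logs,
# keeping only the lines relevant to the hijack plus two benign entries.
LOG_APR06 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pld.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FCB08CE6-160C-46AF-8F2D-30027DE0D4EA} - C:\WINDOWS\System32\pld.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""
LOG_APR08 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ngeo.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ngeo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FB9BA0F2-3A75-4666-A4A8-FF3E7D6EB5C4} - C:\WINDOWS\System32\ngeo.dll
"""

if __name__ == "__main__":
    for label, log in (("06/04", LOG_APR06), ("08/04", LOG_APR08)):
        for dll in suspicious_dlls(log):
            h = analyse_log(log)[dll]
            print(f"{label}: {h['path']} hijacks {len(h['res_keys'])} IE search keys, BHO {h['bho_clsids']}")
    print(compare_logs(LOG_APR06, LOG_APR08))
```

The Start Page / HomeOldSP = about:blank lines are deliberately not matched: about:blank is the symptom, and the DLL behind the res:// URL is what keeps putting it back, which is why fixing only the R lines in HijackThis (as Spekk tried) does not hold. Run the script against a saved log, then look for the reported DLL on disk; per the thread, the file name is different on every machine and after every re-infection.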

OrangeBlood
10 Apr 2004, 05:00am
That's interesting JMoore. Do you think there is an exe file we should be deleting in Hi-Jack in addition to the .dll's? Have you seen this anywhere else Hawk? I found another one today (ijfod.dll). Spybot and my other virus software doesn't find the trojan or whatever it is. Just wish I knew what we were looking for, and where it is.

stoopid
10 Apr 2004, 05:37am
That's interesting JMoore. Do you think there is an exe file we should be deleting in Hi-Jack in addition to the .dll's? Have you seen this anywhere else Hawk? I found another one today (ijfod.dll). Spybot and my other virus software doesn't find the trojan or whatever it is. Just wish I knew what we were looking for, and where it is.

Know thy system files!

I perform adware removals (about 5/day) with hijackthis as part of my RL job. I have to know not just standard business image application entries, but some of our business units have line of business apps and other registry settings that could be incorrectly identified and deleted...

So, if I can remember all this without trying, you can run hijack this and track down the less obviously named apps/dlls listed using google (there shouldn't be that many you don't recognize). It's all really about how bad you want the system cleaned, then taking the proper steps to ensure you never get the adware/spyware again. If you're not willing to do one or both, then this won't be the last time. We can't possibly list all spyware/adware in the universe here, it will require some effort on your part (and spybot/adaware only catch the older, more widely distributed forms and there's about a month delay before their dat files are updated). :thumbsup:

stoopid
10 Apr 2004, 05:43am
Just a side note -- Task Manager is also a useful tool; some spyware runs iexplore sessions and hides out as a service that isn't always detected by HijackThis or the scanners.

Hawk
11 Apr 2004, 02:57pm
As I understand it, there are multiple rogue DLLs out there that will do this. If you run HijackThis and then copy and paste the lines one at a time into a Google search, as stoopid says (thnx stoopid), it will take you to the explanation of each. That way you'll know what each line represents, and can delete accordingly.

head_hunter
12 Apr 2004, 04:01pm
Mine still isn't fixed. I've followed just about every damn procedure out there and it always gets fixed and then comes back a day or two later... Any more suggestions?

OrangeBlood
12 Apr 2004, 04:36pm
Me too HeadHunter.

sunnyp13
14 Apr 2004, 03:33pm
Hey everyone,

I'm having trouble getting rid of this about:blank homepage problem. I have tried using HijackThis v1.97.7 but am unable to find the R1 entries in the log file:

Logfile of HijackThis v1.97.7
Scan saved at 12:28:00 AM, on 15/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\lkikqg.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\PC-CIL~1\pccguide.exe
C:\WINDOWS\lkikqg.exe
C:\PROGRA~1\TRENDM~1\PC-CIL~1\Pop3trap.exe
C:\PROGRA~1\MESSEN~2\MsgPlus.exe
C:\PROGRA~1\ANALOG~1\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\TRENDM~1\PC-CIL~1\PCCCLI~1.EXE
C:\PROGRA~1\Telstra\CABLEL~1\bpcable.exe
C:\PROGRA~1\MICROS~2\type32.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\MIFB84~1\point32.exe
C:\PROGRA~1\Telstra\Toolbar\bpumTray.exe
C:\PROGRA~1\steam\steam.exe
C:\WINDOWS\System32\ctfmon.exe
C:\DOCUME~1\SUNNYP~1\Desktop\FREERA~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sunny Pan\My Documents\Sunny\Stuff\Software\Hijack This!\HijackThis.exe

O1 - Hosts: 62.93.200.61 servserv.westwood.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [FreeRAM XP] "C:\DOCUME~1\SUNNYP~1\Desktop\FREERA~1.EXE" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: BIGPOND.lnk = C:\Documents and Settings\Sunny Pan\Desktop\BIGPOND.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

this problem is really annoying so if anyone could help me out, that'd be great :thumbsup:

primesuspect
14 Apr 2004, 04:49pm
You might want to post this problem on short-media's Spyware/Virus/Trojan (http://www.short-media.com/forum/forumdisplay.php?f=57) forum.

citrixmeta
14 Apr 2004, 05:00pm
ya go there, people here dont give 2 shits about the problems ur having.


Jmoore
15 Apr 2004, 02:18pm
That's interesting JMoore. Do you think there is an exe file we should be deleting in Hi-Jack in addition to the .dll's? Have you seen this anywhere else Hawk? I found another one today (ijfod.dll). Spybot and my other virus software don't find the trojan or whatever it is. Just wish I knew what we were looking for, and where it is.

I have looked for an .exe file everywhere I can think of, with no luck. I ran Norton and AVG anti virus with no results. I also went through all the processes running and found nothing. One thing I noticed is that when IE is opened, in the status bar at the bottom, I see about:blank flash momentarily, so I know it's still out there waiting for the right date check. I would bet there is an activeX control somewhere that is being run... I'll keep looking.

Zuntar
16 Apr 2004, 12:04pm
This Needs To Be A Sticky!!!!!!!

GothicSatan187
16 Apr 2004, 12:47pm
I would have suggested Mozilla or Firefox. They are another Internet Explorer but better. They have JavaScript blockers and pop-up stoppers built right in. I have had it for a couple years and never had any problems with "stuck homepages" or anything like that.

rantamplan
16 Apr 2004, 04:42pm
Hi all, I'm new but with the same problem. I have tried all what I have found in the forums and mostly without result, but for now it seems that I have luckily found the cure.... or something, I'm not sure :S

Anyway this is what I did: I put my calendar to 2055 and next time I rebooted, instead of appearing again the "search for.." page, it popped up a message that reads: jusched.exe has performed an unauthorized operation and will shut down. As far as I know jusched is a program used by Sun Java and it should be harmless, but in the same folder was a file called: jusched.exe-2A8F6C10 with date equal to the day that my problems begun. For now I have both files in the trash, and for now my start page hasn't changed.... yet...

Hope anyone finds this helpful and it aids in finding the solution.

OrangeBlood
20 Apr 2004, 04:46am
So far this has worked for me. We'll see if it stays that way.
I got these instructions from steamwiz on the computer cops site.

Follow these directions step by step in the order written.


First Please download TheKillbox from this link: http://download.broadbandmedic.com/VbStuff/KillBox.zip

Download the newest CWShredder from this page:

http://www.computercops.biz/downloads-cat-14.html

Do not run either yet.

Sign off the Internet and close all IE Windows.
-----------------------------------------
Run CWShredder.

Then copy the contents of the quote box to Notepad. Name the file fix.reg
("Save as type": All Files). Double click on fix.reg to remove certain other possible registry entries.

Quote:

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]



To uninstall the secret reinstaller do this:
Go to start>Run and type regedit. Press enter.

Open the registry and navigate here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Highlight Windows in the left pane.

Look in the right pane for this value:
AppInit_Dlls

You won't see any data there.

But if you right click on that and choose Modify Binary Data you will.

If nothing is there it should just show a few 0's.

But if they are hiding a dll they load to reinstall, it will show a path to it.


----------------------------
This is how one looks when there is only one file loading.
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...

Notice the column on the far right. You want to look there. It looks funny because of all the periods.

Look closely and you'll see the path and file name here was:
Windows\system32\mskkg.dll

This was the example. Yours will have its own file name. This is not the same file as you are seeing in your HijackThis log. Get its name the same as I just described.
--------------

Once you have the filename unzip TheKillBox and run it.

Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

c:\windows\system32\filename Where filename is what you found as the filename in the appinit_dlls key in the registry.

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The c:\Windows\system32\filename listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot. Restart the Computer.

When you get back into Windows reset your Search and Home pages.

Look in the registry and remove the entry which should now be clearly visible and no longer hidden.


This last part, removing the AppInit_Dlls entry and its corresponding file, removes the reinstaller, so you do not get reinfected. Do not go on the internet until you have performed all of the steps.
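The hex dump above is tedious to read by eye, so here is a small added script (not part of the thread or of any of the tools it mentions) that rebuilds the AppInit_DLLs value from regedit's "Modify Binary Data" text, explains why the plain string view shows nothing, and extracts the DLL name you would then look for. The sample dump is the mskkg.dll one from the post, typed in as constructed input.

```python
"""Decode the AppInit_DLLs binary dump shown by regedit's "Modify Binary Data" view."""
import re
from typing import List

# Constructed sample: the dump exactly as the post shows it (offset column,
# up to eight hex bytes, then regedit's ASCII rendering of those bytes).
SAMPLE_DUMP = r"""
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...
"""

_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
_OFFSET = re.compile(r"^[0-9A-Fa-f]{4}$")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw value from the dump text.

    Each row is: offset, at most eight hex bytes, then the ASCII column
    (ignored, not parsed). The offset must equal the number of bytes already
    collected, so a row skipped or pasted twice while copying the dump out of
    regedit raises instead of silently shifting every later character.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not _OFFSET.match(tokens[0]):
            continue  # blank line or something that is not a dump row
        if int(tokens[0], 16) != len(out):
            raise ValueError(f"row {tokens[0]} found at offset {len(out):04X}")
        hex_bytes = []
        for tok in tokens[1:9]:
            if not _HEX_BYTE.match(tok):
                break  # reached the ASCII column of a short last row
            hex_bytes.append(tok)
        out += bytes.fromhex("".join(hex_bytes))
    return bytes(out)


def is_hidden_by_leading_nul(raw: bytes) -> bool:
    """A value whose first UTF-16 code unit is NUL displays as an empty string
    in regedit's normal view, which is why the post says you won't see any
    data there until you open the binary view."""
    return raw[:2] == b"\x00\x00"


def appinit_paths(raw: bytes) -> List[str]:
    """Decode the UTF-16LE value and return every non-empty entry. NULs (the
    hiding one and the terminator) are treated as separators, as are the
    space, comma and semicolon AppInit_DLLs uses between several paths."""
    text = raw.decode("utf-16-le", errors="replace")
    return [p for p in re.split(r"[\x00 ,;]+", text) if p]


def appinit_filenames(raw: bytes) -> List[str]:
    """Just the file names, which is what the post tells you to look for."""
    return [p.replace("/", "\\").rsplit("\\", 1)[-1] for p in appinit_paths(raw)]


if __name__ == "__main__":
    raw = dump_to_bytes(SAMPLE_DUMP)
    print("hidden by leading NUL:", is_hidden_by_leading_nul(raw))
    print("entries:", appinit_paths(raw))
    print("file names:", appinit_filenames(raw))
```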

head_hunter
21 Apr 2004, 11:14pm
Hey all, well I still have the same problem coming back over and again, so I'm coming back here and trying to solve it. I tried to do what you said OrangeBlood but I don't have the following directory since I have Windows XP and not NT: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows , but I did try with another option to find the .dll file causing the problem using a .VBS file and it gave me c:\windows\system32\logighn.dll . I then did the procedure you said with killbox and did everything including running CWShredder and all, but the problem just comes back a few hours or days later. Does anyone have a fix that'll stick? Thanks for the replies thus far.

Zuntar
27 Apr 2004, 03:09pm
OOOOOHHh! I was clickin and a surfin last night and WHAM WHAM WHAM WHAM, antivirus was going nuts saying it was blocking backdoor this and Trojan that. I closed IE. Next thing I know I open up IE again and got the dreaded "about:blank" homepage!! :eek: :eek: :eek: :eek:

I quickly printed out this thread, and followed OrangeBlood's recommendations.
I had not rebooted at this point. After downloading and running CWShredder (which found something and deleted it) I went to look in my registry and couldn't find the AppInit_Dlls entry that OrangeBlood wrote about.
I changed my homepage back to normal, and it was fine. So I took a chance and rebooted, all was fine. I assume since I acted so quickly and didn't reboot that all is OK, but only time will tell. :rolleyes: :( :mad:

TheBaron
27 Apr 2004, 05:35pm
if anyone is having a similar problem do me a favor and post your hijackthis log. its just that simple

xunknownx
19 May 2004, 08:31pm
if anyone is having a similar problem do me a favor and post your hijackthis log. its just that simple

Yeah, I've been having the same prob and can't get rid of it. I got rid of something similar on my computer but I dunno what the hell to do about this on my aunt's computer.

Logfile of HijackThis v1.97.7
Scan saved at 4:11:22 PM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Roxanne Head\Desktop\HijackThis.exe
C:\Documents and Settings\Roxanne Head\Desktop\HijackThis.exe
C:\Documents and Settings\Roxanne Head\Desktop\HijackThis.exe
C:\Documents and Settings\Roxanne Head\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
O2 - BHO: (no name) - {1FEA39D6-46B3-4F66-BC38-4839CFE198EA} - C:\Program Files\Geek Superhero\GeekSuperHeroSlapdown.dll
O2 - BHO: (no name) - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\delfromlist.js
O9 - Extra button: Bug Swatter Options (HKLM)
O9 - Extra button: Popup Slapdown Options (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} (WebBar Class) - http://www.advancedsearchbar.com/searchbarsetup2.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38124.9367824074
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

barnesstephan
19 May 2004, 09:45pm
Yeah, I've been having the same prob and can't get rid of it. I got rid of something similar on my computer but I dunno what the hell to do about this on my aunt's computer.
Hey man, you don't have to do all that crap.
All you have to do is download F-Secure Anti-Virus 2004. Go into Advanced and set the protection level to high. As soon as it comes up again the program will pick it up, then you can delete it.
IT IS THAT SIMPLE

xunknownx
20 May 2004, 03:20am
Hey man, you don't have to do all that crap.
All you have to do is download F-Secure Anti-Virus 2004. Go into Advanced and set the protection level to high. As soon as it comes up again the program will pick it up, then you can delete it.
IT IS THAT SIMPLE

Well, I tried the anti-virus prog you suggested and it didn't pick it up even on high. Is it the anti virus you used or their "internet security" prog?

Zuntar
20 May 2004, 11:45am

Still getting gobs of popups when running IE, about:blank is still gone though.

amonroe45
29 May 2004, 03:45am
I am thinking about starting a class action suit against whoever is behind the website. Does anyone know how to find out who that is, and does anyone know a good internet lawyer they could recommend? This website has to be illegal. I have plenty of money, but let me know if it would just be a waste of time.

creamypie`
21 Jun 2004, 02:08am
:p
Go here http://www.computercops.biz/print-1-43426.html
Let me know if it worked for you.
creamypie

imported_Mars
2 Jul 2004, 04:48pm
You can try this (It worked for me & is not as hard as it looks) (You might want to copy and paste this)
1. Download and install Spybot - Search & Destroy.
2. Run the program.
3. GoTo Mode -> Advanced Mode, click 'Yes' at the warning.
4. Click 'Tools'.
5. Select 'BHOs'.
6. Select the bold registry entry.
7. To the right you will see a file (something.dll) ('something' can be any file name) at C:\Windows\System. This is the file that regenerates every time.
8. Select the registry entry and click 'Remove'.
9. Click 'Yes' at the confirmation.
10. Close all open windows and find C:\Windows\System\something.dll
11. Right click it select 'Properties' and see that it is 30kb (30,720 bytes) and has only 'General' properties and no 'Version' properties.
12. Delete it. (Try as long as it takes, it will eventually go)
13. Now if the main (.dll) file is the same on all computers you may find a file called 'dhcpcsvc.dll' at C:\Windows\System\ (or your equivalent 'System' folder); it is about 24KB. Right click it, select 'Properties' and again it should have only 'General' properties, no 'Version' properties, AND you will see that the 'Modified' date is earlier (somewhere in 1999) than the 'Created' date.
14. This is the file that regenerates the other dll file. (we shall call it 'anything.dll')
15. Delete it. (You can't ... mostly)
16. If you have found the culprit and reached step 15 skip ahead to step 26.
17. If you don't find the file read on.
18. First make sure 'Hide hidden files' is off.
19. To do this open Explorer -> View -> Folder Options -> View. Make sure 'Show all files' is selected. Start from step 13
20. If you still haven't found the file it means the main dll file's name is different on different computers. Don't worry.
21. Open your Internet Explorer.(You don't need to be connected).
22. Open Spybot - Search & Destroy.
22. In the tools click 'Process List'.
23. Select 'IEXPLORER.EXE'
24. See whichever dlls are being used, open 'Explorer' and check their 'Properties'.
25. Here you will find the dll mentioned in step 13 (it may or may not be named 'dhcpcsvc.dll')follow the instructions from step 13.
26. The damn file is being used by Windows isn't it.
27. If you have two operating systems you can delete one's dll files from the other operating system and then vice versa. (NOTE: The dll is stored in two or three places; 'Search' for them all and delete ALL of them).
28. If you have a single operating system 'Restart in MS-DOS Mode'.
29. When it restarts type 'cd \windows\system' (without the quotes)
30. When the directory changes type 'ren anything.dll anything.123'
31. Type 'exit' and restart windows.
32. Open Explorer and 'C:\Windows\System', delete 'anything.123'
33. Almost done, now using 'AdAware' or something like it see if it finds a registry value with something like "HomeOldSP".
34. Delete this registry entry.
35. Open your 'Search' or 'Find' program from the Start menu.
36. Search for the two dlls you painstakingly deleted.
37. Don't worry if you find them they are dormant copies and should give you no trouble in deleting them.
38. Make sure you delete all the files even from your 'Recycle Bin'.
39. If you have Microsoft 'RegClean' use it if not don't bother.
40. DONE.
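Steps 11 and 13 above have you check three file properties by hand (size, no 'Version' tab, 'Modified' earlier than 'Created'). The added script below (mine, not Mars's or the thread's) applies those same indicators to a folder so you get a short list to inspect before deleting anything. It assumes the 30,720 byte size from the post, and it approximates the 'Version' tab by looking for the VS_VERSION_INFO resource key inside the file, which a packed file may lack even when a real version resource exists.

```python
"""Apply the file indicators from the thread's steps 11 and 13 to a folder."""
import os
from dataclasses import dataclass
from datetime import datetime
from typing import List

SUSPECT_SIZE = 30_720  # from the post: "30kb (30,720 bytes)"; an assumption for other variants
# A VERSIONINFO resource begins with the wide-string key "VS_VERSION_INFO".
VERSION_KEY = "VS_VERSION_INFO".encode("utf-16-le")


@dataclass
class FileFacts:
    name: str
    size: int
    created: datetime
    modified: datetime
    has_version_info: bool


def facts(name: str, size: int, created: str, modified: str, has_version: bool) -> FileFacts:
    """Build FileFacts from ISO dates, for constructed samples and tests."""
    return FileFacts(name, size, datetime.fromisoformat(created),
                     datetime.fromisoformat(modified), has_version)


def reasons(f: FileFacts) -> List[str]:
    """Return the indicators from the post that this file matches."""
    hits = []
    if f.size == SUSPECT_SIZE:
        hits.append("size is exactly 30,720 bytes")
    if not f.has_version_info:
        hits.append("no Version properties")
    if f.modified < f.created:
        hits.append("Modified date earlier than Created date")
    return hits


def is_suspect(f: FileFacts) -> bool:
    """Flag only a file with no version resource plus one of the other two
    indicators; legitimate DLLs without version info exist, so the missing
    tab on its own is not enough to put a file on the list."""
    r = reasons(f)
    return "no Version properties" in r and len(r) >= 2


def facts_from_path(path: str) -> FileFacts:
    """Gather the same facts from a real file. On Windows st_ctime is the
    creation time (newer Pythons also expose st_birthtime); on other systems
    it is the inode change time, so the date indicator only means something
    on Windows."""
    st = os.stat(path)
    created = getattr(st, "st_birthtime", st.st_ctime)
    with open(path, "rb") as fh:
        has_version = VERSION_KEY in fh.read()
    return FileFacts(os.path.basename(path), st.st_size,
                     datetime.fromtimestamp(created),
                     datetime.fromtimestamp(st.st_mtime), has_version)


def scan_dir(directory: str) -> List[str]:
    """Names of the .dll files in one folder (the post's C:\\Windows\\System)
    that is_suspect() flags, for a human to look at before deleting."""
    flagged = []
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.lower().endswith(".dll"):
            if is_suspect(facts_from_path(entry.path)):
                flagged.append(entry.name)
    return sorted(flagged)


def demo(directory: str) -> List[str]:
    """Write two constructed DLLs into `directory` and scan it: one is 30,720
    zero bytes with no version key, the other carries a version key."""
    with open(os.path.join(directory, "anything.dll"), "wb") as fh:
        fh.write(b"\x00" * SUSPECT_SIZE)
    with open(os.path.join(directory, "legit.dll"), "wb") as fh:
        fh.write(b"MZ" + VERSION_KEY + b"\x00" * 100)
    return scan_dir(directory)
```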

Hawk
2 Jul 2004, 10:37pm
Thnx Mars, For the well thought out & typed reply. I know it took a while to make.
Hope this can help some with this problem. People have brought these kind of hijackers to the attention of the Congress and they are working on laws against it.

tommieb
8 Jul 2004, 08:29am
go to http://www.computing.net/security/wwwboard/forum/12316.html

see response number 5

There is a link for an uninstaller and it was the only thing that worked for me.