IE Homepage resetting - about:blank

Hey everyone!

I've recently encountered a problem where my homepage for IE has been resetting itself back to about:blank. I've used numerous programs such as Adaware and CWShredder (both are up-to-date versions), but thus far they have had no effect.

This is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:20:00 AM, on 15/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\lkikqg.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\PC-CIL~1\pccguide.exe
C:\PROGRA~1\TRENDM~1\PC-CIL~1\PCCCLI~1.EXE
C:\PROGRA~1\TRENDM~1\PC-CIL~1\Pop3trap.exe
C:\WINDOWS\lkikqg.exe
C:\PROGRA~1\MESSEN~2\MsgPlus.exe
C:\PROGRA~1\ANALOG~1\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\Telstra\CABLEL~1\bpcable.exe
C:\PROGRA~1\MIFB84~1\point32.exe
C:\PROGRA~1\MICROS~2\type32.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Telstra\Toolbar\bpumTray.exe
C:\PROGRA~1\steam\steam.exe
C:\DOCUME~1\SUNNYP~1\Desktop\FREERA~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\SUNNYP~1\MYDOCU~1\Sunny\Stuff\Software\HIJACK~1\HIJACK~1.EXE
C:\WINDOWS\System32\Iajlli32.exe

O1 - Hosts: 62.93.200.61 servserv.westwood.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [FreeRAM XP] "C:\DOCUME~1\SUNNYP~1\Desktop\FREERA~1.EXE" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: BIGPOND.lnk = C:\Documents and Settings\Sunny Pan\Desktop\BIGPOND.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

It would be much appreciated if anyone could help with my problem. :bigggrin:

Comments

  • mmonnin Centreville, VA
    edited April 2004
    Did you install a Big Pond toolbar? If not, get rid of all those that pertain to bpumToolBand and Big Pond.

    Iajlli32.exe didn't even come up in Google? What is that?
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited April 2004
    Let's go at this sideways, and humor me as security updates to IE can cause this with no adware involved-- just as one of my customers had 300 email messages she THOUGHT she had deleted reappear in her deleted items list after a security update that happily redefaulted her default view when she had hidden the trash contents instead of deleting the trash.... Removing things that have hijacked IE can cause it to revert also, to something that happened BEFORE the hijacker software was killed. There is almost nothing in malware that can set a blank page home page, the malware authors want you to be redirected to THEIR sites and not to a nice blank page, as IE uses about:blank for NO home page defaulted.

    Get into IE, find the menu entry for Internet Options. In one of the tabs there is an entry box for home page. Stick the home page name you want there. Then do this:

    Close the dialog by using OK until the whole IE Internet Options dialog vanishes and you are looking at the IE window. Close IE, and then reopen. If your home page now works, close IE and then RESTART Windows. THEN see if it is still there as correct home page. Every once in a while, security packs will resurrect things you thought you had left behind, or in killing something that you did not know you HAD killed the settings in the IE Internet Options part of registry get reasserted.

    Everyone else is welcome to look at log, and there are some things that you could remove and that would free resources, but I see little that is potentially hijackware in the log at hand.

    No, not AT ALL belittling anyone, just find that after every upgrade to IE, and after all the service packs, there are some interesting little things that can happen, and this is one of them-- reverting home page, that is.

    BTW, also when you have time, clear out your temporary internet files. Clearing IE's cache will also accomplish this, or running the disk cleanup wizard in Start|Accessories|System Tools will leave your cookies and get rid of the temp files that IE happily squirrels away.

    Overloading the cache space has caused this in some versions of IE also, it only grabs a certain amount of RAM to work in, and tracks cache contents-- if there is too much in cache or cookies and cache combined, settings changes can not get saved. IF Windows is hyper-busy with underlying tasks, and box is not rebooted, then the change can never get properly committed to registry. AND if there is a trojan in the cache, it can reassert itself when IE is opened again, but I know of only two very old things that deliberately set the home page to no home page.

    They should show up in any virus scan. Adaware 6.0 knows them well, also. So, what else you said tells me this is probably something we first try to fix differently than with HijackThis, but good to know you scanned the box, that eliminated some things for me and made diag easier-- THANKS.

    John D.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited April 2004
    mmonnin wrote:
    Iajlli32.exe didn't even come up in Google? What is that?

    Indian language Packard Bell\Tamarack scanner driver installer component. As in COUNTRY of India, IAJ language support type. HMMM.... lli is for a scanner library, iaj is a language support designation, 32 is used for 32 bit executables. OLDER scanner, BTW, circa 5-6 years old or more.

    No, no English results do show up, right Mark.

    John D.
  • ginipig OH, NOES
    edited April 2004
    Did you unintentionally lock home page settings using one of your adware-removing tools?
  • edited April 2004
    I cleared out my temporary internet files and then did as you asked (set homepage to www.google.com). Upon closing and reopening IE the homepage is www.google.com. However after a reboot, the homepage reverts back to about:blank.

    Also, I have no idea what "C:\WINDOWS\System32\Iajlli32.exe" and "C:\WINDOWS\lkikqg.exe" are as I do not live in India, nor do I have a scanner connected to this computer (the other computer has a Canon scanner connected; both computers are linked via a router). One thing to note may also be that when I'm trying to shut down or reboot, Windows seems to have trouble ending Iajlli32.exe and lkikqg.exe. Both are reported to be "not responding". Both these appear in task manager as processes and when ended, do not appear to have any effect. These appeared yesterday while surfing the internet. Is there any way to remove them?

    Is it possible that these processes are linked to the homepage problem?
  • edited April 2004
    I've been using Adaware for quite some time now and have had no problems with it yet. But it may be a possibility that I have locked the homepage settings. If so, how do I unlock it?

    By the way, Big Pond is my ISP and I installed the toolbar so I wouldn't think that it's causing this problem.
  • Dexter Vancouver, BC Canada
    edited April 2004
    I would get rid of that guy:

    C:\WINDOWS\lkikqg.exe

    But I suspect your problem is here:

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    I think that Ageek was on to something, perhaps your AdAware quarantined an entry instead of deleting it, and you have an empty Toolbar, which may be preventing you from changing the home page.

    This entry:

    O1 - Hosts: 62.93.200.61 servserv.westwood.com

    Leads to a game server for the games Command & Conquer: Tiberian Sun, FireStorm, Red Alert 2, Yuri's Revenge and Emperor: Battle for Dune. If you are not playing those games, delete that item.

    Boot up on safe mode, fix those items, and let us know what happens.

    Dexter...
  • edited May 2004
    Go to this link:
    http://www.spywareinfo.com/~merijn/cwschronicles.html and download CWShredder free of charge. It is updated frequently and specifically targets Cool Web Search, of which about:blank is a variant. It worked for me, following no luck from Adaware or Spybot S&D.
  • edited May 2004
    Hello,

    I found the answer to fix the about_:blank virus. I got the virus on my computer about a week ago and tried everything. I finally found the solution: you need to run CWShredder in safe mode. Safe Mode being the key. I ran it in regular mode first and it didn't fix the problem, then I ran it in SAFE MODE and I haven't had a problem since. Give it a try and see what happens. Don't forget, run CWShredder in SAFE MODE.

    Link for CWShredder:

    http://www.spywareinfo.com/download.../CWShredder.exe

    Access Safe Mode by hitting F8 while computer is starting.
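
The kind of log triage the replies above do by eye (the hosts override, the toolbar pointing at "(no file)", the two unexplained executables) can be sketched as a script. This is an added example, not part of any post in the thread; the function names and the `OS_IMAGES` allowlist are assumptions and would need tuning for a real machine.

```python
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\lkikqg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\steam\steam.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Iajlli32.exe

O1 - Hosts: 62.93.200.61 servserv.westwood.com
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumption: a minimal allowlist of OS images that start without an O4 entry.
OS_IMAGES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
             "svchost.exe", "spoolsv.exe", "explorer.exe"}
ENTRY = re.compile(r"^([ORNF]\d+) - (.*)$")
WINDIR = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+\.exe$", re.I)

def parse(log):
    """Split a HijackThis log into running processes and entries by code."""
    procs, entries, in_procs = [], defaultdict(list), False
    for line in (l.strip() for l in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def triage(log):
    """Return (reason, line) pairs worth a manual look; not a verdict."""
    procs, entries = parse(log)
    findings = [("hosts override", e) for e in entries["O1"]]
    findings += [("dangling entry", e) for es in entries.values()
                 for e in es if e.endswith("(no file)")]
    autostart = " ".join(entries["O4"]).lower()
    for p in dict.fromkeys(procs):           # de-duplicate, keep order
        name = p.rsplit("\\", 1)[-1].lower()
        if WINDIR.match(p) and name not in OS_IMAGES and name not in autostart:
            findings.append(("no autostart entry explains", p))
    return findings
```

Calling `triage(SAMPLE_LOG)` yields leads for manual review only; an executable in the Windows directory with no matching O4 entry may be a service or driver helper rather than malware.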