"About: Blank" Homepage Hijack - Jimster

Unknown

Dear All,
I am also having the same problems, I have followed most of the advice being given out on the discussion threads (AVG, Adaware, Spybot, CW shredder), follows my HijackThis log file.
I seem to be able to clear the problem temporarily but the home page returns to about:blank after a while.
I do not no which of the following to fix, however "R0- HKLM........about:blank" I have tried to fix several times but it keeps re appearing, please help.





Logfile of HijackThis v1.97.7
Scan saved at 23:21:00, on 27/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\alg.exe
F:\PROGRA~1\Grisoft\AVG6\avgserv.exe
F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
F:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\apache\mysql\bin\mysqld-nt.exe
F:\WINDOWS\System32\nvsvc32.exe
c:\apache\APACHE.EXE
c:\apache\APACHE.EXE
F:\WINDOWS\system32\fxssvc.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
F:\PROGRA~1\TWINTO~1\mHotkey.exe
F:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
F:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\Messenger\MSMSGS.EXE
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
F:\WINDOWS\System32\rundll32.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\jim work\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {04079851-5845-4dea-848C-3ECD647AA554} - F:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8DC39E98-FFED-4AE6-B53F-F319C0354AC2} - F:\WINDOWS\system32\sdxli.dll
O2 - BHO: (no name) - {B6B7A7C1-CCCA-4663-8A1C-CDAB247F9F43} - F:\WINDOWS\System32\gffdfca.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mouseElf] F:\PROGRA~1\TWINTO~1\mouseElf.exe
O4 - HKLM\..\Run: [mHotKey] F:\PROGRA~1\TWINTO~1\mHotkey.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG_CC] F:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: Web Savings - file://F:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://download.yahoo.com/dl/bty/yinst.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06c51d248dbdf661d805/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003031901/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37953.480462963
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash5/cabs/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C8CE445-796E-424C-BBE7-3C83E8DB4C6A}: NameServer = 194.74.65.86 194.72.9.44


Thanks
Jimster

Dexter

Did you try the technique linked in my reply in this thread:

http://www.short-media.com/forum/showthread.php?p=130163#post130163 ?

Please try that advice first, then let us know what happens.

Dexter...

Jimster

Thanks, I have now seen that thread and I believe I have solved the problem, I traced the relevent .dll file (in my case "gffdfca.dll") and used hijackthis to kill all the relevant bits and bobs, also used the regedit to check the Appinit_dlls I found only 0's so hopefully I am cured.

Thanks for the help this is the first time I have had this type of problem how prevalent is it and what is the best advice to prevent reinfection

Regards
jimster

Kwitko

The best advice to prevent reinfection is to scan regularly with Ad-Aware and/or Spybot S&D, use SpywareBlaster to immunize your machine, use a hosts file, and above all, use common sense in watching what sites you visit and what programs you download.