"About: Blank" Homepage Hijack - Jimster

Dear All,
I am also having the same problems, I have followed most of the advice being given out on the discussion threads (AVG, Adaware, Spybot, CW shredder), follows my HijackThis log file.
I seem to be able to clear the problem temporarily but the home page returns to about:blank after a while.
I do not no which of the following to fix, however "R0- HKLM........about:blank" I have tried to fix several times but it keeps re appearing, please help.





Logfile of HijackThis v1.97.7
Scan saved at 23:21:00, on 27/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\alg.exe
F:\PROGRA~1\Grisoft\AVG6\avgserv.exe
F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
F:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\apache\mysql\bin\mysqld-nt.exe
F:\WINDOWS\System32\nvsvc32.exe
c:\apache\APACHE.EXE
c:\apache\APACHE.EXE
F:\WINDOWS\system32\fxssvc.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
F:\PROGRA~1\TWINTO~1\mHotkey.exe
F:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
F:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\Messenger\MSMSGS.EXE
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
F:\WINDOWS\System32\rundll32.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\jim work\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\System32\gffdfca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {04079851-5845-4dea-848C-3ECD647AA554} - F:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8DC39E98-FFED-4AE6-B53F-F319C0354AC2} - F:\WINDOWS\system32\sdxli.dll
O2 - BHO: (no name) - {B6B7A7C1-CCCA-4663-8A1C-CDAB247F9F43} - F:\WINDOWS\System32\gffdfca.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mouseElf] F:\PROGRA~1\TWINTO~1\mouseElf.exe
O4 - HKLM\..\Run: [mHotKey] F:\PROGRA~1\TWINTO~1\mHotkey.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG_CC] F:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: Web Savings - file://F:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://download.yahoo.com/dl/bty/yinst.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06c51d248dbdf661d805/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003031901/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37953.480462963
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash5/cabs/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C8CE445-796E-424C-BBE7-3C83E8DB4C6A}: NameServer = 194.74.65.86 194.72.9.44


Thanks
Jimster

Comments

  • DexterDexter Vancouver, BC Canada
    edited April 2004
    Did you try the technique linked in my reply in this thread:

    http://www.short-media.com/forum/showthread.php?p=130163#post130163 ?

    Please try that advice first, then let us know what happens.

    Dexter...
  • edited April 2004
    Thanks, I have now seen that thread and I believe I have solved the problem, I traced the relevent .dll file (in my case "gffdfca.dll") and used hijackthis to kill all the relevant bits and bobs, also used the regedit to check the Appinit_dlls I found only 0's so hopefully I am cured.

    Thanks for the help this is the first time I have had this type of problem how prevalent is it and what is the best advice to prevent reinfection

    Regards
    jimster
  • KwitkoKwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited April 2004
    The best advice to prevent reinfection is to scan regularly with Ad-Aware and/or Spybot S&D, use SpywareBlaster to immunize your machine, use a hosts file, and above all, use common sense in watching what sites you visit and what programs you download.
This discussion has been closed.