About:Blank homepage hijacking
Hi,
Just reciently I have noticed that my homepage has been hijacked. Whenever I open Internet Explorer it opens this about:blank stuff and I have found that my homepage is set to that and returns when I change the address. Adaware detects the problem and removes it but it keeps coming back. I have run Adaware6 with the updates and Spybot Search and Destroy with their updates and I have posted my Hijackthis log.
Any help would be greatly appreciated. Thanks
Logfile of HijackThis v1.98.2
Scan saved at 1:03:57 PM, on 2/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
C:\WINDOWS\winyj32.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
C:\WINDOWS\sdkxv32.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CD982133-C8CB-ADFC-ECDA-3AFE92ABDA8E} - C:\WINDOWS\crwi32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [*msvcdb] C:\WINDOWS\Config\msvcdb.exe
O4 - HKLM\..\Run: [*tcpmc] C:\WINDOWS\AppPatch\tcpmc.exe
O4 - HKLM\..\Run: [*syshard] C:\WINDOWS\msagent\chars\syshard.exe
O4 - HKLM\..\Run: [*hardbak] C:\WINDOWS\msagent\hardbak.exe
O4 - HKLM\..\Run: [*acrun] C:\WINDOWS\system32\DirectX\acrun.exe
O4 - HKLM\..\Run: [*mp3xml] C:\WINDOWS\java\mp3xml.exe
O4 - HKLM\..\Run: [*svcdvd] C:\WINDOWS\ServicePackFiles\svcdvd.exe
O4 - HKLM\..\Run: [*expwin] C:\WINDOWS\Cursors\expwin.exe
O4 - HKLM\..\Run: [*odbcnut] C:\WINDOWS\system\odbcnut.exe
O4 - HKLM\..\Run: [*tcplib] C:\WINDOWS\Config\tcplib.exe
O4 - HKLM\..\Run: [*msvcad] C:\WINDOWS\Config\msvcad.exe
O4 - HKLM\..\Run: [winyj32.exe] C:\WINDOWS\winyj32.exe
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\System32\system.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {896DC91E-63B1-47A2-86E3-EE817401D8D8} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {896DC91E-63B1-47A2-86E3-EE817401D8D8} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Corel Network monitor worker - {896DC91E-63B1-47A2-86E3-EE817401D8D8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {896DC91E-63B1-47A2-86E3-EE817401D8D8} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} - http://www.20x2p.com/5639bd89/enter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/274686ded72bbd882b18/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094650698828
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Just reciently I have noticed that my homepage has been hijacked. Whenever I open Internet Explorer it opens this about:blank stuff and I have found that my homepage is set to that and returns when I change the address. Adaware detects the problem and removes it but it keeps coming back. I have run Adaware6 with the updates and Spybot Search and Destroy with their updates and I have posted my Hijackthis log.
Any help would be greatly appreciated. Thanks
Logfile of HijackThis v1.98.2
Scan saved at 1:03:57 PM, on 2/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
C:\WINDOWS\winyj32.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
C:\WINDOWS\sdkxv32.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pvcuz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CD982133-C8CB-ADFC-ECDA-3AFE92ABDA8E} - C:\WINDOWS\crwi32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [*msvcdb] C:\WINDOWS\Config\msvcdb.exe
O4 - HKLM\..\Run: [*tcpmc] C:\WINDOWS\AppPatch\tcpmc.exe
O4 - HKLM\..\Run: [*syshard] C:\WINDOWS\msagent\chars\syshard.exe
O4 - HKLM\..\Run: [*hardbak] C:\WINDOWS\msagent\hardbak.exe
O4 - HKLM\..\Run: [*acrun] C:\WINDOWS\system32\DirectX\acrun.exe
O4 - HKLM\..\Run: [*mp3xml] C:\WINDOWS\java\mp3xml.exe
O4 - HKLM\..\Run: [*svcdvd] C:\WINDOWS\ServicePackFiles\svcdvd.exe
O4 - HKLM\..\Run: [*expwin] C:\WINDOWS\Cursors\expwin.exe
O4 - HKLM\..\Run: [*odbcnut] C:\WINDOWS\system\odbcnut.exe
O4 - HKLM\..\Run: [*tcplib] C:\WINDOWS\Config\tcplib.exe
O4 - HKLM\..\Run: [*msvcad] C:\WINDOWS\Config\msvcad.exe
O4 - HKLM\..\Run: [winyj32.exe] C:\WINDOWS\winyj32.exe
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\System32\system.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {896DC91E-63B1-47A2-86E3-EE817401D8D8} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {896DC91E-63B1-47A2-86E3-EE817401D8D8} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Corel Network monitor worker - {896DC91E-63B1-47A2-86E3-EE817401D8D8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {896DC91E-63B1-47A2-86E3-EE817401D8D8} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} - http://www.20x2p.com/5639bd89/enter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/274686ded72bbd882b18/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094650698828
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
0
This discussion has been closed.
Comments
Make sure they are set to clean automatically:
http://www.bitdefender.com/scan/licence.php
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
If there are files that can not be removed by the scans please include that information in your next post. Let me know what each virus scan finds.
Reboot and post a new hijackthis log.
I ended up looking at dexter's HSA hijack fix thread and followed those instructions. Everything seems to be working good right now so I think I'm all set. Thanks a lot for the reply though. You guys do good work here... Thanks again