about:blank spyware. Nothing seems to work
Hi guys,
I'm running Windows XP with latest updates. My IE6's default home page has been changed to about:blank and directs me to 'Home Search'. Nothing I have tried so far has worked to get rid of this problem, it simply keeps reverting back. This is what I have tried so far:
SpyBot Search & Destroy (latest updates) - didn't fix it
Ad-Aware SE personal (latest updates) - didn't fix it
SpySweeper 3.0 (latest updates) - didn't fix it
BHODemon 2.0 - detects each new .dll, but the program producing them still exists. (each dll created has just a random name)
coolwebsearch remover - "not found on system"
McAfee VirusScan 2004 v8.0 with latest updates - nothing found.
searched for dll's created in the past day or two and deleted them from the system and also any traces from the registry - no difference.
This is really starting to annoy me now
This is my hijackthis log:
Maybe Somebody can help me out.
Logfile of HijackThis v1.97.7
Scan saved at 12:55:48 PM, on 8/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\netuy.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\yyali.txt:mdvpi
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Christophe Lebreton\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {50B880E0-130E-F77B-46BB-0062598D56CC} - C:\WINDOWS\system32\mfced.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [EPSON Stylus C41 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 "EPSON Stylus C41 Series (Copy 1)" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [netuy.exe] C:\WINDOWS\netuy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msnmsgr.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
hmmm, anybody seen that jbqzh.dll or sp.html before? looks weird to me.
Please Help somebody!!
Travstar
Responses to this topic
This will not fix the problem. But, apply this program. It is called SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
Whenever the hijacking program attempts to take over it will alert you that your home page has been changed and asks if you want to keep the old value. Again, this will not fix your problem, but it will help you to live with it until you can track down the file that is doing this.
Tick this also
O2 - BHO: (no name) - {50B880E0-130E-F77B-46BB-0062598D56CC} -C:\WINDOWS\system32\mfced.dll
Then boot into safe mode, and then delete these.
*C:\WINDOWS\yyali.txt:mdvpi
*C:\WINDOWS\netuy.exe
Then clean these DIRECTORY CONTENTS (Don't Delete The Folder itself)
*C:\Windows\Temp\
*C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <-This will delete all your cached internet content including cookies.
*C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
*C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
*C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Empty your "Recycle Bin" and restart and post a fresh log.
*Note*
Next time you post your log, move HijackThis to its own folder, don't place it in your documents or your desktop
C:\Documents and Settings\Christophe Lebreton\Desktop\HijackThis.exe<-Incorrect
put it on your root C:
Example:
C:\HJT\HijackThis.exe<-Correct. This is just to make sure we can restore the back ups it creates if needed.