Browser Hijack, about:blank Search, sp.html, and friends
A little history on my problem of the last few days. Basically my IE homepage has been changed to a search page. Even though it's still shown as my regular start page of about:blank, it still shows the search page. I get bombarded with ad popups if I'm not using a blocker.
I've tried the following (all updated versions of each):
1) Ran AVG numerous times, been clean all but twice: BackDoor.Agent.BA and Downloader.Swizzor.AH. Noticed Swizzor was coming from C:\ProgramFiles\C2Media. Manually deleted that directory.
2) Ran Adaware, Spybot, NoAdware: All found nothing
3) Cleared with Tracks Eraser Pro, which had cleared off lop.com awhile ago. Nothing.
4) Re-ran Spyware Blaster. Nothing.
5) Noticed Class3SoftwarePublishers keeps re-adding itself into TempIntFiles.
6) Tried System Restore from an earlier safe point, all 3 safe points failed to restore.
7) Checked Startup via MSconfig, running processes, Add/Remove Programs, and saw nothing unusual.
8) Ran CWS Shredder. Nothing.
9) Stopped using IE, which I should have done awhile ago.
Anyways, here is my log:
Logfile of HijackThis v1.97.7
Scan saved at 10:07:34 PM, on 7/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\RUNSERVICE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9C4B1A91-BE9B-48E5-8E33-EC6205F0A2B1} - C:\WINDOWS\SYSTEM\PHKNA.DLL
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c...ymmapi.dll
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...5301388889
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Shared.../cabsa.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Thanks for any help.
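The telling lines in the log above are the R0/R1 entries that point IE's search and start pages at file://C:\WINDOWS\TEMP\sp.html and the unnamed O2 BHO loading PHKNA.DLL from the Windows system directory. As an added example (not code from the thread or from HijackThis), the script below triages a HijackThis log for exactly those two indicators; its sample input is constructed from the posted log, and the res:// prefix it also treats as "local" is a general addition, not something the thread shows.

```python
"""Triage a HijackThis log for the about:blank / sp.html hijack pattern.

Added example, not code from the thread: it flags R0/R1 entries whose
search/start page points at a local file instead of a web address, and O2
BHO entries that have no name and load a DLL from the Windows system
directory.  The sample lines below are constructed from the log posted in
the thread (plus one benign O4 line) so the script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the thread's HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9C4B1A91-BE9B-48E5-8E33-EC6205F0A2B1} - C:\WINDOWS\SYSTEM\PHKNA.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
"""

# R0/R1 lines: "<Rn> - <hive\key>,<value name> = <url>"
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^=]+?) = (?P<value>.*)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

# Prefixes that mean "serve the search page from the local disk".
# file:// is what the thread's log shows; res:// (a resource inside a DLL)
# is a general addition based on the same idea, not taken from the thread.
LOCAL_PREFIXES = ("file://", "res://")


@dataclass
class Finding:
    line: str
    reason: str


def is_local_target(value: str) -> bool:
    """True when an IE search/start page value points at the local disk."""
    v = value.strip().lower()
    return v.startswith(LOCAL_PREFIXES) or re.match(r"^[a-z]:\\", v) is not None


def triage(log_text: str) -> list:
    """Return one Finding per log line that matches a hijack indicator."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            if is_local_target(m.group("value")):
                findings.append(Finding(line, "IE search/start page redirected to a local file"))
            continue
        m = O2_LINE.match(line)
        if m:
            unnamed = m.group("name").strip() == "(no name)"
            in_system_dir = "\\windows\\system" in m.group("path").lower()
            # An unnamed BHO in Program Files (Acrobat) is left alone; one in
            # the system directory with a random-looking name is flagged.
            if unnamed and in_system_dir:
                findings.append(Finding(line, "unnamed BHO loaded from the Windows system directory"))
    return findings


def hijack_targets(findings: list) -> set:
    """Distinct local files the R0/R1 entries point at (to examine, not to open in IE)."""
    targets = set()
    for f in findings:
        m = R_LINE.match(f.line)
        if m:
            targets.add(m.group("value").strip())
    return targets


def bho_dlls(findings: list) -> set:
    """DLL paths behind the flagged O2 entries."""
    return {O2_LINE.match(f.line).group("path").strip()
            for f in findings if f.line.startswith("O2 ")}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}: {f.line}")
    print("search page targets:", hijack_targets(found))
    print("BHO DLLs to check:", bho_dlls(found))
```

On the posted log this reports the two file:// search-page entries and the PHKNA.DLL helper while leaving the Comcast default page, the about:blank HomeOldSP value and the named Norton helper alone; the DLL path is what a cleanup would look at (after a reboot into safe mode, as a later reply says) rather than the search page file itself.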
Responses to this topic
iq454, you are an utter GENIUS!!
I used the "Search for files of 96, 91, 64 and 32Kb" method, then deleted SE, SW and HSA from the Registry and now my internet connection is restored and zooms along just fine!
There aren't enough words to express my thanks to you, so I'll have to come round to your house and prostrate myself at your feet!
MANY, MANY THANKS!
THANK YOU VERY MUCH!
Chris
Excel: ever fickle and changeable
I just spent a miserable three months hammering weekly at the Lavasoft "help" site trying to get rid of the About:Blank hijack. I'm on a Win2K box running SP4, IE6 SP1.
Everything they suggested (repeatedly, whether it worked at all or not) did nothing. Or at least nothing permanent.
This is what I did to get rid of it, and it seems to work like a champ:
****************
Run AdAware current version and delete all the crap it finds.
Run About:Buster's latest version.
After running the A:B, I rebooted. The boot into Win2K was interrupted by a messagebox asking me if I wanted to run a .dat. I said no ("cancel") - the machine finished booting and the IE home page was still "About:Blank", but actually blank.
I went to my system32 directory (C:\WINNT\system32), and sorted by file type. I found about 20 .dat files with seemingly random file names, all 6 chars long. I then sorted by file size, and deleted (actually, I just moved them to a new directory first, then deleted after another successful reboot) every .dat that was 91k in size.
Everything is back to normal now, after resetting my home page to the one I wanted.
Seems a lot simpler than running HJT! and AB a zillion times, don't it?
Hope this helps, gang...
c.
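Both Chris's "search for files of 96, 91, 64 and 32Kb" step and the system32 .dat hunt above rely on the same indicator: a .dat file with a six-character random-looking name and a size shown as 91 KB (or one of the other sizes Chris lists). As an added example (not either poster's procedure), the script below does that search and, like the second poster, moves the matches to a quarantine folder instead of deleting them, recording a SHA-256 manifest so the move can be reviewed or reversed after a clean reboot. It runs against a throwaway directory of constructed files rather than a real C:\WINNT\system32.

```python
r"""Quarantine the suspect .dat files described in the thread instead of deleting them.

Added example, not the posters' own procedure: it looks for .dat files with a
six-letter name whose size, rounded up to whole KB the way Explorer shows it,
is one of the sizes the thread reports (96, 91, 64, 32 KB), moves each one to
a quarantine folder and records name, size and SHA-256 in a manifest.  A
throwaway directory with constructed files stands in for C:\WINNT\system32.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

KB = 1024
SUSPECT_KB = {96, 91, 64, 32}   # sizes reported in the thread
NAME_LEN = 6                    # "seemingly random file names, all 6 chars long"


def size_kb(path: Path) -> int:
    """File size rounded up to whole KB, matching what Explorer displays."""
    return -(-path.stat().st_size // KB)


def is_suspect(path: Path) -> bool:
    """Six-letter stem, .dat extension, and one of the reported sizes."""
    stem = path.stem
    return (path.suffix.lower() == ".dat"
            and len(stem) == NAME_LEN and stem.isalpha()
            and size_kb(path) in SUSPECT_KB)


def quarantine(system_dir: Path, quarantine_dir: Path) -> list:
    """Move matching files out of system_dir; return the manifest entries."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for p in sorted(system_dir.iterdir()):
        if not p.is_file() or not is_suspect(p):
            continue
        digest = hashlib.sha256(p.read_bytes()).hexdigest()  # hash before moving
        dest = quarantine_dir / p.name
        shutil.move(str(p), str(dest))
        manifest.append({"name": p.name, "size": dest.stat().st_size, "sha256": digest})
    lines = [f"{e['name']}\t{e['size']}\t{e['sha256']}" for e in manifest]
    (quarantine_dir / "manifest.txt").write_text("\n".join(lines) + "\n")
    return manifest


def build_demo_dir() -> tuple:
    """Constructed stand-in for system32: two suspect files, three that must survive."""
    root = Path(tempfile.mkdtemp(prefix="aboutblank_demo_"))
    sysdir = root / "system32"
    sysdir.mkdir()
    (sysdir / "kjqwpl.dat").write_bytes(b"\x00" * (91 * KB))        # suspect
    (sysdir / "zxamtr.dat").write_bytes(b"\x00" * (96 * KB - 10))   # suspect: shows as 96 KB
    (sysdir / "abcxyz.dat").write_bytes(b"\x00" * (10 * KB))        # wrong size
    (sysdir / "settings.dat").write_bytes(b"\x00" * (91 * KB))      # name too long
    (sysdir / "tuvwxy.dll").write_bytes(b"\x00" * (91 * KB))        # not .dat
    return sysdir, root / "quarantine"


def run_demo() -> tuple:
    """Build the demo directory, quarantine, and report what moved and what stayed."""
    sysdir, qdir = build_demo_dir()
    manifest = quarantine(sysdir, qdir)
    remaining = sorted(p.name for p in sysdir.iterdir())
    return manifest, remaining


if __name__ == "__main__":
    manifest, remaining = run_demo()
    for e in manifest:
        print(f"quarantined {e['name']} ({e['size']} bytes) sha256={e['sha256']}")
    print("left in place:", remaining)
```

Hashing before the move gives a record that can be matched against a vendor's detection later, and moving rather than deleting keeps the option of putting a file back if something legitimate happened to match the size heuristic.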
I got that nasty spyware/virus a while back and it took me FOREVER to get rid of it! Extremely obnoxious!!! Here is a site w/ instructions I found on how to get rid of it. Sounds like the same thing I had so hopefully this will work for you also.
http://www.akadia.com/services/about_blank_virus.html
I found that page about two months ago. It refers to registry keys that do not exist and a registry editing tool which does not perform as described in the text.
It's useless.
Ok, while this program SUCKS, I came up with a non techie solution. I had run Adaware....of course to no avail, and Norton....no help there either.....
Then.... I saw the *.dll file that was screwy, which Adaware found but could not delete. I went into my computer for a manual delete, but it wouldn't let me delete it. It did however let me rename it. So I renamed the .dll file and now it can't be found to be accessed. Browser is no longer being hijacked!!!!
Your browser isn't being hijacked, but you can bet you still have the stuff on your system sending out info ...
If a file won't delete, all you have to do is go to safe mode to delete it...
And also make sure if you have xp to turn off system restore, clean everything, make sure it's clean, then turn system restore back on and create new restore point. Then guard yourself like Alec§taar said, and even try those new browsers, they're safer. You might only need IE for special cases.
iq
Hi, today I had the same problem. CWS Shredder came out with a new version, 2.1; I ran it and the fix took out about:blank. Hope this helps.
http://www.majorgeeks.com/download3019.html
Dude, I fought with that bewitched sp.html & sp.htm about:blank hijacking problem for months. HijackThis and Adaware would get rid of it only temporarily.
I ran this tool and it is completely gone. It has been well over a week and no problems.
http://securityresponse.symantec.com/avcenter/FxAgentB.exe
They have some instructions for running it here.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.removal.tool.html
Hope you have success. I know this also worked for one other guy. Yet another guy ran it and it did not work for him.
I would delete all your temp files and run spyware tools first.
Leave a post here if it works.
OMG somebody please help me. I'm so frustrated and I am about to start crying. I have the about:blank spyware and it's just messing up Internet Explorer. I've looked and tried to follow the instructions, but they are too difficult or I can't find it. I've done the security response, Spybot Search and Destroy, and I've tried to manually delete it, but I just can't do it. ;(