about:blank hijack

  1. #1
    dmijoe is offline Newbie

    Hello

    I see you are probably busy (and tired of seeing these types of problems), but I hope you can find some time to look at my issue. I have the default start page for my IE 6 browser set to about:blank. But now when I open it up there is some sort of search page and then spyware ads pop up (this even happens when I go to the MSN.com page and try to search on some of my investments). I've run Adaware and Spybot SD (1.2) several times and the search page still shows up instead of a blank page. I've downloaded Hijackthis and run the program, as I saw your request in other threads asking for the log. I would appreciate any help in discovering a way to remove this. I'm running Windows XP Pro with all the latest patches and updates (up to SP2, which I'm waiting on downloading for a few weeks, especially until I try to fix this problem).

    Thank You in advance
    Joe

    Logfile of HijackThis v1.98.2
    Scan saved at 900 AM, on 9/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\qttask.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Quickenw\Qwdlls.exe
    C:\WINNT\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\download\hijackthis\HijackThis.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir...0&plcid=0x0409
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FD6AC72D-3587-4091-8DA4-B3B86559005F} - C:\WINNT\System32\ceif.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:C:\obulksp.chm::/on-line.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD9B7B7-1AA6-427F-B545-066B7952A329}: Domain = msiunix.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD9B7B7-1AA6-427F-B545-066B7952A329}: NameServer = 65.112.119.70,65.112.119.71
    O17 - HKLM\System\CS1\Services\Tcpip\..\{4CD9B7B7-1AA6-427F-B545-066B7952A329}: Domain = msiunix.net
    O17 - HKLM\System\CS1\Services\Tcpip\..\{4CD9B7B7-1AA6-427F-B545-066B7952A329}: NameServer = 65.112.119.70,65.112.119.71
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4CD9B7B7-1AA6-427F-B545-066B7952A329}: Domain = msiunix.net
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4CD9B7B7-1AA6-427F-B545-066B7952A329}: NameServer = 65.112.119.70,65.112.119.71
    O18 - Filter: text/html - {2ACAEA59-D3C8-4621-87B7-2168A765445D} - C:\WINNT\System32\ceif.dll
    O18 - Filter: text/plain - {2ACAEA59-D3C8-4621-87B7-2168A765445D} - C:\WINNT\System32\ceif.dll


  2. #2
    owen is offline D-A-L Team Member (UK)
    You may want to update to Spybot 1.3 after we have solved your problem, available from www.spybot.info.

    Could you download and install APM from here http://www.diamondcs.com.au/index.php?page=apm

    Download Ad-aware SE from: http://www.lavasoft.de/support/download/

    Install the program to ensure you have the latest version but we won't use it yet.

    Then close all windows, restart Hijack This and put a checkmark next to the following entries and then Click Fix Checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {FD6AC72D-3587-4091-8DA4-B3B86559005F} - C:\WINNT\System32\ceif.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:C:\obulksp.chm::/on-line.exe
    O18 - Filter: text/html - {2ACAEA59-D3C8-4621-87B7-2168A765445D} - C:\WINNT\System32\ceif.dll
    O18 - Filter: text/plain - {2ACAEA59-D3C8-4621-87B7-2168A765445D} - C:\WINNT\System32\ceif.dll

    Now start APM

    In the top window select explorer.exe
    In the bottom window, find ceif.dll
    Right click this DLL and choose Unload.
    Click OK.

    Now Start Ad-aware...

    First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

    Next, we need to configure Ad-aware for a full scan.

    Click on the Gear icon (second from the left) to access the preferences/settings window

    1. In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    2. Click on the Scanning button on the left and select:
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
    • All of your hard drives
    Click on the Advanced button on the left and select:
    • Include additional process information
    • Include additional file information
    • Include environment information
    Click the Tweak button and select:
    • Under the Scanning Engine:
      • Unload recognized processes & modules during scan
      • Include additional Ad-aware settings in logfile
    • Under the Cleaning Engine:
      • Let Windows remove files in use at next reboot
    Click on Proceed to save the settings.

    Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
    • Use Custom Scanning Options
    Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

    Save the log file when it asks and then click Finish

    When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

    Reboot your computer and post a fresh Hijack This log
    Last edited by owen; 02-09-2004 at 08:44 PM.
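
The entries selected for fixing in the reply above share a few patterns that can be checked mechanically. The following is an added example, not part of the thread and not HijackThis's own logic: the heuristics and the names `parse`, `last_field` and `triage` are assumptions made for illustration, and the sample lines are copied from the log in post #1.

```python
import re

# Entry lines copied from the HijackThis log in post #1 (subset, embedded for offline use).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\Profiles\george\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FD6AC72D-3587-4091-8DA4-B3B86559005F} - C:\WINNT\System32\ceif.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:C:\obulksp.chm::/on-line.exe
O18 - Filter: text/html - {2ACAEA59-D3C8-4621-87B7-2168A765445D} - C:\WINNT\System32\ceif.dll
"""

ENTRY = re.compile(r"^\s*([A-Z]\d+) - (.*)$")

def parse(log):
    """Return [(section, body)] per entry line; header and process lines are skipped."""
    return [(m.group(1), m.group(2).strip())
            for m in map(ENTRY.match, log.splitlines()) if m]

def last_field(body):
    """Lower-cased text after the final ' - ' (the file or source an O-entry points to)."""
    return body.rsplit(" - ", 1)[-1].lower()

def triage(log):
    """Map each suspicious entry to its reasons. Heuristics are assumptions of this example."""
    entries = parse(log)
    filters = {last_field(b) for s, b in entries if s == "O18"}
    unnamed = {last_field(b) for s, b in entries if s == "O2" and "(no name)" in b}
    findings = {}
    for section, body in entries:
        reasons = []
        value = body.split(" = ", 1)[-1].lower()
        if section in ("R0", "R1") and value.startswith("file://") and "\\temp\\" in value:
            reasons.append("IE search/start setting points at a local file in a Temp folder")
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO has no registered name")
        if section == "O2" and last_field(body) in filters:
            reasons.append("BHO DLL is also registered as an O18 filter")
        if section == "O18" and last_field(body) in unnamed:
            reasons.append("filter DLL is also loaded as an unnamed BHO")
        if section == "O16" and last_field(body).startswith("ms-its:"):
            reasons.append("download source is an ms-its: path into a local .chm")
        if reasons:
            findings[f"{section} - {body}"] = reasons
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(reasons))
```

A flagged line is a prompt for review by someone who knows the machine, not a verdict; the Adobe BHO and the microsoft.com search URL in the sample pass through unflagged.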
