About:Blank and **** Re-direct

Discussion in 'Malware and Virus Removal Archive' started by lpdrummer, 2004/09/07.

Thread Status:
Not open for further replies.
  1. 2004/09/07
    lpdrummer

    lpdrummer Inactive Thread Starter

    Joined:
    2004/07/26
    Messages:
    285
    Likes Received:
    0
    When I am on the internet (Earthlink, IE6) my main page is constantly reset to About:Blank with ads. Also, I randomly get redirected to **** sites. I have run SpyBot, AdAware, and CWShredder, but none of them work. I don't know if it will help, but here's my log from HijackThis-

    Logfile of HijackThis v1.98.2
    Scan saved at 3:45:37 PM, on 9/7/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\WINDOWS\System32\vgltjeme.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\WINDOWS\System32\cmpi.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search123.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: MyObj Class - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\msopt.dll
    O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll (file missing)
    O2 - BHO: (no name) - {B7081811-1776-40C4-9AEE-62E96034064F} - C:\WINDOWS\qsysmsg.dll
    O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [jfscqm] C:\WINDOWS\System32\vgltjeme.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll ",Load
    O4 - HKLM\..\Run: [cmpi] C:\WINDOWS\System32\cmpi.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094583998764
     
  2. 2004/09/08
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello
    You're running HijackThis from a temp and it still hasn't been unzipped; neither is a good idea.
    Create a new folder, for instance C:\AntiSpyware
    Download the exe from here to that new folder. There is a new Version 1.98.2
    http://radiosplace.com/
    This is necessary to ensure you have backups should anything go wrong

    Start Hijackthis and place a check next to these items,
    Don't fix the homepage (R0's and R1's)
    Close all browser windows and shut down all other programs that show in the taskbar. (even Folders) Then Hit fix checked.
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: MyObj Class - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\msopt.dll
    O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll (file missing)
    O2 - BHO: (no name) - {B7081811-1776-40C4-9AEE-62E96034064F} - C:\WINDOWS\qsysmsg.dll
    O4 - HKLM\..\Run: [jfscqm] C:\WINDOWS\System32\vgltjeme.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll ",Load
    O4 - HKLM\..\Run: [cmpi] C:\WINDOWS\System32\cmpi.exe
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031
    ==================

    Restart the PC

    Put in place a hosts file such as this
    http://www.mvps.org/winhelp2002/hosts.htm

    Are you familiar with regedit?
    Why do we not see an Antivirus program?
     

  4. 2004/09/09
    lpdrummer

    lpdrummer Inactive Thread Starter

    Joined:
    2004/07/26
    Messages:
    285
    Likes Received:
    0
    Yes I am familiar with regedit.

    I'm not sure why no anti spyware programs show up.....I have installed Spybot, AdAware, CWShredder, and RegSeeker

    I think I did it right...... This is what was on HijackThis after I changed things around


    Logfile of HijackThis v1.98.2
    Scan saved at 4:09:31 PM, on 9/9/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\eep in touch with HPk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Anti-Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {5DD7B6B2-910D-4653-9B10-B7CD167112B0} - C:\WINDOWS\System32\pcmhb.dll
    O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [eep in touch with HPk] C:\WINDOWS\System32\eep in touch with HPk.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094583998764
     
  5. 2004/09/10
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    I meant Anti virus software, where is it?

    But since you mention antispyware, I have to ask what version they are.
    SpyBot 1.3 updated? Ad-Aware SE 1.4? CWShredder 1.59.1?

    I suggested NOT fixing those R0's and R1's yet !!

    Since you had msopt, look at these locations and tell us which are there and not
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A8DADD4-5A25-4D41-8599-CB7458766220}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\icoo]
    [HKEY_CLASSES_ROOT\CLSID\{4A8DADD4-5A25-4D41-8599-CB7458766220}]
    [HKEY_CLASSES_ROOT\Image.Image]
    [HKEY_CLASSES_ROOT\Image.Image.1]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Image.Image]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Image.Image.1]
    =======================================
    also Take a peek at this location
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Double click on AppInit_DLLs in the right panel to open a "Data Editor" properties window,
    if "Value" contains a .dll file
    Take note of where it is. ??

    Post the name and location of it back here in your next reply
    this needs to be checked by experts do not do anything with it yet!!


    =======================================
    Make a new Folder for example C:\Dllconpare
    http://download.broadbandmedic.com/DllCompare.exe
    Download DllCompare.exe to that folder


    Start Program and Click the Run Locate.com and wait a few seconds til the scan says complete.
    (default settings usually are sufficient)

    Click the Compare button to start the sorting process.

    Files in the upper portion have been verified to "exist", whereas files in the bottom section have some form of problem being accessed.
    There will be only minimal, if any files listed there... once that Compare scan is complete, and you find you have a few files listed in the lower box.

    Click on any of the listed entries to select it.. Right click the mouse and use the Option Rescan Like This

    This will run the file through the standard Windows Find and if it does exist, will be removed from the list (to further filter the found objects) Like This

    After that if you are left with files that are still not found, click the Make a Log of what was found button, and post that log.
     
  6. 2004/09/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    lpdrummer,

    This is like the 3rd or 4th thread you have started asking for help in cleaning up your machine. I have yet to see you follow thru with the previous instructions given, as given, and I am beginning to feel that we are wasting our time trying to help you. I know that your own website/forum must keep you very busy, but please follow thru with the help that you are being given here. There are other things that need to be done on your machine AFTER cleaning out the junk, such as Windows Updates and installing some other protective applications, but if you do not follow thru with the recommendations already given to clean up, these things will do no good. I personally will not respond to anymore requests for help on future related threads until you stick with this one long enough to get an 'all clean' confirmation from one of our members (possibly myself) trying to help.
     
  7. 2004/09/11
    NeoSpawn

    NeoSpawn Inactive

    Joined:
    2003/02/21
    Messages:
    27
    Likes Received:
    0
    Hey, I have been getting the same problem and I found this extensive solution for it. I naturally have my home page as about:blank but then one day my about:blank had stuff on it and it was blocking pop ups. I'm using FireFox at the moment because I haven't found time to fix the problem.

    http://www.securiteam.com/securityreviews/5RP0L0UD5U.html


    That is the address that has the solution to this mystery.

    NeoSpawn

    PS: Even though it says XP: Home Edition, Professional should be the exact same.
     
  8. 2004/09/11
    lpdrummer

    lpdrummer Inactive Thread Starter

    Joined:
    2004/07/26
    Messages:
    285
    Likes Received:
    0
    I didn't fix any R0 and R1s yet. All my antispyware is up to date. I have Norton Anti-virus, but it doesn't do anything.

    I don't have any of the above registry apps on my computer.
     
  9. 2004/09/11
    lpdrummer

    lpdrummer Inactive Thread Starter

    Joined:
    2004/07/26
    Messages:
    285
    Likes Received:
    0
    Sry, I didn't know that ya had to get an "All Clean" to be able to stop posting....And I always follow thru with the instructions, but after my computer's clean, I just forget to reply back sayin I fixed it.

    I think I have it fixed the pop-ups, but my browser still is set to ad infected about:blank
     
  10. 2004/09/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If you have the latest version of CWShredder.exe, close ALL other windows and click fix. Reboot and run another HijackThis scan and post the log. If it's not the latest, v1.59.1, then get it from here, saving it to your desktop.
     
    Last edited: 2004/09/12
  11. 2004/09/12
    lpdrummer

    lpdrummer Inactive Thread Starter

    Joined:
    2004/07/26
    Messages:
    285
    Likes Received:
    0
    Here ya go-


    Logfile of HijackThis v1.98.2
    Scan saved at 2:33:45 PM, on 9/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ezseti.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Anti-Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [ezseti] C:\WINDOWS\System32\ezseti.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094583998764
     
  12. 2004/09/12
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I see this to remove. It is a new item, and was not present in your earlier log. I could not find what it is on Google.
    O4 - HKLM\..\Run: [ezseti] C:\WINDOWS\System32\ezseti.exe
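
The comparison described in the post above (an autorun entry present in the 9/12 log but absent from the earlier one) can be done mechanically. The following is an added example, not part of the original thread: it parses two HijackThis logs and lists the entries that appeared or disappeared between scans. The function names are illustrative, and the sample data are excerpts of the 9/9 and 9/12 logs posted in this thread.

```python
import re

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*?)\s*$")
# Body of an O4 registry autorun: hive, key, value name, command line
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")

# Excerpts of the 9/9 and 9/12 logs from this thread (not the full logs).
LOG_0909 = r"""Logfile of HijackThis v1.98.2
Scan saved at 4:09:31 PM, on 9/9/2004
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {5DD7B6B2-910D-4653-9B10-B7CD167112B0} - C:\WINDOWS\System32\pcmhb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [eep in touch with HPk] C:\WINDOWS\System32\eep in touch with HPk.exe
"""

LOG_0912 = r"""Logfile of HijackThis v1.98.2
Scan saved at 2:33:45 PM, on 9/12/2004
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ezseti] C:\WINDOWS\System32\ezseti.exe
"""


def parse_entries(log_text):
    """Map (section, case-folded body) -> original line for every scan entry.

    Header lines and the running-process list do not match ENTRY_RE and are
    skipped. Bodies are case-folded for comparison because Windows paths and
    registry names are case-insensitive.
    """
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            section, body = m.groups()
            entries[(section, body.casefold())] = f"{section} - {body}"
    return entries


def diff_logs(old_text, new_text, sections=None):
    """Return entries added and removed between two scans.

    sections, if given, restricts the result to those section codes
    (for example {"O2", "O4"} for BHOs and autoruns).
    """
    old, new = parse_entries(old_text), parse_entries(new_text)

    def keep(key):
        return sections is None or key[0] in sections

    return {
        "added": sorted(new[k] for k in new.keys() - old.keys() if keep(k)),
        "removed": sorted(old[k] for k in old.keys() - new.keys() if keep(k)),
    }


def new_autoruns(old_text, new_text):
    """Return (hive, key, value name, command) for each new O4 registry entry."""
    found = []
    for line in diff_logs(old_text, new_text, sections={"O4"})["added"]:
        m = RUN_RE.match(line[len("O4 - "):])
        if m:
            found.append(m.groups())
    return found


if __name__ == "__main__":
    for kind, lines in diff_logs(LOG_0909, LOG_0912).items():
        for line in lines:
            print(f"{kind:8}{line}")
```
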
     
  13. 2004/09/12
    lpdrummer

    lpdrummer Inactive Thread Starter

    Joined:
    2004/07/26
    Messages:
    285
    Likes Received:
    0
    Just did that. Thanks
     
  14. 2004/09/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Fix these two also.

    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    See the following link for cleanup of the BHO.
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AE&VSect=T

    If you haven't already done so, delete the ezseti.exe file. Then empty the recycle bin.

    Reboot, then visit Windows Update. Accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.

    Do you have Spybot Version 1.3? If not, download it from my signature and install. Allow it to load SD Helper. Open it up and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install and update. Check for updates weekly.
    Then download and install IESpyad.

    That will give you an added layer of protection against unwanted parasites.

    Reboot again and post one more HJT log.
     
  15. 2004/09/12
    NeoSpawn

    NeoSpawn Inactive

    Joined:
    2003/02/21
    Messages:
    27
    Likes Received:
    0
    Yeah, I just got the CWShredder and it took care of the problem for me. And now my about:blank is well....blank =^-^=(v)

    NeoSpawn
     
  16. 2004/09/13
    lpdrummer

    lpdrummer Inactive Thread Starter

    Joined:
    2004/07/26
    Messages:
    285
    Likes Received:
    0
    Fixed 'em!

    Hmmm....that site just tells you what it is, not how to get rid of it. And what's this 'ezseti' thing?

    I have the latest SpyBot already but I don't see a 'SD Helper'. And I installed the IE spyad, but am not sure how to use it.
     
  17. 2004/09/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The link shows the registry entries that are created, which you need to search for and delete if present. It also tells the files created/dropped and the location. Search for them and delete if present.
    It is a malware file. Delete it.

    In Spybot, click tools in the left pane, then resident and check the box for SD Helper.

    Open the IESpyad folder and double click the IE-ADS.REG file. It will merge the information to the registry. Done.

    Did you install the Windows Updates?

    Once done, reboot and post one more HJT log.
     
  18. 2004/09/16
    lpdrummer

    lpdrummer Inactive Thread Starter

    Joined:
    2004/07/26
    Messages:
    285
    Likes Received:
    0
    OK, I don't know where to find the ezseti thing, and my Spybot doesn't have a thing in the left pane that says 'tools'

    And yes, its the current version.
     
  19. 2004/09/16
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Make sure the shortcut that starts Spybot is like this one
    "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /advancedmode
    If not using the /advancedmode switch you won't see some options.
    Odd. You said in post #12 that you had already removed it.
     
  20. 2004/09/16
    lpdrummer

    lpdrummer Inactive Thread Starter

    Joined:
    2004/07/26
    Messages:
    285
    Likes Received:
    0
    So I have....Explains why I couldn't find it! Thanx!

    I don't see SD Helper anywhere...I've done immunize, it says "All bad products are already blocked" and I have no idea what the green + is let alone where to find it

    I Checked the resident category, but there was no SD Helper

    That's not there either...
     
  21. 2004/09/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Unsure as to why you are unable to locate the ie-ads.reg file, or the SDHelper option in Spybot. I just downloaded IESpyad.exe (<<< direct download), and after opening the new folder created when double clicked, ie-ads.reg was right there. I have also attached pictures of Spybot showing default mode, advanced mode, SDHelper option and version information.

    If you have completed the Windows Updates too, please post another fresh HijackThis log.
     