0

Hello there,
I have a hijacked IE homepage (about::blank) title-Search For...,
I have tried using a combination of adaware, spybot S&D, and CWshredder to remedy this problem. Sometimes it works depending on the order of spyware used but everytime the hijack is back after restarting the computer or at a later time. Needless to say I have not been able to fix this problem. I have even tried the solution that suggested using APM but could not find a .dll file that was missing from APM but on HJT. This is my first day using HijackThis, so bear with me. Here is my logfile of HijackThis.....

Logfile of HijackThis v1.98.2
Scan saved at 3:32:57 PM, on 23/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\WINDOWS\System32\NDrv.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\HPCENT~1\137903\Program\BACKWE~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\APM\apm.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ca7.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72A7D3AA-2A41-425D-9763-2A7C300DA6C7} - C:\WINDOWS\System32\onp.dll
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Filter: text/html - {C6263CBB-42C5-41A9-A0B5-8AE7AEDF3073} - C:\WINDOWS\System32\onp.dll
O18 - Filter: text/plain - {C6263CBB-42C5-41A9-A0B5-8AE7AEDF3073} - C:\WINDOWS\System32\onp.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\wdm.dll

This problem is driving me insane.....
ENELdisciple

5
Contributors
4
Replies
5
Views
13 Years
Discussion Span
Last Post by crunchie
0

First of all, you shouldn't run hjt from your desktop, you should put in a folder like c:\hjt\hijackthis.exe.

Next, clean out all temporary folders for all users. Also do a search for *.tmp and delete all those as well.

Reboot, close any open windows, scan with hjt, and post a new log.

0

yay theres a simple workaround to the aboutblank problem if u dont mind a few cons! i did not do this personally, my brother was the one who figured it out, but just download mozilla firefox. its another internet explorer that u can get for free that does not have the defect in it that allows about blank. just use firefox instead of your normal ie. sadly i dont know where u can download firefox cuz i didnt do that personally, but it should be easy enough to find it. hope u find this helpful :)

1

Firefox is available from: http://www.mozilla.org/products/firefox/

However, if someone breaks in through your front door, you don't just stop using it and use the back door. Similarly, I strongly reccomend getting the problem fixed properly in accordance with dlh's instructions (those currently there and those that will follow).

0

Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.