Solved

IE6 Home page keeps changing to about:blank

Posted on 2004-04-19
Last Modified: 2007-12-19
I had some rogue website try to change my home page a couple of weeks ago.  No big deal I thought.  I have run Norton AV with latest definitions and Spybot with latest definitions and yet I am having strange behavior.

I can go into registry and change all instances of about:blank (Internet Explorer/Main/Start page and Internet Explorer/Main/HOMEoldISP in HKCU and HKLM) to my desired home page, reboot and everything is fine - home gets me home.  I then click on an open window, run File / New Window and a clone of first IE window opens up.  If I hit Home now it has changed back to about:blank in all four registry lines as well as the new IE window.  Where is the switch to stop this??

Thanks

Dave


Question by:dbish

26 Comments

LVL 32

Expert Comment

by:Luc Franken
Hi dbish,

First try this tool to remove the traces of most homepage hijackers:
http://www.spychecker.com/program/coolwebshredder.html

If you then still have problems, use this tool and post the logfile:
http://download.com.com/3000-2144-10227352.html

Greetings,

LucF
0

Author Comment

by:dbish
I ran CWS and found a number of invalid registry keys.  I deleted the values - they came back.  I ran HijackThis and used the program to delete the suspicious keys and they still came back.  The latest log is below.  I rearranged the log so that the known good items are above the dashed line and the keys that look bad or at least I don't recognize are below the dashed line.

Logfile of HijackThis v1.97.7
Scan saved at 10:43:17 AM, on 4/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC PowerChute\mainserv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\FILEBA~1\FileBack.exe
C:\PROGRA~1\COOKIE~1\COOKIE~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\MouseWare\system\em_exec.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Misc\HotC.exe
C:\Program Files\Macro Scheduler\msched.exe
C:\Program Files\PowerDesk\PDExplo.exe
C:\WINDOWS\SYSTEM32\wfxsnt40.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\APC PowerChute\apcsystray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TrayMan\ntstart.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\TrayMan\trayman.exe
C:\WINDOWS\I386\TASKMGR.EXE
C:\WINDOWS\System32\zstatus.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=CookieCop:8100
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [FileBack PC] C:\PROGRA~1\FILEBA~1\FileBack.exe
O4 - HKLM\..\Run: [CookieCop] C:\PROGRA~1\COOKIE~1\COOKIE~1.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Startup: APC UPS Status.lnk = ?
O4 - Startup: CHANGER action.lnk = C:\Program Files\Misc\CHANGER2.EXE
O4 - Startup: Check for TWS Updates.lnk = C:\Program Files\IB Trader Workstation 4\WiseUpdt.exe
O4 - Startup: Hot Corners.lnk = C:\Program Files\Misc\HotC.exe
O4 - Startup: Macro Scheduler.lnk = C:\Program Files\Macro Scheduler\msched.exe
O4 - Startup: PowerDesk.lnk = C:\Program Files\PowerDesk\PDExplo.exe
O4 - Startup: Task Manager Start.lnk = C:\Program Files\Macro Scheduler\msched.exe
O4 - Startup: WinFax Application Port Starter.lnk = C:\WINDOWS\SYSTEM32\wfxsnt40.exe
O4 - Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O15 - Trusted Zone: *.currentcatalog.com
O15 - Trusted Zone: clearstation.etrade.com
O15 - Trusted Zone: www.expedia.com
O15 - Trusted Zone: http://www.expedia.com
O15 - Trusted Zone: http://www.experts-exchange.com
O15 - Trusted Zone: *.fidelity.com
O15 - Trusted Zone: www.iba-worldwide.com
O15 - Trusted Zone: www.interactivebrokers.com
O15 - Trusted Zone: finance.lycos.com
O15 - Trusted Zone: moneycentral.msn.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.pcmag.com
O15 - Trusted Zone: www.precisionrx-online.com
O15 - Trusted Zone: www.prudentbear.com
O15 - Trusted Zone: www.reserveamerica.com
O15 - Trusted Zone: *.wsaccess.com

---------------------------------------------------------------------------

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A48F37B3-CBC1-4E1A-8DA6-6C6CF49579C8} - C:\WINDOWS\System32\fkkb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3817584D-A489-412C-AB44-DB8B2D7DEF63}: NameServer = 63.200.183.70 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{3817584D-A489-412C-AB44-DB8B2D7DEF63}: NameServer = 63.200.183.70 206.13.28.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{3817584D-A489-412C-AB44-DB8B2D7DEF63}: NameServer = 63.200.183.70 206.13.28.12

When I ran HijackThis the first time I deleted the items related to res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated) and rebooted.  The hijacking came back.  I assume that some other of the items is a hidden master switch that repopulates the bad fkkb related keys.  I do have a fkkb.dll in my windows\system32 directory but no sp.html is found anywhere.

The date on the fkkb.dll file is 4/16/04 which ties to about when the problems started.

Suggestions?

Thanks

Dave
0

LVL 32

Expert Comment

by:Luc Franken
Tick the checkbox in front of these lines and click "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {A48F37B3-CBC1-4E1A-8DA6-6C6CF49579C8} - C:\WINDOWS\System32\fkkb.dll

The last one is the culprit of all your problems.
0

Author Comment

by:dbish
This one was like a vampire - HijackThis killed it and it came back - etc.  Finally, the last time it is dead.  Manually checked Windows Explorer and Registry - it is gone.  Changed all my Start page references back to where I want them.

Thank you.

I am using XP Home (with SP1) and IE 6 (with SP1).  In researching this problem - I came across the following Registry hack.  Change:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
to 1 to gray out the home page buttons and prevent hijackings.  Do you:
1) Recommend this hack
2) Doesn't work?
3) Negative ramifications elsewhere?

Thanks

Dave

P.S. - BTW i bumped points on this question
0

LVL 32

Expert Comment

by:Luc Franken
1) No, I can't recommend it as it is something in your computer you don't want to have
2) Yes, it should work
3) Except for not being able to change your homepage in a normal way, I believe not.

What I suggest you to do is to update windows (http://windowsupdate.microsoft.com) as this homepage hijack is a security flaw in Microsoft VM. After you've updated windows, run hijackthis again, post the logfile and I'll try to figure out again what is bugging you.

LucF
0

Author Comment

by:dbish
I had already run all latest Windows Updates.  I just thought that since I was hijacked (either once or twice) in the last month this would be a way to stop the bad guys and I would have one less worry.  What is the reasoning for not recommending it (it is something in your computer you don't want to have)?

Log file below:
Logfile of HijackThis v1.97.7
Scan saved at 2:27:55 PM, on 4/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC PowerChute\mainserv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\FILEBA~1\FileBack.exe
C:\PROGRA~1\COOKIE~1\COOKIE~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MouseWare\system\em_exec.exe
C:\Program Files\Misc\HotC.exe
C:\Program Files\Macro Scheduler\msched.exe
C:\Program Files\PowerDesk\PDExplo.exe
C:\WINDOWS\SYSTEM32\wfxsnt40.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TrayMan\ntstart.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\APC PowerChute\apcsystray.exe
C:\PROGRA~1\TrayMan\trayman.exe
C:\WINDOWS\I386\TASKMGR.EXE
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Misc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=CookieCop:8100
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = my.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [FileBack PC] C:\PROGRA~1\FILEBA~1\FileBack.exe
O4 - HKLM\..\Run: [CookieCop] C:\PROGRA~1\COOKIE~1\COOKIE~1.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Startup: APC UPS Status.lnk = ?
O4 - Startup: CHANGER action.lnk = C:\Program Files\Misc\CHANGER2.EXE
O4 - Startup: Hot Corners.lnk = C:\Program Files\Misc\HotC.exe
O4 - Startup: Macro Scheduler.lnk = C:\Program Files\Macro Scheduler\msched.exe
O4 - Startup: PowerDesk.lnk = C:\Program Files\PowerDesk\PDExplo.exe
O4 - Startup: Task Manager Start.lnk = C:\Program Files\Macro Scheduler\msched.exe
O4 - Startup: WinFax Application Port Starter.lnk = C:\WINDOWS\SYSTEM32\wfxsnt40.exe
O4 - Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: *.currentcatalog.com
O15 - Trusted Zone: clearstation.etrade.com
O15 - Trusted Zone: www.expedia.com
O15 - Trusted Zone: http://www.expedia.com
O15 - Trusted Zone: http://www.experts-exchange.com
O15 - Trusted Zone: *.fidelity.com
O15 - Trusted Zone: www.iba-worldwide.com
O15 - Trusted Zone: www.interactivebrokers.com
O15 - Trusted Zone: finance.lycos.com
O15 - Trusted Zone: moneycentral.msn.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.pcmag.com
O15 - Trusted Zone: www.precisionrx-online.com
O15 - Trusted Zone: www.prudentbear.com
O15 - Trusted Zone: www.reserveamerica.com
O15 - Trusted Zone: *.wsaccess.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3817584D-A489-412C-AB44-DB8B2D7DEF63}: NameServer = 63.200.183.70 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{3817584D-A489-412C-AB44-DB8B2D7DEF63}: NameServer = 63.200.183.70 206.13.28.12

0

LVL 32

Accepted Solution

by:Luc Franken earned 125 total points
Clean logfile :)

As you have updated Windows fully, I can only suggest you stop clicking "Yes" on webpages to install things, in case you're only worried a bit.
One thing I'd suggest: get rid of those things in your trusted zone; all webpages are viewable with default settings without any problems.
0

Author Comment

by:dbish
I actually have good habits regarding letting bad things on my computer - I never let web pages install things, have a good virtual port/cookie blocker, never open attachments without a scan, etc.  Not sure how the bad guys got in.

BTW - I have found some web pages that do not load correctly - I think they have poorly written .jsp or .asp code and the page only partially loads.  I trust the sites and have found that the easiest way to get the pages to fully load is to put the few of them into the Trusted zone.

Thanks for all your help.

Dave

0

LVL 2

Expert Comment

by:racy1
The problem you had is caused by a utility called Cool Web Search, among other things.  And you are right, you do not need to agree or install anything on a web page to get it.  There are numerous websites out there (pornography especially) that will install this on your computer simply from visiting their page.  You can up the security block settings in IE but that becomes too annoying.  You definitely want to uncheck the entry for install on demand (other) under browsing options/internet options.  Make sure it is gone because when/if it installs itself from a hidden file in your system it will change this setting back.
0

LVL 32

Expert Comment

by:Luc Franken
In case you want some info on what happened.

Java.ByteVerify.exploit
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=36725

Microsoft Security Bulletin MS03-011
Flaw in Microsoft VM Could Enable System Compromise (816093)
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;816093

This info will make it easier for you to prevent these kind of things in the future.
0

Expert Comment

by:joebrez
I had the same issue on a user's laptop and it turned out to be a certificate that was bad.  The user had picked up a certificate and accepted it.

I compared certificates from another user and deleted the ones not needed.

That solved the problem.

0

Expert Comment

by:henckelj
I have the same problem but I am far from an expert.  All of this information is like gibberish to me... nonetheless I have the about:blank problem... how does an idiot get rid of it?

Jef
0

LVL 32

Expert Comment

by:Luc Franken
Jef,

You should create your own question; there you can explain briefly what is bugging you and include a hijackthis logfile. I'll try to help you there.

Asking Questions:
http://www.experts-exchange.com/help.jsp#hs3

Or a direct link to ask your question:
http://www.experts-exchange.com/Operating_Systems/askQuestion.jsp

Greetings,

LucF
0

Expert Comment

by:wardc72
I have had numerous users end up with this same problem.  The way I fixed the problem was to run Adaware 6, update it, and let it run.  Select all of the items it returns and quarantine them.  If some will not quarantine, answer yes when it asks you if you would like to run Adaware at the next reboot.  Again select all items found and quarantine them.  This has solved the problem every time.

Ward
0

LVL 10

Expert Comment

by:stevenshealthcare
AdAware and the Spybot have fixed this problem for me on multiple systems. Run them one after the other for best results.
0

LVL 2

Expert Comment

by:racy1
There is a utility called cwshredder.exe readily findable on the internet that will remove the newest versions of coolwwwsearch that spybot can't get rid of without them coming back.  If you can't find it, email me and i will send you a copy.  racy@adelphia.net
0

LVL 32

Expert Comment

by:Luc Franken
racy1, didn't I already post a link to CWShredder in my first comment?
http://www.spychecker.com/program/coolwebshredder.html

Also, did you read the guidelines before posting? You should never, ever post your e-mail address in a question, for several reasons:
1) It's not allowed at EE
2) All the world can view it...
3) Spam spiders have already harvested your e-mail address to send you spam; by posting your address at more and more places, you'll get more and more spam.

Greetings,

LucF
0

Expert Comment

by:techietech
Hi,

If you still have the problem, follow this document and make the necessary changes.

http://support.microsoft.com/default.aspx?scid=kb;en-us;320159&Product=ie600

If this does not work, you can try a repair of your windows.

Hope it works



TECHIETECH
0

LVL 2

Expert Comment

by:racy1
lucf.  Sorry.  I had not checked back to the earlier comments again.  I read your post almost a month ago and forgot you had told him that already.  And his recent comments suggested to me he had need of the cwshredder still (or again).  I have had this thing come back even after running the shredder.  It does not take much to get it back and even the updated shredder needed to be run twice to get rid of it the last time I used it.

As for the email address, that I did not know or forgot a long time ago, so thanks.  On the other hand, if you can't post them here, the harvesters probably aren't looking here.  What would be the point?  My spam hasn't increased so I guess I dodged the bullet this time anyway.
0

Expert Comment

by:landhoho
To remove the About:Clear virus -- (basically Luc's method, re-numbered)

1. Scan with HijackThis (HJT)
2. Look in the HK__ (registry) results for multiple (typically, 6, or more) occurrences of the form: "...\System32\xxxxx.dll" where xxxxx is 3 to 7 random alpha characters long and is completely unrecognizable as belonging anywhere. Write down "xxxxx.dll". Quit HJT.
3. Create a "kill" directory (something like, C:\~kill).
4. Go to Windows\System32, find the file xxxxx.dll, and drag it to your ~kill directory. The reason for this is that Windows will reject any attempt to directly delete xxxxx.dll.
5. Re-boot. First thing, before doing anything else, open the ~kill directory and delete xxxxx.dll.
6. Re-scan with HJT and put a check in every entry that contains either xxxxx.dll or "...=about:clear"
7. Close all browser instances and run HJT's Fix-Checked. (HJT will remind you to close all browsers, etc. before it deletes the BHO entry.)
8. Re-run HJT and scan to make sure you got everything.
9. Before doing anything else, run the MS-Windows Security Updates to eliminate the exploitation that allowed the About:Clear problem entry into your machine. Otherwise, it'll be back -- real soon!
0
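The cross-reference LucF applied to dbish's log (the res:// search settings and the O2 BHO entry both name fkkb.dll) and the counting heuristic in step 2 above, as an added Python example that is not part of HijackThis or of any post in this thread; the sample log lines are constructed from entries quoted here, and analyze and looks_random_name are my own names.

```python
"""Cross-reference the R0/R1 start/search entries of a HijackThis log with
its O2 (Browser Helper Object) entries.

LucF's diagnosis in this thread: several IE settings point at a res:// URL
inside one DLL under System32, and that same DLL is registered as a BHO,
which is the entry he called the culprit.  landhoho's step 2 adds a count
heuristic (the same short random-looking DLL name in 6+ places).
Added example for this page; not part of HijackThis or of any post.
"""
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.97 log format, built from entries quoted
# in this thread (fkkb.dll is the DLL the experts flagged).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fkkb.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {A48F37B3-CBC1-4E1A-8DA6-6C6CF49579C8} - C:\WINDOWS\System32\fkkb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.+)$")
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# A res:// URL names its DLL either with a full path (res://C:\...\x.dll/page)
# or bare (res://x.dll/page); capture only the file name in both forms.
RES_DLL = re.compile(r"res://(?:[^/\s]*\\)?([^/\\\s]+\.dll)", re.IGNORECASE)
# landhoho's rule of thumb: 3-7 letters that mean nothing, plus .dll.  Weak
# on its own, so it only annotates a hit found by the cross-reference.
RANDOM_NAME = re.compile(r"^[a-z]{3,7}\.dll$", re.IGNORECASE)


def looks_random_name(dll_basename):
    """True for names like fkkb.dll or thnjd.dll, False for NavShExt.dll."""
    return RANDOM_NAME.match(dll_basename) is not None


def analyze(log_text):
    """Return the R lines and O2 line that share a DLL, plus per-DLL counts."""
    settings_by_dll = defaultdict(list)  # dll name -> R lines pointing into it
    bhos_by_dll = {}                     # dll name -> (clsid, path, O2 line)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            hit = RES_DLL.search(m.group("value"))
            if hit:
                settings_by_dll[hit.group(1).lower()].append(line)
            continue
        m = O2_LINE.match(line)
        if m:
            basename = m.group("path").rsplit("\\", 1)[-1].lower()
            bhos_by_dll[basename] = (m.group("clsid"), m.group("path"), line)

    culprits, lines_to_fix = [], []
    for dll, r_lines in settings_by_dll.items():
        if dll not in bhos_by_dll:
            continue  # settings hijacked, but no BHO loads that DLL
        clsid, path, o2_line = bhos_by_dll[dll]
        culprits.append({"dll": dll, "clsid": clsid, "path": path,
                         "settings_hijacked": len(r_lines),
                         "random_looking_name": looks_random_name(dll)})
        # The lines a user would tick in HijackThis: every R entry naming the
        # DLL and the O2 entry that loads it.
        lines_to_fix.extend(r_lines)
        lines_to_fix.append(o2_line)
    return {"culprits": culprits, "lines_to_fix": lines_to_fix,
            "res_dlls": {d: len(v) for d, v in settings_by_dll.items()}}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for c in report["culprits"]:
        print(f"{c['dll']}: loaded as BHO {{{c['clsid']}}} and named in "
              f"{c['settings_hijacked']} IE start/search settings")
    print("Lines to tick in HijackThis:")
    for line in report["lines_to_fix"]:
        print("  " + line)
```

When the BHO loads a different DLL from the one in the res:// URLs, as in ssmudgers's log further down (thnjd.dll in the settings, ntgf.dll as the BHO), the cross-reference reports no culprit and the res_dlls count is the only lead the log itself gives.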
 

Expert Comment

by:Zuks
There is a setting in Spybot to stop your homepage being changed/hijacked.

I'm assuming you are running Spybot V1.3.

On the menu bar, pick Mode, then make sure Advanced is checked, then on the side bar pick Tools, then IE Tweaks. There are 3 boxes here that all mention locking things. Make sure they are all unchecked.

Next time you start IE, it should be fine.


Good luck!!
0

Expert Comment

by:ssmudgers
Hi

I have followed this thread and it is very similar to my own problem that started a couple of days ago.  My default home page (normally google) is now locked horribly into  res://thnjd.dll/index.html#37680.

I did try to download the coolweb shredder but for some reason I could not connect.

I did download the hijack software and the log is below;

Logfile of HijackThis v1.98.0
Scan saved at 20:56:38, on 04/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\d3tv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\winuk32.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
J:\My Download Files\IE Protection Software\Hi Jacked\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\thnjd.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://thnjd.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://thnjd.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\thnjd.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\thnjd.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://thnjd.dll/index.html#37680
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {285D732C-1D4D-CDA2-C38F-3F1B9E0B70A9} - C:\WINDOWS\ntgf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winuk32.exe] C:\WINDOWS\system32\winuk32.exe
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\System32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKLM\..\RunOnce: [d3tv.exe] C:\WINDOWS\d3tv.exe
O4 - HKLM\..\RunOnce: [sysit32.exe] C:\WINDOWS\system32\sysit32.exe
O4 - HKLM\..\RunOnce: [javazi32.exe] C:\WINDOWS\system32\javazi32.exe
O4 - HKLM\..\RunOnce: [msbv.exe] C:\WINDOWS\system32\msbv.exe
O4 - HKLM\..\RunOnce: [sysjz32.exe] C:\WINDOWS\sysjz32.exe
O4 - HKLM\..\RunOnce: [sdknk.exe] C:\WINDOWS\sdknk.exe
O4 - HKLM\..\RunOnce: [mspf32.exe] C:\WINDOWS\mspf32.exe
O4 - HKLM\..\RunOnce: [cryx32.exe] C:\WINDOWS\cryx32.exe
O4 - HKLM\..\RunOnce: [appsg.exe] C:\WINDOWS\system32\appsg.exe
O4 - HKLM\..\RunOnce: [atlgu32.exe] C:\WINDOWS\system32\atlgu32.exe
O4 - HKLM\..\RunOnce: [msra32.exe] C:\WINDOWS\msra32.exe
O4 - HKLM\..\RunOnce: [ieut32.exe] C:\WINDOWS\ieut32.exe
O4 - HKLM\..\RunOnce: [javafq.exe] C:\WINDOWS\javafq.exe
O4 - HKLM\..\RunOnce: [d3bj.exe] C:\WINDOWS\d3bj.exe
O4 - HKLM\..\RunOnce: [ipvd32.exe] C:\WINDOWS\ipvd32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

I have tried checking the offending files I recognised in Hijack and clearing out the offending IP address from the registry but it returned when I opened up the second browser page.

I could re-load a ghost but don't want to be beaten!

Please help

Smudger



0

LVL 32

Expert Comment

by:Luc Franken
ssmudgers,

Please create your own question, you have a lot of mess on your computer, that's for sure :(

LucF
0

Expert Comment

by:ssmudgers
Hi Lucf

This computer is shared amongst 5 members of my family so it gets abused!

Sorry, what I wanted was to be able to keep my home page as it is set in IE options and not have it overwritten each time I open up Internet Explorer with "home search" which has the address "res://wzsmk.dll/index.html#37680"


0

Expert Comment

by:landhoho
I finally got rid of my about:blank problem after using DLLFIX (start.bat results) which yields an output info sheet which includes a line: "Scanning for main Hijacker:" which I removed manually. In my case, THAT identified and eliminated the repetitive culprit; I don't think I would've ever found it without dllfix.

Your HT file shows the obvious multiple occurrences of "thnjd.dll/index.html#37680" - but if removing them doesn't help, I'd think maybe it's time to try dllfix. Since I did so, I've only been using ordinary anti-spyware (Spy Sweeper, SpywareBlaster [truly concatenated!], Ad-Aware, etc.) and haven't had any hijacks succeed. (I've rejected using SpyBot 1.3 because it keeps objecting to the site I use for my home page...)

According to a Security Forums note, DLLFIX can be found at http://downloads.subratam.org/dllfix.exe
or http://tools.zerosrealm.com/dllfix.exe . Usage is pretty obvious.

Good Luck!
0

Expert Comment

by:ssmudgers
Hi Landhoho & Lucf

Thanks for the help. DLLFIX/hijackthis sorted it out. It took two attempts and the second time it worked.

I was a bit unclear what you meant about the start.bat results, but did not need to worry as on the second attempt my home page was back to normal (as if any computer can be described as normal)!

Once again thanks for the time replying.

Regards, Smudger
0
