Solved

Adware Popups and About Blank homepage hijack

Posted on 2005-05-09
Last Modified: 2008-03-10
I keep getting these popups.  So far I have done the following:
1. Deleted all temp\temp internet files
2. Updated and ran in Safe Mode - Spybot 1.3, MS AntiSpyware, Adware 6, CWShredder and PestPatrol
3. Virus scan with updated defs (none found)
4. msconfig - turned off all startups and rebooted to Windows

In Add/Remove Programs there is:
Home Search Assistent and Shopping Wizard.  When I try to uninstall, it takes me to the following sites:
http://looking-for.cc/uninstall/HomeSearchAssistant.html
http://looking-for.cc/uninstall/ShoppingWizard.html

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:51:48 PM, on 5/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\syscx32.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\iezm.exe
\Mis-01\cdroms\Adware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bskpa.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bskpa.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bskpa.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bskpa.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bskpa.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bskpa.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {867653BB-CBDA-5ADF-86A5-ECF1FB3432E2} - C:\WINDOWS\netuz32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iezm.exe] C:\WINDOWS\system32\iezm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099071065851
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Acadm 6\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Acadm 6\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Acadm 6\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Acadm 6\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hsml.local
O17 - HKLM\Software\..\Telephony: DomainName = hsml.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hsml.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hsml.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\syscx32.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Question by:mmacdougall
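
A triage pass over entries like those in the log above, as an added example that is not part of the original thread. The function names and the three heuristics are assumptions made for this example; they mark entries for a closer look and are not verdicts. The sample lines are copied from the posted log.

```python
import re

# Sample input: seven lines copied from the HijackThis log in the question.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bskpa.dll/sp.html#12047
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {867653BB-CBDA-5ADF-86A5-ECF1FB3432E2} - C:\WINDOWS\netuz32.dll
O4 - HKLM\..\Run: [iezm.exe] C:\WINDOWS\system32\iezm.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\syscx32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# An .exe/.dll directly in C:\WINDOWS (no subfolder) at the end of the entry.
WINROOT_FILE = re.compile(r"C:\\WINDOWS\\[^\\/]+\.(?:exe|dll)$", re.I)

def parse(log):
    """Return (section code, entry text) for every HijackThis entry line."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def review_reasons(code, body):
    """Triage heuristics (assumptions of this example, not verdicts)."""
    reasons = []
    if code in ("R0", "R1"):
        _, _, value = body.partition(" = ")
        if value.lower().startswith("res://"):
            reasons.append("IE page setting loads from a local DLL resource")
    if code == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary has no vendor string")
    if code in ("O2", "O23") and WINROOT_FILE.search(body):
        reasons.append("binary sits directly in C:\\WINDOWS")
    return reasons

def triage(log):
    """Return (code, entry, reasons) for entries matching any heuristic."""
    hits = ((c, b, review_reasons(c, b)) for c, b in parse(log))
    return [h for h in hits if h[2]]

if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"[{code}] {body}\n      -> {'; '.join(reasons)}")
```

An "Unknown owner" service is not necessarily hostile (the WLTRYSVC entry in the same log also matches that one heuristic), so each flagged entry still needs to be checked by hand.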
10 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 1400 total points
ID: 13961715
about:blank Removal

Automated Removal
Download http://66.38.1.249/helpdesk/tools/AboutBuster.zip
Then unzip all files from the zip folder to a folder or your desktop. Start it and hit ok. Then hit update. A new screen should pop up. On that screen hit Check for Updates. If it says it found an update hit Download Updates. If it doesn't it will automatically tell you and exit. Now for the scanning part. Hit start and then Ok. The program should start scanning. Then hit exit and reboot. Once rebooted run AboutBuster 4.0 once more to make sure everything is ok. The database will be updated very frequently so check your versions once a day.

OR

Remove about:blank Buddy is a powerful tool to get rid of about:blank home page parasites. Remove about:blank Buddy lets you keep about blank home page from changing by disabling home page hijackers and restoring original configuration. http://www.scosoft.com/RemoveAboutBlankBuddy.exe

Manual Removal
About:Blank Homepage Hijacker Removal Instructions and Help
http://www.pchell.com/support/aboutblank.shtml
 
LVL 57

Expert Comment

by:Pete Long
ID: 13961717
Browser Hijacking/Spyware/Adware/Malware Removal instructions

Full removal and Prevention instructions are available on my website,

http://www.petenetlive.com/Tech/Browsers/hijack.htm

Please don't "Gum up" the TA's here by posting Hijack This Logs
go here and have it analysed.
http://www.hijackthis.de/index.php?langselect=english

The EE Official Link to info is,
 http:Q_20975384.html#10973783
 
LVL 57

Expert Comment

by:Pete Long
ID: 13961725
 

Author Comment

by:mmacdougall
ID: 13961745
Pete, I had it analysed and tried to fix it, thanks, but although I delete what I should, it keeps coming back; that's why I posted.

Mike
 
LVL 29

Assisted Solution

by:blue_zee
blue_zee earned 400 total points
ID: 13961751

Adware Away claims cleaning up that nasty, and people on EE have confirmed that:

http://www.adwareaway.com/

The trial version usually is fully active for some sessions:

http://www.adwareaway.com/download/AdwareAway.exe

Good luck,

Zee
 
LVL 29

Expert Comment

by:blue_zee
ID: 13961763

And instructions on how to do it:

http://www.adwareaway.com/aboutblank.htm

Zee
 
LVL 9

Assisted Solution

by:woodendude
woodendude earned 200 total points
ID: 13961899
XP....disable system restore, boot in safe mode, then use the removal tools.
 

Author Comment

by:mmacdougall
ID: 13962810
Great job guys
 
LVL 57

Expert Comment

by:Pete Long
ID: 13963087
ThanQ
 
LVL 29

Expert Comment

by:blue_zee
ID: 13963123

Thanks!