Travstar 0 Posted September 8, 2004

Hi guys, I'm running Windows XP with latest updates. My IE6's default home page has been changed to about:blank and directs me to 'Home Search'. Nothing I have tried so far has worked to get rid of this problem, it simply keeps reverting back.

This is what I have tried so far:

SpyBot Search & Destroy (latest updates) - didn't fix it
Ad-Aware SE personal (latest updates) - didn't fix it
SpySweeper 3.0 (latest updates) - didn't fix it
BHODemon 2.0 - detects each new .dll, but program producing them still exists. (each dll created are just random names)
coolwebsearch remover - "not found on system"
McAfee VirusScan 2004 v8.0 with latest updates - nothing found.
searched for dll's created in the past day or two and deleted from system and also any traces from registry - no difference.

This is really starting to annoy me now.

This is my HijackThis log. Maybe somebody can help me out.

Logfile of HijackThis v1.97.7
Scan saved at 12:55:48 PM, on 8/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\netuy.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\yyali.txt:mdvpi
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Christophe Lebreton\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {50B880E0-130E-F77B-46BB-0062598D56CC} - C:\WINDOWS\system32\mfced.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [EPSON Stylus C41 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 "EPSON Stylus C41 Series (Copy 1)" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [netuy.exe] C:\WINDOWS\netuy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msnmsgr.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Hmmm, anybody seen that jbqzh.dll or sp.html before? Looks weird to me.

Please help somebody!!

Travstar

Sampson 0 Posted September 8, 2004

This will not fix the problem. But, apply this program. It is called SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html

Whenever the hijacking program attempts to take over it will alert you that your home page has been changed and asks if you want to keep the old value. Again, this will not fix your problem, but it will help you to live with it until you can track down the file that is doing this.

iq454 0 Posted September 9, 2004

I have solved this HERE, read it carefully.

iq454 0 Posted September 10, 2004

Tick this also:

O2 - BHO: (no name) - {50B880E0-130E-F77B-46BB-0062598D56CC} - C:\WINDOWS\system32\mfced.dll

Then boot into safe mode, and then delete these.

*C:\WINDOWS\yyali.txt:mdvpi
*C:\WINDOWS\netuy.exe

Then clean these DIRECTORY CONTENTS (Don't delete the folder itself)

*C:\Windows\Temp\
*C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <-This will delete all your cached internet content including cookies.
*C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
*C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
*C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Empty your "Recycle Bin" and restart and post a fresh log.

*Note* Next time you post your log, move HijackThis to its own folder, don't place it in your documents or your desktop.

C:\Documents and Settings\Christophe Lebreton\Desktop\HijackThis.exe <-Incorrect
Put it on your root C:
Example: C:\HJT\HijackThis.exe <-Correct.

This is just to make sure we can restore the backups it creates if needed.
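
Added example (not written by anyone in this thread and not part of HijackThis): a Python triage pass over log lines like those posted above, using three heuristics that flag the entries iq454 asked to be deleted plus the res:// search-page settings. The `triage` function, its regexes and the sample (lines copied from the log above) are assumptions made for illustration; a hit is a lead to research, not a verdict, and the O2 BHO entry needs a CLSID lookup that is out of scope here.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\netuy.exe
C:\WINDOWS\yyali.txt:mdvpi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [netuy.exe] C:\WINDOWS\netuy.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "R1 - ...", "O4 - ..."
RES_DLL = re.compile(r"=\s*res://(.+?\.dll)/", re.I)       # IE setting served from a DLL resource
ADS = re.compile(r"^[A-Za-z]:\\[^:]*\.[^\\:]+:[^\\]+$")    # path\file.ext:streamname
RUN_WINROOT = re.compile(r"\\Run: \[.*?\] \"?C:\\WINDOWS\\[^\\\"]+\.exe", re.I)


def triage(log_text):
    """Return (reason, line) pairs for log lines that match a heuristic."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            # Not an R/O entry, so treat it as a running-process path.
            if ADS.match(line):
                findings.append(("process image is an NTFS alternate data stream", line))
            continue
        code, rest = m.groups()
        if code in ("R0", "R1") and RES_DLL.search(rest):
            findings.append(("IE page setting points into a local DLL", line))
        elif code == "O4" and RUN_WINROOT.search(rest):
            findings.append(("autorun executable directly under C:\\WINDOWS", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```
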

iq454 0 Posted September 11, 2004

Yeah, could've been working for Microsoft and making millions, or creating his own programs that maybe saves lives, pilots, controlled or anything. I guess he/she has nothing better to do, and gets a rush from it. Thanks for that acknowledgment though.