The original version of this page can be found at : http://forum.bullguard.com/forum/8/Aboutblank_10785.html
Posted By : GpatEire - 3-5-2005 10:55
Hello,

I've got a problem that has taken over Internet Explorer. Every time I open IE I am redirected from my original homepage to the following homepage (image screenshot shown on about.blank.gif attachment). I have tried to use Spybot Search and Destroy and it locates files in the registry and warns of possible hijack, but never is able to get rid of it. Just recently this problem has gotten worse and now it shoots a pop-up like the one shown in the "pop-up.gif" attachment every 5 minutes or so. I saw Emilio post HijackThis after searching for LSPfix.exe.

Here is the log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:41:51 PM, on 3/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINNT\system32\rundll32.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINNT\explorer.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\GAVINP~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\GAVINP~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.airamericaradio.com/pub/globalDefault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B8C88910-38A4-4CAB-9D3B-F0DE847DFCC7} - D:\WINNT\system32\ploof.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\GAVINP~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O18 - Filter: text/html - {2B1DA376-8A08-403C-821D-68F3851FE669} - D:\WINNT\system32\ploof.dll
O18 - Filter: text/plain - {2B1DA376-8A08-403C-821D-68F3851FE669} - D:\WINNT\system32\ploof.dll
O19 - User stylesheet: (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe


Thank you kindly for the time and help!

Posted By : Emilio (SVK) - 3-6-2005 2:14
Hi GpatEire

---------------------
Show hidden files:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Safe mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
--------------------

Download Ad-Aware SE
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

Download Spybot Search & Destroy
http://www.safer-networking.org/en/download/index.html

Download ScanSpyware (Serial: 5426-7451-2543)
http://www.scanspyware.net/download.htm

Download SysClean (sysclean.com file)
http://www.trendmicro.com/ftp/products/tsc/sysclean.com
Download pattern file for SysClean (unpack and copy with sysclean.com to the same folder)
http://www.trendmicro.com/download/pattern.asp

Download Security Task Manager
http://www.neuber.com/

1.REBOOT TO THE SAFE MODE

2.SHOW HIDDEN FILES

3.RUN HIJACKTHIS:
Check:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\GAVINP~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\GAVINP~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {B8C88910-38A4-4CAB-9D3B-F0DE847DFCC7} - D:\WINNT\system32\ploof.dll
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\GAVINP~1\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {2B1DA376-8A08-403C-821D-68F3851FE669} - D:\WINNT\system32\ploof.dll
O18 - Filter: text/plain - {2B1DA376-8A08-403C-821D-68F3851FE669} - D:\WINNT\system32\ploof.dll
O19 - User stylesheet: (file missing)
FIX CHECKED....

4.RUN SECURITY TASK MANAGER
find and remove this process:
D:\DOCUME~1\GAVINP~1\LOCALS~1\Temp\se.dll,DllInstall

5.FIND AND DELETE THESE FILES:
D:\DOCUME~1\GAVINP~1\LOCALS~1\Temp\se.dll (rundll32.exe)
D:\WINNT\system32\ploof.dll

6.SCANS:
run scan with Ad-AwareSE (full system scan)
run scan with SpyBot
run scan with ScanSpyware (do complete scan)
run scan with SysClean

7.CLEANING
run CCleaner (analyze---run cleaner)

8.REBOOT

let me know if it worked....


Emilio24
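
The triage behind the fix list above can be sketched as a small script. This is an added example, not part of the original posts and not how HijackThis itself works: it parses HijackThis entry lines, seeds a suspect set from two heuristics (a binary loaded from a Temp folder, a BHO with no name), then pivots on those files to find every other entry that loads them. The heuristics and function names are assumptions chosen for this log.

```python
import re

# Sample input: a subset of the entry lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\GAVINP~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B8C88910-38A4-4CAB-9D3B-F0DE847DFCC7} - D:\WINNT\system32\ploof.dll
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\GAVINP~1\LOCALS~1\Temp\se.dll,DllInstall
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINNT\system32\msjava.dll
O18 - Filter: text/html - {2B1DA376-8A08-403C-821D-68F3851FE669} - D:\WINNT\system32\ploof.dll
"""

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")          # section code, then body
PATH = re.compile(r'[A-Za-z]:\\[^,"=]*?\.(?:dll|exe|ocx)\b', re.I)

def parse(log):
    """Yield (section, body, [lower-cased binary paths]) per entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            body = m.group(2)
            yield m.group(1), body, [p.lower() for p in PATH.findall(body)]

def suspect_files(entries):
    """Seed set (assumed heuristics): Temp-folder binaries, unnamed BHOs."""
    seeds = set()
    for section, body, paths in entries:
        for p in paths:
            if "\\temp\\" in p or (section == "O2" and "(no name)" in body):
                seeds.add(p)
    return seeds

def triage(log):
    """Map each suspect file to the sections of every entry that loads it."""
    entries = list(parse(log))
    hits = {s: [] for s in suspect_files(entries)}
    for section, _body, paths in entries:
        for p in paths:
            if p in hits:
                hits[p].append(section)
    return hits

if __name__ == "__main__":
    for path, sections in sorted(triage(SAMPLE_LOG).items()):
        print(path, "->", ", ".join(sections))
```

The pivot step is what ties the O18 filter entries to the unnamed BHO: both load the same DLL, so removing only one registration leaves the other in place.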