6 replies to this topic

#1 Dad



  • New Member
  • 3 posts

Posted 26 June 2004 - 06:40 PM


Redirects browser to about:blank search page & immediately pops up ad hawking virus protection.

Renames C:\Windows\Notepad.exe to C:\Windows\Notepad.exe.bmk so that notepad no longer works.

Creates C:\Windows\Temp\sp.html file

Installs randomly named 30kb .dll file in the C:\Windows\System directory

Reinstalls itself - when pc is rebooted, get "setup is updating files" message.

What have I tried so far

Read the article and performed steps as recommended.

1. Ran Hijack This:

Logfile of HijackThis v1.97.7
Scan saved at 5:33:39 PM, on 6/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {68EB1BA2-C771-11D8-A1F2-00A08D1A4378} - C:\WINDOWS\SYSTEM\PFOFFFA.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

I removed all the R1 & R0 entries, and the O2 entry for PFOFFFA.DLL (this is the randomly named dll that reappears upon reinfection). I set my home page in Hijack This to www.fark.com, and all search pages to www.google.com.

No problem accessing Internet Options in IE - I reset the default home page to fark there, too.

No suspicious *.js or *.hta files found.

Ran latest & greatest adaware - found and removed all entries found. Some are labelled as coolweb, so...

Ran cool web shredder - nothing found.

Ran spybot s&d - only thing found was windows media player entry, which I kept.

Deleted all files in C:\Windows\Temp.

Deleted all cookies.

Deleted all internet history.

Used Registrar Lite to poke around looking for anything suspicious in RunOnce & Startup areas; nothing jumped out, but I'm nervous & unsure fussing around in here.

Can cleanup, re-boot pc, home page will be OK for a while, but at some point (opening 2nd browser window???) about:blank is back with its taunting ads. The frippin people who come up with these things are dirt! This is the first infection I have not been able to cure myself. Need to somehow prevent this thing from reinstalling via setup on reboot.

Thank you for your consideration!
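Added example, not part of the original post: a small Python triage of a HijackThis log that flags the entry types removed in the post above (IE page settings pointing at a local file or at about:blank, and an unnamed BHO). The function name, regexes and rules are assumptions drawn from this thread's log; the sample lines are copied from that log.

```python
import re

# Lines copied from the HijackThis log in the post above (not constructed).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
O2 - BHO: (no name) - {68EB1BA2-C771-11D8-A1F2-00A08D1A4378} - C:\WINDOWS\SYSTEM\PFOFFFA.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
"""

# R0-R3 lines: "<code> - <hive>\<key>,<value name> = <data>"
REG_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def triage(log_text):
    """Return (line, reason) pairs for entries matching this thread's symptoms.

    Heuristics (assumptions taken from the thread, not a general ruleset):
      - an IE start/search setting whose data is a local file:// URL
      - an IE start/search setting set to about:blank
      - a Browser Helper Object that HijackThis lists as "(no name)"
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_LINE.match(line)
        if m:
            data = m.group(5).strip().lower()
            if data.startswith("file://"):
                findings.append((line, "IE page setting points at a local file"))
            elif data == "about:blank":
                findings.append((line, "IE page setting is about:blank"))
            continue
        m = BHO_LINE.match(line)
        if m and m.group(1) == "(no name)":
            findings.append((line, "unnamed BHO: " + m.group(3)))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

A flagged about:blank start page is harmless on its own; it matters here only because it appears alongside the file:// search pages and the unnamed BHO.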

#2 yankeegirl



  • New Member
  • 3 posts

Posted 26 June 2004 - 07:22 PM

You've described the exact same thing that has happened to my husband's computer. I've "fixed" it twice, but it keeps coming back. We've tried everything, including editing the registry as you've described (in clean start), hijack this, cwshredder, spybot, adaware, panda software's free activescan, etc. I've removed all the .dll files found by panda, removed the sp.html file, emptied windows temp folder, etc.

The last time I fixed it, he had used IE at least 10 times before it came back and we rebooted the computer at least 3 times before it came back. This has been the most irritating problem ever and the only one that I haven't been able to fix. It seems that there are a lot of people with the same problem. A real fix would be a great relief!

Good luck!

Edited by yankeegirl, 26 June 2004 - 07:22 PM.

#3 shaunw



  • Full Member
  • 15 posts

Posted 26 June 2004 - 07:37 PM

Your browser hijack is being run by a virus or trojan and until you get rid of this it will keep reinstalling the randomly named dll. You need some good anti-virus software with the latest data files. Scan your c: drive. If it doesn't find anything then you need some other anti-virus software.

I had an about:blank browser hijack which kept reinstalling itself. Running McAfee anti-virus software found Mhtredir.gen and StartPage-DU. After deleting these I used hijackthis to remove the browser hijack and it has not returned. You must have the latest anti-virus data files.


#4 mme_nrd



  • Full Member
  • 38 posts

Posted 26 June 2004 - 09:31 PM

I had the same problem. This posting helped me solve it:


Hope this helps. Good luck.

#5 yankeegirl



  • New Member
  • 3 posts

Posted 27 June 2004 - 10:17 AM

You need some good anti-virus software with the latest data files. Scan your c: drive. If it doesn't find anything then you need some other anti-virus software.

Just so everyone knows, Norton Antivirus does NOT pick up this trojan and does not appear to have a fix.

Edited by yankeegirl, 27 June 2004 - 10:18 AM.

#6 Dad



  • New Member
  • 3 posts

Posted 27 June 2004 - 09:20 PM

Tried the FindnFix suggestion . . . it found two files:
I hadn't heard of findnfix prior to dealing with this problem, so I've approached it cautiously - I moved & renamed the two files, but have not deleted them yet - from my experience so far with this virus, I've found that my browser can appear ok even after several reboots, then get fouled up again. I'm going to see if I can go a week without it reappearing.

But for now I'm cautiously optimistic that it's gone, and sincerely appreciate the members who offered advice. Thank you!!!

#7 Dad



  • New Member
  • 3 posts

Posted 29 June 2004 - 08:58 PM

Two days later . . . no sign of virus. Looks like the findnfix was the last missing link I needed.
Thanx mme nrd!
