Dad

about:blank

7 posts in this topic

Symptoms

 

Redirects browser to about:blank search page & immediately pops up ad hawking virus protection.

 

Renames C:\Windows\Notepad.exe to C:\Windows\Notepad.exe.bmk so that notepad no longer works.

 

Creates C:\Windows\Temp\sp.html file

 

Installs randomly named 30kb .dll file in the C:\Windows\System directory

 

Reinstalls itself - when pc is rebooted, get "setup is updating files" message.

 

 

What have I tried so far

 

Read the article and performed steps as recommended.

 

1. Ran Hijack This:

Logfile of HijackThis v1.97.7
Scan saved at 5:33:39 PM, on 6/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {68EB1BA2-C771-11D8-A1F2-00A08D1A4378} - C:\WINDOWS\SYSTEM\PFOFFFA.DLL
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

I removed all the R1 & R0 entries, and the O2 entry for PFOFFFA.DLL (this is the randomly named dll that reappears upon reinfection). I set my home page in Hijack This to www.fark.com, and all search pages to www.google.com.

 

No problem accessing Internet Options in IE - I reset the default home page to fark there, too.

 

No suspicious *.js or *.hta files found.

 

Ran latest & greatest adaware - found and removed all entries found. Some are labelled as coolweb, so...

 

Ran cool web shredder - nothing found.

 

Ran spybot s&d - only thing found was windows media player entry, which I kept.

 

Deleted all files in C:\Windows\Temp.

 

Deleted all cookies.

 

Deleted all internet history.

 

Used Registrar Lite to poke around looking for anything suspicious in RunOnce & Startup areas; nothing jumped out, but I'm nervous & unsure fussing around in here.

 

Can clean up, re-boot pc, home page will be OK for a while, but at some point (opening 2nd browser window???) about:blank is back with its taunting ads. The frippin people who come up with these things are dirt! This is the first infection I have not been able to cure myself. Need to somehow prevent this thing from reinstalling via setup on reboot.

 

Thank you for your consideration!

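As an added example (not part of the original post and not HijackThis's own code), the Python sketch below triages a HijackThis log for the indicators described in the first post: IE page settings pointing at a local file or at about:blank, and a BHO whose DLL sits directly in the Windows system directory. The sample lines are copied from the log quoted above; the function name and the three flagging rules are assumptions of this example.

```python
import ntpath
import re

# Sample lines copied from the HijackThis log quoted in the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {68EB1BA2-C771-11D8-A1F2-00A08D1A4378} - C:\WINDOWS\SYSTEM\PFOFFFA.DLL
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
"""

# "R0 - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (.+),([^,=]+) = (.*)$")
# "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# Assumption of this example: a BHO DLL directly in these folders deserves review.
SYSTEM_DIRS = ("\\windows\\system", "\\windows\\system32")


def flag_entries(log_text):
    """Return (line, reason) pairs for entries matching the thread's symptoms."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            value = m.group(4).strip().lower()
            if value.startswith("file://"):
                findings.append((line, "IE page setting points at a local file"))
            elif value == "about:blank":
                findings.append((line, "IE page setting is about:blank"))
            continue
        m = BHO_LINE.match(line)
        if m:
            # ntpath parses Windows paths regardless of the analyst's own OS.
            dll_dir = ntpath.dirname(m.group(3).strip()).lower()
            if dll_dir.endswith(SYSTEM_DIRS):
                findings.append((line, "BHO DLL loaded from the Windows system directory"))
    return findings


if __name__ == "__main__":
    for entry, reason in flag_entries(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

These rules only shortlist entries for review: legitimate BHOs can also live in the system directory, and about:blank can be a user's chosen start page.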

:techsupport: You've described the exact same thing that has happened to my husband's computer. I've "fixed" it twice, but it keeps coming back. We've tried everything, including editing the registry as you've described (in clean start), hijack this, cwshredder, spybot, adaware, panda software's free activescan, etc. I've removed all the .dll files found by panda, removed the sp.html file, emptied windows temp folder, etc.

 

The last time I fixed it, he had used IE at least 10 times before it came back and we rebooted the computer at least 3 times before it came back. This has been the most irritating problem ever and the only one that I haven't been able to fix. It seems that there are a lot of people with the same problem. A real fix would be a great relief!

 

Good luck!

Edited by yankeegirl


Your browser hijack is being run by a virus or trojan and until you get rid of this it will keep reinstalling the randomly named dll. You need some good anti-virus software with the latest data files. Scan your c: drive. If it doesn't find anything then you need some other anti-virus software.

I had an about:blank browser hijack which kept reinstalling itself. Running McAfee anti-virus software found Mhtredir.gen and StartPage-DU. After deleting these I used hijackthis to remove the browser hijack and it has not returned. You must have the latest anti-virus data files.

 

:techsupport:

You need some good anti-virus software with the latest data files. Scan your c: drive. If it doesn't find anything then you need some other anti-virus software.

 

Just so everyone knows, Norton Antivirus does NOT pick up this trojan and does not appear to have a fix.

Edited by yankeegirl


Tried the FindnFix suggestion . . . it found two files:

C:\WINDOWS\SYSTEM\STREAMCI.DLL

C:\WINDOWS\SYSTEM\WDMPMEM.DLL.

I hadn't heard of findnfix prior to dealing with this problem, so I've approached it cautiously - I moved & renamed the two files, but have not deleted them yet - from my experience so far with this virus, I've found that my browser can appear ok even after several reboots, then get fouled up again. I'm going to see if I can go a week without it reappearing.

 

But for now I'm cautiously optimistic that it's gone, and sincerely appreciate the members who offered advice. Thank you!!!


Two days later . . . no sign of virus. Looks like the findnfix was the last missing link I needed.

Thanx mme nrd!
