Author Topic: about blank problems!  (Read 8546 times)


Omar

  • Guest
about blank problems!
« on: July 10, 2005, 02:19:51 PM »
I woke up this morning and my computer has been taken over by about blank!

What can be done to get rid of it?



MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT BROADBAND\HELP\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netbreeze.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://lookfor.cc?pin=28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by netbreeze
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {14AD1554-E61D-7CB6-8753-60550DF17F1D} - C:\WINDOWS\SYSTEM\POY.DLL (file missing)
O2 - BHO: (no name) - {9996DB24-669A-343E-EC58-3A7615695597} - C:\WINDOWS\SYSTEM\JOPHFW.DLL (file missing)
O2 - BHO: (no name) - {E2398A2B-DB23-11D9-B62D-0090EE48C824} - C:\WINDOWS\SYSTEM\IBJJ.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Windows Shell Command] loadsh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NTL\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe
O4 - HKLM\..\RunServices: [Windows Shell Command] loadsh.exe
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: NTLSignup - https://register.tesco.net/tesco/NTLSignup.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4410/mcfscan.cab
O18 - Filter: text/html - {151F6681-E628-11D9-B62D-0090F7202CBF} - C:\WINDOWS\SYSTEM\IBJJ.DLL
O18 - Filter: text/plain - {151F6681-E628-11D9-B62D-0090F7202CBF} - C:\WINDOWS\SYSTEM\IBJJ.DLL

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: about blank problems!
« Reply #1 on: July 10, 2005, 02:25:05 PM »
Follow the instructions HERE

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: about blank problems!
« Reply #2 on: July 10, 2005, 02:26:51 PM »
1. If you are going to post the contents of a HJT log file, then post the complete contents (including the headers).

2. Try another browser that is not as susceptible to these browser hijacks; Firefox is one.

Check out this - About:Blank Homepage Hijacker Removal Instructions and Help
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Omar

  • Guest
Re: about blank problems!
« Reply #3 on: July 10, 2005, 04:10:52 PM »
Thanks for those instructions!

About blank is now gone :D

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: about blank problems!
« Reply #4 on: July 10, 2005, 04:36:37 PM »
Now all you have to do is keep it that way and IE is more vulnerable to these browser hijacks ;D

Starfighter

  • Guest
Re: about blank problems!
« Reply #5 on: July 11, 2005, 04:35:29 AM »
I had this about.blank problem too... the telltale sign: registry files linking to sp.dll and se.dll

I tried both CWShredder and hijackthis (taking out the registry associations etc)... it helped, but not completely.

The only thing that really cleaned it out for me was to use the cleaning program at this site:

http://www.derbilk.de/404.html

and by downloading the applicable file for the OS....

Windows 95/98/ME
SpSeHjfix109.zip

Windows 2000/XP
SpSeHjfix112.zip

I suggest you still run the above file spsehjfix, because you may think you got rid of the infection, but trust me, it may come back in a couple of days... the sp/se thing is a really persistent and evil browser hijacker.

Run the application in safe mode, empty the temp folders and temp internet files etc., and empty the recycle bin before rebooting back into normal mode etc... Oh, and if you're using WinXP etc., turn off system restore before you clean your computer .. then afterwards, turn system restore back on. I'm sure Eddy may chime in here if he has any other great tips :)

p.s. nice to see you back Eddy!  ;D
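
Added example, not part of any post in this thread: a small triage script for HijackThis-format logs that flags the sign described in the post above (R-section values that are res:// URLs into sp.dll or se.dll). The second check, listing DLLs registered both as a BHO (O2) and as a protocol filter (O18), is an added heuristic and an assumption, not something stated in the thread; all function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: five lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {E2398A2B-DB23-11D9-B62D-0090EE48C824} - C:\WINDOWS\SYSTEM\IBJJ.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O18 - Filter: text/html - {151F6681-E628-11D9-B62D-0090F7202CBF} - C:\WINDOWS\SYSTEM\IBJJ.DLL
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # e.g. "R1 - ...", "O18 - ..."
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.I)      # DLL path inside a res:// URL
TELLTALE = {"sp.dll", "se.dll"}                       # names given in the post above

def parse(log):
    """Yield (section code, entry text) for each log entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def res_hijacks(log):
    """R-section entries whose value is a res:// URL into sp.dll or se.dll."""
    hits = []
    for code, body in parse(log):
        if not code.startswith("R") or " = " not in body:
            continue
        key, value = body.split(" = ", 1)
        m = RES_DLL.search(value)
        if m and basename(m.group(1)) in TELLTALE:
            hits.append((key, m.group(1)))
    return hits

def shared_hook_dlls(log):
    """DLLs listed under both O2 (BHO) and O18 (filter): added heuristic."""
    seen = defaultdict(set)
    for code, body in parse(log):
        if code in ("O2", "O18"):
            path = body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            seen[path.upper()].add(code)
    return sorted(p for p, codes in seen.items() if codes == {"O2", "O18"})

if __name__ == "__main__":
    print(res_hijacks(SAMPLE_LOG))
    print(shared_hook_dlls(SAMPLE_LOG))
```
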

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: about blank problems!
« Reply #6 on: July 11, 2005, 02:40:16 PM »
Starfighter, your link is to a page not found error page 'error 404 is page not found', so there are no programs there.

Besides that, the link that I gave seems to get the job done.

Starfighter

  • Guest
Re: about blank problems!
« Reply #7 on: July 11, 2005, 03:30:21 PM »
DavidR --

The link does work (try it!)... even though it says file not found, 404, if you look below on that page, it does have the files listed... whoever created that webpage didn't do it very properly. >:( However, the files are on that webpage.

Direct links: for the Win9X & ME version click here: http://www.derbilk.de/SpSeHjfix109.zip

And for the Win 2000 and XP version, click here:
http://www.derbilk.de/SpSeHjfix112.zip

I highly recommend the above program -- it does help get rid of the sp / se about.blank hijacker...


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: about blank problems!
« Reply #8 on: July 11, 2005, 06:23:06 PM »
Sorry I don't look any further after getting the customised 404 error page, even though it was in front of my face ;D

Starfighter

  • Guest
Re: about blank problems!
« Reply #9 on: July 15, 2005, 02:31:24 AM »
No problem DavidR   :)

Here's the link that describes this file... it's the Babelfish translated version (from German to English):

http://babelfish.altavista.com/babelfish/trurl_pagecontent?lp=de_en&trurl=http%3a%2f%2fwww.trojaner-info.de%2fanleitungen%2fhijackthis%2fabout_blank.html

If that doesn't work, the German version (their homepage) is here:

http://www.trojaner-info.de/anleitungen/hijackthis/about_blank.html

Anyway, as said, this sphjfix program fixed it for me ...