"about:blank" homepage -- can't fix

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

dwshorn

Thread Starter
Joined
Apr 19, 2004
Messages
9
Logfile of HijackThis v1.97.7
Scan saved at 9:01:48 PM, on 4/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\jetsuite\DLLCMD32.EXE
C:\Program Files\Red Chair Software\Dudebox Explorer\dudemgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\jetsuite\jsdaemon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=localhost:1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {986490F3-3C3F-49CA-8F14-81A1C65BABAE} - c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp942\a0040630.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DFB0A387-2DC3-4402-8BC8-1C8C05FAE6EB} - C:\WINDOWS\_MWUTB.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Merriam-Webster Unabridged - {D0711285-ABC9-4DFA-81BF-89E6B5A9E0EF} - C:\WINDOWS\_MWUTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Dudebox Manager.lnk = C:\Program Files\Red Chair Software\Dudebox Explorer\dudemgr.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Unabridged Dictionary - res://C:\WINDOWS\_MWUTB.DLL/23/227
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Collegiate &Dictionary - res://C:\WINDOWS\_MWUTB.DLL/23/219
O8 - Extra context menu item: Collegiate &Encyclopedia - res://C:\WINDOWS\_MWUTB.DLL/23/235
O8 - Extra context menu item: Collegiate &Thesaurus - res://C:\WINDOWS\_MWUTB.DLL/23/220
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: S&panish-English Dictionary - res://C:\WINDOWS\_MWUTB.DLL/23/236
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/dell/site/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {18B35742-FEF5-4DE3-8928-8CAA34C1FEEA} (Merriam-Webster Unabridged Toolbar) - http://unabridged.merriam-webster.com/toolbar/install/webinstall.cab
O16 - DPF: {3B5A8FBB-833C-4A8C-B171-BA1BC027B3C2} (Installer Class) - http://www.readysyncgo.com/RSGInstall.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37574.8713888889
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/brxpdf5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.149/code/iPIX-ImageWell-ipix.cab
 

dwshorn

Thread Starter
Joined
Apr 19, 2004
Messages
9
By the way, I've tried Ad-Aware and CWS several times, but the about:blank homepage keeps reappearing.
 
Joined
Feb 18, 2004
Messages
68
That about:blank thing is my problem too. HijackThis does nothing for it because as soon as you fix the entry it reappears when you restart. I have no clue.
 
Joined
Dec 9, 2000
Messages
45,855
Would you do this: open Explorer and navigate to the c:\windows\system32 folder. Select Search > Advanced. Search for all files that have been MODIFIED during a date range when you first encountered this problem.

Let me know the names of any DLLs that have been modified in that date range.

Also, while this won't resolve the problem it might get us an unobfuscated hijack that will give more info.

>> restart in Safe Mode by running msconfig and enabling /safeboot under the boot.ini tab. You will have to uncheck this to return to normal.

In Safe Mode run HijackThis and check and fix the following entries, then reboot and post a fresh Scanlog:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=localhost:1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {986490F3-3C3F-49CA-8F14-81A1C65BABAE} - c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp942\a0040630.dll (file missing)
 

dwshorn

Thread Starter
Joined
Apr 19, 2004
Messages
9
Rog,

Thanks for helping out. I searched for recently modified DLLs in the System32 folder. The only one is called "pmole.dll".

But I didn't take your next step because I have a new HijackThis log, and it's different now. Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 11:43:12 PM, on 4/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\jetsuite\DLLCMD32.EXE
C:\Program Files\Red Chair Software\Dudebox Explorer\dudemgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\jetsuite\jsdaemon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=localhost:1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9ED19D5B-E74C-4D12-AD51-40435B597960} - C:\WINDOWS\System32\pmole.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DFB0A387-2DC3-4402-8BC8-1C8C05FAE6EB} - C:\WINDOWS\_MWUTB.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Merriam-Webster Unabridged - {D0711285-ABC9-4DFA-81BF-89E6B5A9E0EF} - C:\WINDOWS\_MWUTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Dudebox Manager.lnk = C:\Program Files\Red Chair Software\Dudebox Explorer\dudemgr.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Unabridged Dictionary - res://C:\WINDOWS\_MWUTB.DLL/23/227
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Collegiate &Dictionary - res://C:\WINDOWS\_MWUTB.DLL/23/219
O8 - Extra context menu item: Collegiate &Encyclopedia - res://C:\WINDOWS\_MWUTB.DLL/23/235
O8 - Extra context menu item: Collegiate &Thesaurus - res://C:\WINDOWS\_MWUTB.DLL/23/220
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: S&panish-English Dictionary - res://C:\WINDOWS\_MWUTB.DLL/23/236
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/dell/site/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {18B35742-FEF5-4DE3-8928-8CAA34C1FEEA} (Merriam-Webster Unabridged Toolbar) - http://unabridged.merriam-webster.com/toolbar/install/webinstall.cab
O16 - DPF: {3B5A8FBB-833C-4A8C-B171-BA1BC027B3C2} (Installer Class) - http://www.readysyncgo.com/RSGInstall.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37574.8713888889
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/brxpdf5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.149/code/iPIX-ImageWell-ipix.cab
 
Joined
Dec 9, 2000
Messages
45,855
OK, as you can see from some of the other "about:blank" threads I've responded to, I don't have the solution at this time, just some things to try.

There is a long discussion on another forum and the offer of a tool which might help; I have no experience with it, but you should give the thread a read:

http://www.computercops.biz/postx24263-0-30.html

In the meantime I'd like you to boot to Safe Mode and delete pmole and run HijackThis and check and "fix" all the pmole entries. You should have a notepad copy of these instructions to read in Safe Mode as we don't want Internet Explorer running even if you could connect.

In Safe Mode, run cmd and at the command prompt enter:

del C:\WINDOWS\System32\pmole.dll

Run HijackThis and check and "fix":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {9ED19D5B-E74C-4D12-AD51-40435B597960} - C:\WINDOWS\System32\pmole.dll

>> Still in Safe Mode, run regedit

Make sure the "file tree" is collapsed; click Edit > Find and enter:

{9ED19D5B-E74C-4D12-AD51-40435B597960}

Hit Find Next. Right click on and delete every hit you get. Hit F3 to continue the search until finished.

Reboot and post another Scanlog. This might provide some temp relief. Also see the Recent Security Updates thread in this forum and install those recent ones. You should also check Windows Update for any others you need.
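The obfuscated `res://` values in the first log are plain percent-encoding, so they can be decoded offline and matched against the O2 BHO lines to see which DLL and CLSID the hijacked search settings point at. This is an added example, not part of the original thread and not HijackThis code; the function names are hypothetical and the sample lines are copied from the two logs posted above.

```python
import re
from urllib.parse import unquote

# Constructed sample: a few lines copied from the two HijackThis logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://%63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%33%31%34%31%34%36%37%35%2d%36%63%62%65%2d%34%36%33%39%2d%38%66%36%37%2d%38%63%32%65%33%39%35%64%37%36%38%33%7d%5c%72%70%39%34%32%5c%61%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pmole.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {986490F3-3C3F-49CA-8F14-81A1C65BABAE} - c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp942\a0040630.dll (file missing)
O2 - BHO: (no name) - {9ED19D5B-E74C-4D12-AD51-40435B597960} - C:\WINDOWS\System32\pmole.dll
"""

R_LINE = re.compile(r"R[0-3] - (?P<key>.+?) = (?P<value>.*)")
BHO_LINE = re.compile(
    r"O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?"
)


def decode_res_target(value):
    """Return (module_path, truncated) for a res:// value, or None otherwise."""
    # Drop the "(obfuscated)" annotation HijackThis appends to some values.
    value = re.sub(r"\s*\(obfuscated\)$", "", value.strip())
    if not value.lower().startswith("res://"):
        return None
    decoded = unquote(value[len("res://"):])
    # A dangling '%' survives decoding when the log cut the value mid-escape.
    truncated = decoded.endswith("%")
    # Everything before the first '/' is the module that holds the resource.
    module = decoded.rstrip("%").split("/", 1)[0]
    return module, truncated


def parse_log(text):
    """Split a HijackThis log into R entries and O2 (BHO) entries."""
    r_entries, bhos = [], []
    for line in text.splitlines():
        line = line.strip()
        m = R_LINE.fullmatch(line)
        if m:
            r_entries.append((m.group("key"), m.group("value")))
            continue
        m = BHO_LINE.fullmatch(line)
        if m:
            bhos.append({"clsid": m.group("clsid"), "path": m.group("path"),
                         "missing": m.group("missing") is not None})
    return r_entries, bhos


def correlate(text):
    """Pair each res:// search/home setting with the BHO whose DLL it loads from."""
    r_entries, bhos = parse_log(text)
    hits = []
    for key, value in r_entries:
        target = decode_res_target(value)
        if target is None:          # ordinary http:// or about: value
            continue
        module, truncated = target
        for bho in bhos:
            path = bho["path"].lower()
            # A truncated value can only be matched as a path prefix.
            if path == module.lower() or (truncated and path.startswith(module.lower())):
                hits.append({"key": key, "module": module, **bho})
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        state = "file missing" if hit["missing"] else "present"
        print(f'{hit["clsid"]}  {hit["path"]}  ({state})')
        print(f'    referenced by {hit["key"]}')
```
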
 

dwshorn

Thread Starter
Joined
Apr 19, 2004
Messages
9
Rog, you just might be a genius.

I used HJT to fix all those entries. I later ran regedit and tried that search, but no entries were found. Anyway, I reset my IE homepage, and so far so good -- no "about:blank" b.s.

I'm keeping my fingers crossed that this will hold up. Thanks very much for your help.
 
Joined
Dec 9, 2000
Messages
45,855
Well, good to hear, but you need to cross fingers and knock on wood too. The experiences I was reading concerning this one are that it is somehow configured to return once a day. Let us know, perhaps you got lucky.
 