
Solved: MY BROWSER HAS BEEN HIJACKED(about blank)

Discussion in 'Virus & Other Malware Removal' started by kjscpc1, Jan 31, 2005.

Thread Status:
Not open for further replies.
  1. kjscpc1

    kjscpc1 Thread Starter

    Joined:
    May 27, 2004
    Messages:
    41
    My browser has been hijacked. It keeps changing itself to "about blank". I can completely clear my Hijack This log and it immediately reinstalls itself. Spy-bot doesn't touch it, nor does Ad-aware. I also tried CWShredder.
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Please do this:

    First create a permanent folder somewhere like in My Documents and name it Hijack This.

    Now Click here to download Hijack This. Download it and click "Save". Save it to the Hijack This folder you just created.

    Click on Hijackthis.exe to launch the program. Click on the Do a system scan and save a logfile button. It will scan and then ask you to save the log. Click "Save" to save the log file and then the log will open in notepad.

    Click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. kjscpc1

    kjscpc1 Thread Starter

    Joined:
    May 27, 2004
    Messages:
    41
    Logfile of HijackThis v1.99.0
    Scan saved at 7:10:55 AM, on 2/1/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\Explorer.EXE
    C:\Artios\ArtiosCAD5.20en\Program\artioscad.exe
    C:\Documents and Settings\jdullum\My Documents\HIJACK\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jdullum\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jdullum\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {6D351F24-8913-47C3-B1D6-4AB5ACC2811C} - C:\WINNT\system32\ekpp.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O18 - Filter: text/html - {EA3BAE41-9EEA-4BB8-A161-F814AE78EA2F} - C:\WINNT\system32\ekpp.dll
    O18 - Filter: text/plain - {EA3BAE41-9EEA-4BB8-A161-F814AE78EA2F} - C:\WINNT\system32\ekpp.dll
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common files\WinTools\WToolsS.exe (file missing)
     
  4. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    It doesn't look like you posted the full log. You only have 3 running processes?

    I would run HijackThis again and post it back on this thread. (y)
     
  5. kjscpc1

    kjscpc1 Thread Starter

    Joined:
    May 27, 2004
    Messages:
    41
    Rechecked the hijack log and it came out the same.
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Go here and download Adaware SE. Install the program, then in the main window look in the bottom right corner and click on Check for updates now, then click Connect and download the latest reference files, but don't run it.

    Also click here to download CWSinstall.exe. Run the CWSinstall.exe file and it will install CWShredder, but don't run it yet either.

    Set your folder options to show hidden files like so:

    Click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"


    Now copy these instructions to notepad and save them to a convenient location like your desktop. You will need them to refer to in safe mode.

    Restart into Safe mode.

    How to start your computer in safe mode

    Do all of the following in safe mode:


    Run Hijack This and put a check by all of the following entries then click the "Fix Checked" button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jdullum\LOCALS~1\Temp\sp.dll/sp.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jdullum\LOCALS~1\Temp\sp.dll/sp.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {6D351F24-8913-47C3-B1D6-4AB5ACC2811C} - C:\WINNT\system32\ekpp.dll

    O18 - Filter: text/html - {EA3BAE41-9EEA-4BB8-A161-F814AE78EA2F} - C:\WINNT\system32\ekpp.dll

    O18 - Filter: text/plain - {EA3BAE41-9EEA-4BB8-A161-F814AE78EA2F} - C:\WINNT\system32\ekpp.dll

    O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common files\WinTools\WToolsS.exe (file missing)

    Find and delete this file:

    C:\WINNT\system32\ekpp.dll

    Also in safe mode navigate to the C:\WINNT\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin


    Run CWShredder. Click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

    Next run Adaware according to these instructions:

    From main window: Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.
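
Added example, not part of the original thread and not the helpers' own method: a Python triage script that parses HijackThis log lines and flags the patterns visible in the log posted above (an IE page loaded from a DLL in a Temp folder, search values forced to about:blank, one DLL registered as both BHO and MIME filter, a service whose file is missing). The rules and the `triage` function are assumptions for illustration; the sample lines are copied from the log in this thread.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jdullum\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {6D351F24-8913-47C3-B1D6-4AB5ACC2811C} - C:\WINNT\system32\ekpp.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O18 - Filter: text/html - {EA3BAE41-9EEA-4BB8-A161-F814AE78EA2F} - C:\WINNT\system32\ekpp.dll
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common files\WinTools\WToolsS.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")  # section code, then the entry body

def triage(log_text):
    """Return (section, reason, entry) for lines matching the illustrative rules."""
    entries = [m.groups() for line in log_text.splitlines()
               if (m := ENTRY.match(line.strip()))]
    # Record which sections reference each DLL (last " - " field of O2/O18 lines).
    sections_by_dll = defaultdict(set)
    for code, body in entries:
        if code in ("O2", "O18"):
            sections_by_dll[body.rsplit(" - ", 1)[-1].lower()].add(code)

    findings = []
    for code, body in entries:
        reason = None
        if code in ("R0", "R1"):
            value = body.split(" = ", 1)[-1].lower()
            if value.startswith("res://") and "\\temp\\" in value:
                reason = "IE page served from a DLL in a Temp folder"
            elif value == "about:blank":
                reason = "search/home value forced to about:blank"
        elif code in ("O2", "O18"):
            dll = body.rsplit(" - ", 1)[-1].lower()
            if sections_by_dll[dll] == {"O2", "O18"}:
                reason = "same DLL registered as BHO and MIME filter"
        elif code == "O23" and body.endswith("(file missing)"):
            reason = "service points at a file that no longer exists"
        if reason:
            findings.append((code, reason, body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

The output is a review list only; the O4 and VERITAS service lines are left unflagged, matching the entries that were not selected for fixing in the post above.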
     
  7. kjscpc1

    kjscpc1 Thread Starter

    Joined:
    May 27, 2004
    Messages:
    41
    I did everything you said. It seemed to clear it up. I found out the computer didn't have any antivirus on it so I installed AVG. It picked up 18 trojan horse installers. It got rid of 17 of them but won't get rid of c:\winnt\system32\sql.dll. I have done everything I can but can't find that file on the computer to delete. Do you have any suggestions?
     
  8. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    sql.dll is probably the super hidden CWS infection reinstaller.

    Try this file and see if it takes care of the problem:

    https://beta.activeupdate.trendmicro.com/fixtool/fixagentv1.0007.zip

    Unzip the Folder contained in the zip and follow the directions given in the readme.txt you will find there.

    Restart the computer. Run AVG on the system32 folder to be sure it is gone.


    Run hijackthis and post the new log.
     
  9. gotrootdude

    gotrootdude

    Joined:
    Feb 19, 2003
    Messages:
    8,812
    Hit start/run, type "cmd"
    Type cd \windows\system32 and press Enter

    Type the following line to remove the read-only characteristic
    ATTRIB -R -h sql.dll
    and press Enter
    Then type
    Rename sql.dll badfile.dll
    and press Enter

    Then reboot, and search for badfile.dll and delete. If you still can't find it, then apparently one of the tools must've removed it.
     
  10. kjscpc1

    kjscpc1 Thread Starter

    Joined:
    May 27, 2004
    Messages:
    41
    I fixed it with hijack this. Then searched for it. This time it showed up and I was able to delete it. I'll check the computer tomorrow and see if it shows up again.
    Thanks
     
  11. kjscpc1

    kjscpc1 Thread Starter

    Joined:
    May 27, 2004
    Messages:
    41
    Seems to be done. You can close this thread.
    Once again thank you very much.
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Glad we were able to help! :)

    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     

Short URL to this thread: https://techguy.org/325312
