#1
Member (4 bit)
Join Date: Oct 2004
Posts: 12

"search for..." opens instead of about:blank.

When opening a new MS Internet Explorer browser, I get to see this "search for..." page. I uploaded a screenshot of it:
http://members.home.nl/thijswestera/searchfor.jpg

Also, since I first saw this page, I'm getting annoying popups now and then (also when I'm not surfing the web). How do I get rid of this search page (and the popups altogether)?

My virusscan cannot detect it, and I can't find anything manually. I have checked the html source of the page that appears, but cannot find anything of any use but this:

|script src="http://toolbar.cc/index.js?pin=681"||/script|

|| being < > brackets. So, toolbar.cc has something to do with it.

Any constructive comments are highly appreciated. Thanks in advance.

Last edited by Archaeopterix; 02-24-2005 at 10:19 AM.

#2
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,956

Read this : http://forum.pcmech.com/showthread.php?t=103171
Download and run the advised spyware scans and visit Housecall and then, if necessary, post a Hijack log.
__________________
Asus M4A77D, 64 X2 6000+, 4 GB Corsair DDR2 800 ram, Radeon 5770.

#3
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,345

#4
Member (4 bit)
Join Date: Oct 2004
Posts: 12

Thanks. I have tried pretty much all anti-spy/adware programs out there - metaphorically speaking - but it still hasn't been removed.

I have found another symptom, of which I'm pretty sure it started happening at the same time I got this search intro page: notepad instantly prints and shuts down again right after opening it. I found out about this when trying to read a readme file of some virusscanner. Any clue?

#5
Lest we forget
Join Date: Jun 2003
Location: Ontario, Canada
Posts: 1,870

Can you post a hijackthis log?
__________________
redqueen: Antec Sonata, Pentium-D 2.5GHz, MSI G31M3-L, 2GB ram, 320 GB HDD, OpenBSD
hal9000: Lenovo T61, 2GB ram, 120 GB HDD, FreeBSD

#6
Member (4 bit)
Join Date: Oct 2004
Posts: 12

#7
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,956

Get rid of these :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

#8
Member (4 bit)
Join Date: Oct 2004
Posts: 12

Thanks. The search intro page remains there though.

Every time I start a new browser, in the task manager I see that "iexplore" is running in the background. This doesn't happen when I open the browser by clicking a desktop shortcut. iexplore, once started, doesn't shut down when I shut down the browser. Also, a new iexplore starts when I start the browser again, which makes two.

#9
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,956

Also dump this : C:\WINDOWS\SYSTEM\NVSVC.EXE
and this is malware not a legit process :\WINDOWS\SYSTEM\MPREXE.EXE

iexplorer comes in 3 varieties, a system process (legit), a browser plug-in (maybe legit) and a trojan (yeecchh). http://www.liutilities.com/products/...rary/iexplore/ and read the paragraph.

Go over to TrendMicro and run housecall : http://housecall.trendmicro.com/ If it turns up it's a trojan, which is what I think yours is.

Also get these guys :
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL
O4 - Startup: PowerReg SchedulerV2.exe

Post back with a fresh hijack log.

#10
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,345
Did you run Aboutbuster yet?

#11
Member (4 bit)
Join Date: Oct 2004
Posts: 12

Yes, I have run aboutbuster.
Thanks pam, I did what you suggested and here's the new log.
http://members.home.nl/thijswestera/...islog_03-02-05
(I noticed that one of the searchassistant lines wasn't fixed...)

#12
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,956

Yeah, I see it now :
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
Get the little pest manually.

Also get this :
R0 - HKCU\Software\Microsoft\InternetExplorer\Toolbar,LinksFolderName = Koppelingen

And google drew a blank for this one, which shouldn't have happened :
O2 - BHO: (no name) - {45221F21-8675-11D9-AFFB-000BCE01B72B}C:\WINDOWS\SYSTEM\CDBM.DLL
so I say it's not legit.

How does your computer run now?
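
Added example, not part of the original thread: a small parser for the HijackThis-style lines quoted in posts #7, #9 and #12, used to list entries from a fix list that still show up in a later scan (the situation noted in posts #11 and #12). The line shapes are assumed from the entries quoted here, and the function names are hypothetical.

```python
import re

# Line shapes assumed from the HijackThis entries quoted in this thread.
REG_RE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM))\\(.+?),(.+?) = (.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\})(?: - )?(.*)$")
RUN_RE = re.compile(r"^O4 - (.+?): (?:\[(.+?)\] )?(.+)$")

def parse_entry(line):
    """Turn one log line into a dict, or None if the shape is unknown."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        code, hive, key, name, data = m.groups()
        return {"kind": "ie-setting", "code": code, "hive": hive,
                "key": key, "name": name, "data": data}
    m = BHO_RE.match(line)
    if m:
        # The CLSID may be fused to the path with no " - " separator.
        label, clsid, path = m.groups()
        return {"kind": "bho", "label": label, "clsid": clsid.upper(), "path": path}
    m = RUN_RE.match(line)
    if m:
        where, name, command = m.groups()
        return {"kind": "autostart", "where": where, "name": name, "command": command}
    return None

def identity(entry):
    """Key that stays stable between scans (the R0/R1 code is ignored)."""
    return tuple(sorted((k, v) for k, v in entry.items() if k != "code"))

def persisting(before, after):
    """Lines from the fix list `before` that still appear in the scan `after`."""
    seen = {identity(e) for e in map(parse_entry, after) if e}
    return [l for l in before if (e := parse_entry(l)) and identity(e) in seen]

# Sample lines copied from posts #7, #9 and #12 of this thread.
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank",
    r"O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
]
NEXT_SCAN = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank",
    r"O2 - BHO: (no name) - {45221F21-8675-11D9-AFFB-000BCE01B72B}C:\WINDOWS\SYSTEM\CDBM.DLL",
]

if __name__ == "__main__":
    for line in persisting(FIX_LIST, NEXT_SCAN):
        print("still present:", line)
```

The parser only structures the lines for review; deciding whether an entry is legitimate is still a manual step.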

#13
Member (4 bit)
Join Date: Oct 2004
Posts: 12

Quote:

#14
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,956

This is the dread command start>run>regedit.
Read through this carefully : http://www.pchell.com/support/aboutblank.shtml

It seems to have been your luck to get the latest version of about:blank .

Last edited by pam123; 03-04-2005 at 02:24 PM.

#15
Member (4 bit)
Join Date: Oct 2004
Posts: 12

I've got windows 98
The url links me to a fixing method for windows NT+.

EDIT: Ah wait, I guess my brain wandered off for a moment. I fixed it manually now.

Last edited by Archaeopterix; 03-05-2005 at 06:19 AM.

#16
Member (4 bit)
Join Date: Oct 2004
Posts: 12

I'm pretty sure I succeeded at removing the search assistant. Still, a thing called "iexplore" starts up when I start internet explorer, and it keeps running in the background even after I shut down the internet explorer...

EDIT: "iexplore" isn't active if I open a browser through a webby shortcut, instead of opening the browser itself.

#17
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,956

From previous post :
iexplorer comes in 3 varieties, a system process (legit), a browser plug-in (maybe legit) and a trojan (yeecchh). http://www.liutilities.com/products...brary/iexplore/ and read the paragraph.

Go over to TrendMicro and run housecall : http://housecall.trendmicro.com/

Did the computer scan turn up clean? If it did then worry about something else.

#18
Member (4 bit)
Join Date: Oct 2004
Posts: 12

Yes, I checked that page, and housecall turned up clean.
*worries about something else*

Also, the about hijacker has returned. So I've looked over a file.

#19
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,956

Quote:
Digging that thing out is a major hassle. What file?

#20
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936

Hi Archaeopterix
if you Download StartDreck
Unzip to its own folder and start the program:
Press 'Config'
Press 'Unmark All'
Check the following boxes only:
Registry -> Run Keys
System/drivers -> Running processes
Press 'Ok'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post the log in this thread.