NT Compatible
about:blank spyware. Nothing seems to work
Travstar
Junior Member


Posts: 1
Joined: 2004-09-07
Member No.: 39686
2004-09-07 23:06:11

Hi guys,

I'm running Windows XP with latest updates. My IE6's default home page has been changed to about:blank and directs me to 'Home Search'. Nothing I have tried so far has worked to get rid of this problem, it simply keeps reverting back. This is what I have tried so far:

SpyBot Search & Destroy (latest updates) - didn't fix it
Ad-Aware SE Personal (latest updates) - didn't fix it
SpySweeper 3.0 (latest updates) - didn't fix it
BHODemon 2.0 - detects each new .dll, but the program producing them still exists. (Each DLL created just has a random name.)
CoolWebSearch remover - "not found on system"
McAfee VirusScan 2004 v8.0 with latest updates - nothing found.

Searched for DLLs created in the past day or two and deleted them from the system, and also any traces from the registry - no difference.

This is really starting to annoy me now

This is my hijackthis log:

Maybe Somebody can help me out.

Logfile of HijackThis v1.97.7
Scan saved at 12:55:48 PM, on 8/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\netuy.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\yyali.txt:mdvpi
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Christophe Lebreton\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {50B880E0-130E-F77B-46BB-0062598D56CC} - C:\WINDOWS\system32\mfced.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [EPSON Stylus C41 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 "EPSON Stylus C41 Series (Copy 1)" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [netuy.exe] C:\WINDOWS\netuy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msnmsgr.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

hmmm, anybody seen that jbqzh.dll or sp.html before? looks weird to me.

Please Help somebody!!

Travstar

Post #145269
Sampson
Senior Member


Posts: 1352
Joined: 2001-12-18
Member No.: 8092
2004-09-07 23:16:36

This will not fix the problem. But, apply this program. It is called SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
Whenever the hijacking program attempts to take over, it will alert you that your home page has been changed and ask if you want to keep the old value. Again, this will not fix your problem, but it will help you to live with it until you can track down the file that is doing this.

Post #145270
iq454
Member


Posts: 25
Joined: 2004-09-07
Member No.: 39683
2004-09-09 05:10:44

I have solved this HERE, read it carefully.

Post #145341
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2004-09-09 08:11:30

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jbqzh.dll/sp.html#10213

* Those are the problem ones I would have said, & I read your other explanation in the other page & it seems I was right about that much...

(However, the machinations of that (what was it you said it was called in the other thread? Let me check again, brb) they're called "Search Extender", "ShoppingWizard" and "Home Search Assistant" (from your last post on other page) are pretty intense!)

You're right about one thing on the other page here:

http://www.ntcompatible.com/thread27764-2.html#145340

The person who made this? Pretty clever, but too bad they're using their "cleverness" for something as bogus as bad Browser Helper Objects (BHO's)...



APK

P.S.=> By the way, nice job tagging it down & figuring out how that sucker works, good job! apk

Post #145348
iq454
Member


Posts: 25
Joined: 2004-09-07
Member No.: 39683
2004-09-10 18:24:32

Tick this also

O2 - BHO: (no name) - {50B880E0-130E-F77B-46BB-0062598D56CC} - C:\WINDOWS\system32\mfced.dll

Then boot into safe mode, and then delete these.

*C:\WINDOWS\yyali.txt:mdvpi
*C:\WINDOWS\netuy.exe

Then clean these DIRECTORY CONTENTS (Don't Delete The Folder itself)

*C:\Windows\Temp\
*C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <-This will delete all your cached internet content including cookies.
*C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
*C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temporary Internet Files\
*C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp\

Empty your "Recycle Bin" and restart and post a fresh log.

*Note*
Next time you post your log, move HijackThis to its own folder; don't place it in your documents or on your desktop.
C:\Documents and Settings\Christophe Lebreton\Desktop\HijackThis.exe<-Incorrect

Put it on your root C:
Example:
C:\HJT\HijackThis.exe<-Correct. This is just to make sure we can restore the back ups it creates if needed.


Post #145439
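
An added example, not part of any post in this thread: a small Python triage pass over HijackThis log text that picks out the two kinds of entry the replies above single out, a running process whose image path is an NTFS alternate data stream (`file:stream`, as in `yyali.txt:mdvpi`) and R0/R1 registry values that point at a `res://` page inside a local DLL. The sample is an excerpt of the log posted above; the function and pattern names are made up for this example.

```python
import re

# Excerpt of the HijackThis log posted at the top of this thread (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\netuy.exe
C:\WINDOWS\yyali.txt:mdvpi
C:\Program Files\BHODemon 2\BHODemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jbqzh.dll/sp.html#10213
O4 - HKLM\..\Run: [netuy.exe] C:\WINDOWS\netuy.exe
"""

# A second colon after the drive-letter colon means "file:stream" (alternate data stream).
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")
# R-section line: "<code> - <registry key>,<value name> = <data>"
REG_LINE = re.compile(r"^(R[0-3]) - (.+?),([^,=]+?) = (.*)$")
# res:// URL that serves a page out of a local DLL's resources
RES_URL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)


def triage(log_text):
    """Return ADS-backed processes and the DLLs referenced by res:// registry values."""
    ads_processes, res_dlls = [], {}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes:
            if not line:
                in_processes = False  # a blank line ends the process list
            elif ADS_PATH.match(line):
                ads_processes.append(line)
        else:
            reg = REG_LINE.match(line)
            res = RES_URL.match(reg.group(4)) if reg else None
            if res:
                # Group value names by the DLL they load, so each file is listed once.
                res_dlls.setdefault(res.group(1), []).append(reg.group(3))
    return {"ads_processes": ads_processes, "res_dlls": res_dlls}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Grouping by DLL path shows at a glance that every hijacked search setting resolves to the same file, which is the one to look for after the process that keeps recreating it has been dealt with.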
iq454
Member


Posts: 25
Joined: 2004-09-07
Member No.: 39683
2004-09-10 21:15:21

Yeah, could've been working for Microsoft and making millions, or creating his own programs that maybe save lives, pilots, controlled or anything. I guess he/she has nothing better to do, and gets a rush from it.

Thanks for that acknowledgment though.


Post #145446