about:blank, sp.html hijack problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by mrfrerichs, Jan 6, 2005.

  1. mrfrerichs

    mrfrerichs Private E-2

    :confused:

    I have tried all the normal things to rid myself of this insidious evil, but I am at a loss. I have included my complete HJT log file in hopes that you mighty geeks can help this poor lost, lacking geek.

    Thanks in advance for all of your help.


    I hope you guys can help!

    Thanks,

    Chad Frerichs
     

    Last edited by a moderator: Jan 8, 2005
  2. mrfrerichs

    mrfrerichs Private E-2

    about:blank sp.html problem will not go away

    Hey guys,

    I am having a huge problem getting rid of an about:blank hijack. I am not a rookie at getting rid of these things but I cannot get this one to go away. I read the thread 'When all else fails - Generic Solution to HSA (Only the Best) & About:Blank hijack', but my hijack is the one that it refers to as not fixing. It uses the sp.html file. Please can someone help?

    Thanks,

    Chad Frerichs
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: about:blank sp.html problem will not go away

    Please do not start new threads for a problem you have already posted. I'm merging back to your original thread. You really should start by running ALL the steps in this Sticky thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. While it normally does not fix about:blank infections, it does typically fix other problems that can make removing these hijackers more difficult.

    In your other thread you posted a HijackThis log already. There are guidelines on posting HJT logs:
    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    You need to install yours properly. You have it installed exactly where we say not to. You have it here:
    C:\Documents and Settings\John Hilsabeck\Desktop\hijackthis\HijackThis.exe

    Fix that before continuing.

    Did you install this UpromiseRemindU stuff (see the two lines below)? If not, look in Add/Remove programs for an uninstall.
    O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
    O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (HKCU)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: about:blank sp.html problem will not go away

    Let's try this: download Pocket KillBox and unzip it to its own directory. But do not run it yet; we will run it later.

    Print these instructions or save them locally because after this sentence I want you to have all programs (especially browsers like IE) closed and I want you to physically disconnect (unplug cable) from the internet.

    OK exit programs & do physical disconnect now.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JOHNHI~1\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JOHNHI~1\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {C7EE4395-64D3-482E-AF89-F156F5765A8E} - C:\WINDOWS\system32\kbfc.dll
    O15 - Trusted Zone: http://www.windowsupdate.com
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
    O18 - Filter: text/html - {95E009F4-8B07-4011-AECD-E0694F5254D3} - C:\WINDOWS\system32\kbfc.dll
    O18 - Filter: text/plain - {95E009F4-8B07-4011-AECD-E0694F5254D3} - C:\WINDOWS\system32\kbfc.dll

    After clicking Fix, exit HJT.

    Run Pocket Killbox. Select the option to Replace on Reboot.
    Copy and Paste C:\WINDOWS\system32\kbfc.dll into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot but boot into Safe Mode.

    Boot into safe mode and use Windows Explorer to delete (if found):
    c:\filter.log
    C:\WINDOWS\system32\kbfc.dll <--- just double checking to make sure it's gone

    Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
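An added example, not part of the original post or of the MajorGeeks tutorials: a small Python triage of HijackThis log lines in the format quoted above. It flags IE settings that point at about:blank or a res:// resource, and DLLs registered as both a BHO (O2) and a MIME filter (O18), the combination seen with kbfc.dll in this log. The function name, the heuristic and the sample text are constructed for illustration.

```python
import re

# Constructed sample: a few of the log lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JOHNHI~1\LOCALS~1\Temp\sp.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.my.yahoo.com
O2 - BHO: (no name) - {C7EE4395-64D3-482E-AF89-F156F5765A8E} - C:\WINDOWS\system32\kbfc.dll
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O18 - Filter: text/html - {95E009F4-8B07-4011-AECD-E0694F5254D3} - C:\WINDOWS\system32\kbfc.dll
O18 - Filter: text/plain - {95E009F4-8B07-4011-AECD-E0694F5254D3} - C:\WINDOWS\system32\kbfc.dll
"""

# R0/R1: "<code> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.*)$")
# O2/O18: "<code> - <kind>: <label> - {CLSID} - <DLL path>"
O_LINE = re.compile(r"^(O2|O18) - (BHO|Filter): (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def triage(log_text):
    """Return (ie_settings, shared_dlls) worth a closer look.

    ie_settings: (hive, value name, data) for R0/R1 lines whose data is
                 about:blank or a res:// resource.
    shared_dlls: lower-cased DLL paths registered as both BHO and filter.
    """
    ie_settings = []
    loaders = {}  # lower-cased DLL path -> set of section codes seen
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _, key, name, value = m.groups()
            v = value.lower()
            if v == "about:blank" or v.startswith("res://"):
                ie_settings.append((key.split("\\")[0], name, value))
            continue
        m = O_LINE.match(line)
        if m:
            loaders.setdefault(m.group(5).lower(), set()).add(m.group(1))
    shared = sorted(p for p, secs in loaders.items() if secs == {"O2", "O18"})
    return ie_settings, shared


if __name__ == "__main__":
    settings, dlls = triage(SAMPLE_LOG)
    for hive, name, value in settings:
        print(f"review {hive} {name!r}: {value}")
    for path in dlls:
        print(f"review DLL loaded as BHO and MIME filter: {path}")
```

The output is a review list only; which entries to fix still depends on what the machine's owner actually installed, as with the UpromiseRemindU lines earlier in the thread.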
     
  5. mrfrerichs

    mrfrerichs Private E-2

    Re: about:blank sp.html problem will not go away

    First of all I apologize for the first post. I had been up for about a day and a half and was not thinking straight. When I realized what I had done I tried to delete the post but was unable. So, I contacted the admins and they have now deleted it.

    Second, this is a friend's computer. I was also suspicious of the Upromise stuff but when I asked them they said they used it. I have removed hijacks before, so this is not my first one. I have tried all of the normal things. Some things may have reappeared since I last looked at it, but many were gone once. EXCEPT this sp.html thing.

    I will post a HJT logfile attachment in a bit, I am eating lunch at the minute.

    Thanks,

    Chad Frerichs
     
  6. mrfrerichs

    mrfrerichs Private E-2

    Ok, everything seems to be working now. But, that is what happened before. I would fix it, almost exactly as we have here, and be rid of it for a day and several reboots, and then it comes back. Again, it is not my computer, so it very well could be a user related problem. We will see if this works. I hope so. I am getting tired of fixing this one. Attached is my HJT log.
     

  7. mrfrerichs

    mrfrerichs Private E-2

    forgot to say thanks very much for your time. :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If you have rebooted a couple of times and run a few Internet Explorer sessions (opened and closed at a minimum), you are probably okay. If you want to make it less likely that problems like this will happen, you need to do all of the steps in the below thread. Make sure you use FireFox instead of IE.

    How to Protect yourself from malware!
     
