about:blank

Discussion in 'Malware and Virus Removal Archive' started by Master Green, 2005/05/31.

Thread Status:
Not open for further replies.
  1. 2005/05/31
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    It has been a while since I have posted here and this one is a known one and definitely the most aggravating...I am trying to remove the home page hijacker called "about:blank"...I have used almost every adware, spyware, malware, etc, etc program out there to remove it and you guessed it, still alive and doing well...The programs used are: adware/se - spy sweeper - hijack this - cws shredder (by Merlin) - CWS (by Intermute) - trojan scanners - AVG Virus scan - about buster and none of them were successful...I looked in several registry areas and found it in the start page...I changed it back to ISP name and it goes right back after I back out...I have also checked WINNT folder due to numerous trojans (51) that got removed...Even though the computer is not getting any pop-ups and seems to be free of spyware, with the exception of a couple of trojans that will not delete and can not find, the only issue pending basically is finding and removing about:blank...I have read numerous postings about how the newer version of about:blank is the most difficult to remove and there is no known removal available, I am still optimistic someone out there will have a solution (at least I hope anyways)...Thanks
     
  2. 2005/05/31
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400

  4. 2005/05/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please do post back and let us know if the newly updated AboutBuster does the trick (curious and hopeful :rolleyes: ). If it doesn't, post a HijackThis log and we'll help with manual removal. ;)
     
  5. 2005/06/01
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Thank you for the new About Buster and yes I will post back on how well it does later this afternoon...
     
  6. 2005/06/01
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    I downloaded about buster to a floppy and that did not remove the about:blank...I even changed the start page in the registry to the local ISP being used and downloaded it right into the computer and that did not work either I am sorry to say...I have even run before, in between and after the following: Spybot - HijackThis - AdwareSE - SpySweeper and that did not help either...Still hopeful for a solution...
     
  7. 2005/06/01
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
  8. 2005/06/01
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Scan saved at 8:07:52 PM, on 6/1/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\winji.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\apixf.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {D58F9B0F-C993-872B-8E58-9568DBE13DF7} - C:\WINNT\system32\appyn.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [apixf.exe] C:\WINNT\apixf.exe
    O4 - HKLM\..\RunServices: [CMD] cmd32.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Support - {53F17333-A26B-48AB-B915-00A35E848683} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {819B5C9B-C2AD-419B-AA61-B2ADCD63EF4D} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {86F04C5E-43A9-4E36-9A00-E21DC39AD3C3} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100049027453
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÃ„Ö`I) - Unknown owner - C:\WINNT\system32\winji.exe" /s (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
     
  9. 2005/06/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Create a new folder on the desktop named HJT and move HijackThis.exe to it.

    Download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

    Put a shortcut to Housecall on the desktop.

    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

    Check for updates to Ad-aware.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fdgtd.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {D58F9B0F-C993-872B-8E58-9568DBE13DF7} - C:\WINNT\system32\appyn.dll
    O4 - HKLM\..\Run: [apixf.exe] C:\WINNT\apixf.exe
    O4 - HKLM\..\RunServices: [CMD] cmd32.exe
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÃ„Ö`I) - Unknown owner - C:\WINNT\system32\winji.exe" /s (file missing)


    Then start APM.
    In the upper window select explorer.exe
    In the lower window find and right click the appyn.dll entry.
    Select Unload DLL and click OK on the prompts that follow.

    Reboot to safe mode.

    Do a search for and delete the file cmd32.exe if found.
    Open C:\WINNT and delete the file apixf.exe
    Open C:\WINNT\system32 and delete the file winji.exe
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    Open Ad-aware and run in full scan mode. Delete all it finds.

    Open HijackThis to the misc tools section. Click Delete an NT Service and type in RPC then click OK. You should get a 'succeeded' message.

    Reboot and click the Housecall shortcut. Check the box to autoclean and do a full system scan. Copy the report and post it here if any files were uncleanable.

    Post a new HJT log.
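
The kind of reading applied to the log in the post above, as an added example that is not part of the original thread or of HijackThis itself: a small Python triage pass over HijackThis lines. The three rules (res:// values in IE settings, autorun commands with no path or sitting directly in the Windows directory, services with an unknown owner or missing file) are heuristics assumed from the entries marked for fixing in this thread, and the `windir` default is taken from this log.

```python
import ntpath
import re

# Constructed sample: lines taken from the HijackThis log posted in this thread
# (the garbled display name of the winji.exe service is shortened to "...").
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fdgtd.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [apixf.exe] C:\WINNT\apixf.exe
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O9 - Extra button: Support - {53F17333-A26B-48AB-B915-00A35E848683} - http://www.comcastsupport.com (file missing) (HKCU)
O23 - Service: Remote Procedure Call (RPC) Helper (...) - Unknown owner - C:\WINNT\system32\winji.exe" /s (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
"""

ENTRY = re.compile(r"^\s*(R[0-3]|O\d+) - (.*\S)\s*$")              # "<code> - <body>"
RUN_KEY = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.*?)\] (.+)$")     # O4 registry autoruns
EXE = re.compile(r'^"?(.+?\.(?:exe|com|bat|scr))', re.I)           # executable part of a command


def check_entry(code, body, windir):
    """Return a reason string if the entry deserves a closer look, else None."""
    if code.startswith("R"):
        # IE start/search settings: a res:// value serves the page from a local DLL.
        _, _, value = body.partition(" = ")
        if value.lower().startswith("res://"):
            return "IE setting loads a page from inside a local DLL (res://)"
    elif code == "O4":
        m = RUN_KEY.match(body)
        exe = EXE.match(m.group(2)) if m else None
        if exe:
            path = exe.group(1)
            if "\\" not in path:
                return "autorun command has no path"
            if ntpath.dirname(path).lower() == windir.lower():
                return "autorun binary sits directly in the Windows directory"
    elif code == "O23":
        if "Unknown owner" in body or body.endswith("(file missing)"):
            return "service with unknown owner or missing binary"
    return None


def triage(log_text, windir=r"C:\WINNT"):
    """Return (line, reason) pairs for every entry matched by a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        reason = check_entry(m.group(1), m.group(2), windir)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

A hit only marks an entry for manual review; legitimate software can match these rules, and entries such as the BHO pointing at appyn.dll are not covered by them.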
     
  10. 2005/06/02
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Once again I thank you for your assistance...This was the first time I have had to post a "Hijack log" and the directions you gave me look intense and challenging...I will soon be signing up for "boot camp" (spywareinfo.com) so I can learn more and how to read these logs with expertise in due time...
     
  11. 2005/06/02
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    I tried the steps you gave me and it got frustrating...I looked at another hijack log and all appears the same...I will just have my friend take this computer to a computer store and let them worry about it...Unless there are less complicated measures to take to remove this about:blank..
     
  12. 2005/06/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Those instructions are pretty straightforward. Did you print them out? This method is a bit more involved than running AboutBuster, which as you already know won't remove this new strain, but it's less complicated than the other methods I've seen. Take it one line at a time and it should go like clockwork. ;)

    Unless you take those instructions along to the computer store also, they'll probably just wipe the drive, or post at a forum and ask for help. This is a tough infection to remove otherwise. :rolleyes:
     
  13. 2005/06/03
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Thank you for your understanding...I did print them out and checked each step off as I went along but had difficulty getting the IEspyad.exe to run and set up the Housecall Icon for some reason...An error message came up that I can't recall what it was now so I by-passed them and went on but when all was done and finished, the same problem was there...

    The question I have at this point is, if I did a format will that solve this problem...Computer is a Windows Xp...
     
  14. 2005/06/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes. If you're not installing XP with SP2, then you at least need to first enable the Windows Firewall before connecting that new installation to the internet. Installing a third party firewall (and antivirus) from cd would be a better option though. A clean install can be re-infected within seconds without some protection. ;)
     
  15. 2005/06/03
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Okay, thank you..It is Xp with SP2..I will post back in a few days or so approx and let you know how I made out...
     
  16. 2005/06/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're most welcome. ;)
     
  17. 2005/06/08
    Zero-2-Hero

    Zero-2-Hero Inactive

    Joined:
    2005/05/24
    Messages:
    28
    Likes Received:
    0
    Update....I tried to do a format and it would not let me do so...Then I'm not so sure on what happened but the desktop settings changed (to 16 bit). So I advised the owner I reached my limit and it was best to take it to a computer store where they have more toys to work with and see what they say. At this point, my guess is a new hard drive will be installed and Xp re-installed...
     
  18. 2005/06/20
    Zero-2-Hero

    Zero-2-Hero Inactive

    Joined:
    2005/05/24
    Messages:
    28
    Likes Received:
    0
    Update;
    I made one more attempt, by taking the Operating System CD, installed it by creating another folder and all went smooth as silk...Then I took the Gateway CD and re-installed the drivers and all looks like day one...Could not ask for anything better right now...During the next few days I will be trying to reinstall their ISP and pray for the same results...Hopefully I did not create an unknown situation that will surface at some point by doing it this way but like everything else "give it time and we shall see "...
     
  19. 2005/07/14
    Zero-2-Hero

    Zero-2-Hero Inactive

    Joined:
    2005/05/24
    Messages:
    28
    Likes Received:
    0
    Hi,
    It has been a few weeks since I posted any follow ups on this situation but here's the latest...When the computer boots up, one of the first few screens to appear shows (1st one) listed as Microsoft Windows XP Home Edition, the (2nd one) shows C:/WINNT/Windows Xp...I can click on either one as the operating system of choice but the first one listed takes me to the About:Blank and the second one will not accept the reinstall of the ISP...The problem(s) are gradually becoming extremely technical and I am worried about compounding the problem(s)... I have searched high and low for info as well to remove the second one which I created by accident...The About:Blank hijacker (newest version) is still dormant and I've yet to find any info on how to remove it...I have tried several techniques as well as suggested removers with no luck...It's probably best at this point to just put in a new hard drive and reinstall Windows Xp but the owner of this computer has friends that are playing Monday night quarterback and wanted to seek further advice from this post before resting my case...Thanks again.
     