Can't get rid of About:Blank, Trojan Startpage virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sword, Mar 8, 2005.

  1. sword

    sword Private E-2

    Hi,

    I've been trying unsuccessfully to get rid of About:Blank and/or the Trojan Startpage virus.

    I've run the Basic Spyware, Trojan and Virus Removal as best I could. I couldn't run the Trend Micro's Free Online Virus Scan nor Symantec Security Check due to Active X Control problems (even after I tried to fix them under my Security settings under tools, including adding these to my Trusted sites). Also, I downloaded every version of about:Buster from this website but none of them opened - said the database was corrupted.

    I've run Hijack This and fixed everything I should according to the Official Hijack This Tutorial, except the O3 and O4 items because I couldn't figure out how to find them in the lists from the links provided (e.g. TonyK's BHO & Toolbar List). On re-running Hijack This after fixing several items, some keep re-appearing such as the R1 containing about:blank.

    Is anyone able to help? I have a few Hijack This log files saved.

    Thanks so much.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs. TIP: Create a folder on your C:\ drive for the tools/utilities you will need to use. For example: Navigate to your Program Files directory, right click on a blank spot in the window > choose New > Folder. Name this folder Spyware Tools. Now you can save the needed tools to this folder and if you prefer, create sub-folders named for each individual utility.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    To Repeat: Please be sure to reply in this thread if you need further assistance or have any questions. Someone WILL be along to help you as soon as they can. You can help us help you by following the above instructions and providing detailed information as to the difficulties you are having and/or continuing to have after you have completed the Basic Spyware, Trojan And Virus Removal tutorial. Just telling us you followed the tutorial does not give us enough information. You need to let us know the results...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    We all recognize that if you are here asking for help you are probably frustrated and maybe even angry that your computer has been taken over by some malicious program. Rest assured, we want to help you, but we get frustrated too when we are not given the requested information or when instructions are not followed. Don't be afraid to ask for additional help if you don't understand something! There is no such thing as a dumb question and we do not expect everyone who comes here to have vast computer knowledge; however, you will be more educated and better prepared to prevent re-infestation when you leave here!:)

    Good luck!:)
     
  3. sword

    sword Private E-2

    Thanks so much for your help and patience.

    I was able to download and complete all the tools/scans in the Basic Spyware, Trojan and Virus Removal tutorial except Trend Micro's Free Online Virus Scan, Symantec Security Check, and about:Buster (reasons described in my first post). Everything was negative except Adaware quarantined and deleted 93 objects and CW Shredder did the same with about 20. I didn't write them all down (sorry).

    Hijack This showed I had some R1s with about:blank and se.dll, O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll,
    O15 - Trusted Zone: http://housecall-beta.trendmicro.com, O18 - Filter: text/html - {F366DF8A-26F7-4DD0-8D02-FF8324D86563} - C:\WINNT\System32\empc.dll
    O18 - Filter: text/plain - {F366DF8A-26F7-4DD0-8D02-FF8324D86563} - C:\WINNT\System32\empc.dll, and some O23s that weren't discussed in the Tutorial. I fixed all of the above except the O23s. I also had a bunch of O2s, O3s, and O4s that I didn't touch because I didn't know which were good/bad.

    That's where I am now.

    Thanks so much once again.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please attach a current HJT log as per my request in my previous post.
     
  5. sword

    sword Private E-2

    I've saved 4 log files so I'll send them in 2 postings.
     

    Attached Files:

  6. sword

    sword Private E-2

    thanks again
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Why did you attach 4 logs? What's different about each one?

    Can you attach just 1 HJT log from normal mode?
     
  8. sword

    sword Private E-2

    The first log is what I got after I ran HJT the first time. I've run it 4 subsequent times and attached each of those logs for you. All 4 scans were run in normal mode. The last log is the most recent one.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to make sure and confirm, will you attach one current HJT log.
     
  10. sword

    sword Private E-2

    Sorry for the inconvenience. Thanks again.
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    The first thing I notice is that your Operating System is outdated. After we get your system cleaned up I would recommend you going to Windows Updates and getting updated to Service Pack 4. Also, you need to upgrade to IE 6 SP1 for security purposes.

    Second:

    Please make sure ALL browsers are closed when using HJT.

    C:\Program Files\Internet Explorer\iexplore.exe

    Third:


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Selina1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Selina1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://my.utoronto.ca/scgi-bin/login.cgi?reason=login
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {132DDBA1-6AE1-4C49-B7E1-E815AD24D8F0} - C:\WINNT\System32\empc.dll

    O4 - HKLM\..\Run: [Run32dll] c:\winnt\system32\taskmngr.exe
    O4 - HKLM\..\Run: [exhrdbopl] C:\WINNT\System32\gpgeoe.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Selina1\LOCALS~1\Temp\se.dll,DllInstall

    O18 - Filter: text/html - {CD0272FE-F87B-473D-921F-388E0498B3B9} - C:\WINNT\System32\empc.dll
    O18 - Filter: text/plain - {CD0272FE-F87B-473D-921F-388E0498B3B9} - C:\WINNT\System32\empc.dll


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\System32\empc.dll

    C:\WINNT\System32\taskmngr.exe

    C:\WINNT\System32\gpgeoe.exe

    C:\WINNT\System32\empc.dll

    se.dll ←–– Search for this file, and delete if found!

    Fourth:

    While still in Safe Mode to finish the cleanup process, please do the following:
    Go to Start --> Run and type Regedit then click Ok.

    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    and highlight Services in the left pane. In the right pane, look for any of these entries:

    __NS_Service
    __NS_Service_2
    __NS_Service_3


    If any are listed, right-click that entry in the right pane and choose Delete.


    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

    and highlight Root in the Left Pane. In the right pane, look for these entries:

    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3


    If you find it, right-click it in the right pane and choose Delete.


    Now navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation NetLogon Service


    If Workstation NetLogon Service exists, right-click on it and choose Delete from the menu.

    Now navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Workstation NetLogon Service

    If LEGACY_Workstation NetLogon Service exists then right click on it and choose delete from the menu.

    Now navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Procedure Call (RPC) Helper

    If Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.

    Now navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Remote Procedure Call (RPC) Helper

    If LEGACY_Remote Procedure Call (RPC) Helper exists, right click on it and choose delete from the menu.

    Fifth:

    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
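    Added example, not part of this thread or of HijackThis itself: a small Python checker that parses HJT log lines and flags the patterns fixed in this post (about:blank and res:// search/start pages, an unnamed BHO, O4 autorun entries loading from a Temp folder, O18 text filters). The sample log is constructed from entries quoted in this thread plus one benign O4 and one O23 line, and is not a real log.

```python
import re
# Constructed sample HijackThis log, modelled on the entries quoted in this thread,
# plus one benign O4 and one O23 line to show what is NOT flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Selina1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://my.utoronto.ca/scgi-bin/login.cgi?reason=login
O2 - BHO: (no name) - {132DDBA1-6AE1-4C49-B7E1-E815AD24D8F0} - C:\WINNT\System32\empc.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Selina1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O18 - Filter: text/html - {CD0272FE-F87B-473D-921F-388E0498B3B9} - C:\WINNT\System32\empc.dll
O23 - Service: Automatic Updates - Unknown owner - C:\WINNT\system32\svchost.exe
"""
ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d+) - (?P<body>.+)$")
TEMP_RE = re.compile(r"\\(temp|locals~1)\\", re.IGNORECASE)

def parse_line(line):
    """Split one HJT line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None

def flag(section, body):
    """Return why an entry is suspicious (patterns from this case), else None."""
    if section in ("R0", "R1"):
        value = body.split(" = ", 1)[1].strip().lower() if " = " in body else ""
        if value == "about:blank":
            return "IE start/search page hijacked to about:blank"
        if value.startswith("res://"):
            return "IE page served out of a DLL resource (res://)"
    elif section == "O2" and "(no name)" in body:
        return "unnamed Browser Helper Object"
    elif section == "O4" and TEMP_RE.search(body):
        return "autorun entry loads code from a Temp folder"
    elif section == "O18" and body.startswith("Filter: text/"):
        return "MIME filter on text/html or text/plain (rewrites pages)"
    return None

def scan_log(text):
    """Return [(section, reason, line)] for every flagged entry in a log."""
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        reason = flag(*parsed) if parsed else None
        if reason:
            hits.append((parsed[0], reason, line.strip()))
    return hits

if __name__ == "__main__":
    for section, reason, line in scan_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Entries that survive a HijackThis "Fix" and reappear on the next scan, as the R1 lines did here, point at a running component (the O4 autorun and the O2/O18 DLL) that recreates them, which is why the post removes those first.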
     
  12. sword

    sword Private E-2

    Hi,

    You've been such a big help. I think things are ok now (when I open IE, my normal homepage appeared after I typed it into Tools and Internet Options).

    I followed all of your instructions. When I ran CCleaner, I wasn't sure what to have checked/unchecked, so I checked everything under Internet Explorer, nothing under Windows Explorer, and Empty Recycle Bin and Temporary Files under System. 574.2 MB were removed. When I ran the cleanmgr, I chose the C:.

    I've attached my latest log to this post.

    Thanks.
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Again, I will point out that your Operating System is outdated. Now that we have your system clean, I would recommend you going to Windows Updates and getting updated to Service Pack 4. Also, you need to upgrade to IE 6 SP1 for security purposes.

    Microsoft Windows Updates


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.



    Are you currently experiencing any further problems?
     
  14. sword

    sword Private E-2

    No problems at all. Thank you SO much. I can't believe how helpful and patient you've been. I've learned a lot through this experience.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I'm glad everything is running better for you and happy you have learned things. Good Luck in the future!

    To stay Malware free, please see this thread on How to Protect yourself from malware!

    Browse Safely!
     
