Family Computer- about:blank

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Alibelle, Dec 24, 2005.

  1. Alibelle

    Alibelle Private E-2

    my family's computer has a few problems one of them being the about:blank homepage thing. homesearchassistant is in my add/remove programs thing and i cannot remove it. it's a dell with windows xp home edition.

    I completed the thread

    Sticky: READ & RUN ME FIRST Before Asking for Support

    and attempted some of the

    Sticky: Special Removal Procedures (the about:blank general fix)

    a few notes i took during both procedures were: Spybot did not fix: command service, coolwwwsearch.homesearch, and wildtangent

    microsoft antispyware found: alcan worm and winsoftware.winfixer (i believe they were fixed)

    everything else went along smoothly and many things were found and fixed. i've attached a hijackthis.log because i know there is more to be found.

    i've always appreciated your help!
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I'm curious to see how this new update works, please follow the below...

    Download About:Buster 6.0

    Get any updates and run the utility, afterwards reboot and attach a fresh HJT log.
     
  3. Alibelle

    Alibelle Private E-2

    wow, i think it's gone, my internet explorer has our own homepage as its default!

    the only thing it said after removing countless files was:

    It appears a CWS infection has been found on your PC. Would you like to set your explo.... whatever.

    new log posted.

    thanks.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. Alibelle

    Alibelle Private E-2

    ok i followed the instructions and scanned, log is posted.

    merry christmas!
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I see you didn't run CCleaner as requested in the Ewido thread, anyway I need a fresh HJT log from normal mode.
     
  7. Alibelle

    Alibelle Private E-2

    lol, i'm sorry.

    ran ccleaner and HJT.

    log posted.
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    SpyFighter


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R3 - Default URLSearchHook is missing

    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)

    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
    O4 - HKLM\..\Run: [netlu.exe] C:\WINDOWS\system32\netlu.exe
    O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
    O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
    O4 - HKLM\..\Run: [ms-update] scvhost.exe
    O4 - HKLM\..\Run: [apirg.exe] C:\WINDOWS\system32\apirg.exe
    O4 - HKLM\..\RunServices: [ms-update] scvhost.exe

    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\MsUpdate ←–– Delete this whole folder if it exists!

    C:\Program Files\MyWaySA ←–– Delete this whole folder if it exists!

    C:\Program Files\SpyFighter ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\netlu.exe

    C:\WINDOWS\system32\apirg.exe

    scvhost.exe ←–– Search for this file and delete if found!
    (Do NOT get this confused with the legit file "SVCHOST.EXE" in the system32 directory.)

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows and finish the final step below...

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you complete the above, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Dec 26, 2005
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    You missed one file to delete: C:\WINDOWS\system32\apirg.exe

    Also note, most often files with no path indicated are found in C:\WINDOWS\system32
    But that is not 100% for sure. However, searching without setting up WinXP search to look for hidden and system files (per Searching for Hidden Files on WinXP) is not going to find these kinds of files.
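
The two checks raised in the posts above (an autorun entry with no path, and a file name such as scvhost.exe that imitates the legitimate SVCHOST.EXE) can be applied to HijackThis O4 lines automatically. This is an added Python example, not part of the original thread or of HijackThis; the `KNOWN_SYSTEM` list, the 0.85 similarity threshold and the function names are assumptions made for the illustration.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Sample input: O4 autorun lines copied from the log quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [ms-update] scvhost.exe
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
"""

# Assumption: a short illustrative list of genuine Windows binaries, not exhaustive.
KNOWN_SYSTEM = ["svchost.exe", "explorer.exe", "iexplore.exe", "lsass.exe",
                "services.exe", "winlogon.exe", "csrss.exe", "rundll32.exe"]

O4_LINE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_PATH = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

def lookalike_of(basename, threshold=0.85):
    """Return the genuine name this one imitates, or None (exact names pass)."""
    name = basename.lower()
    if name in KNOWN_SYSTEM:
        return None
    for real in KNOWN_SYSTEM:
        # Similarity ratio catches swapped or substituted letters (scv/svc).
        if SequenceMatcher(None, name, real).ratio() >= threshold:
            return real
    return None

def review_o4(log_text):
    """Return (key, target, reasons) for O4 entries worth a closer look."""
    findings = []
    matches = (O4_LINE.match(line.strip()) for line in log_text.splitlines())
    for m in filter(None, matches):
        exe = EXE_PATH.match(m["cmd"])
        target = (exe.group(1) or exe.group(2)) if exe else m["cmd"]
        reasons = []
        if not ntpath.dirname(target):  # bare file name, location unknown
            reasons.append("no path given")
        real = lookalike_of(ntpath.basename(target))
        if real:
            reasons.append(f"name resembles {real}")
        if reasons:
            findings.append((m["key"], target, reasons))
    return findings

if __name__ == "__main__":
    for key, target, reasons in review_o4(SAMPLE_LOG):
        print(f"{key}  {target}: {', '.join(reasons)}")
```

These two heuristics only prioritise entries for review; an entry they do not flag, such as the iexplore.exe autorun above, can still be unwanted.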
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Thanks for catching it, I would have caught it when I got a fresh log but glad you got it before.
     
  11. Alibelle

    Alibelle Private E-2

    ok, finished the thread.

    spybot did not delete command service again,

    i did not find some of the things in my HJT log to delete, although i had to run about.buster before i did it, i'm not sure if that may have taken care of anything.

    when i open up my internet explorer, it doesn't open to my website, it opens to

    http://www.systemwarning.com/

    other than that everything was fine.
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: Class - {447A2315-B483-39AC-FEB8-AB86EF0FF3D8} - C:\WINDOWS\iegg32.dll (file missing)
    O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp435F.tmp

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\hp435F.tmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, reboot and proceed with the below...

    First, run a scan with Spybot and attach the log. Then proceed with the next step...

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
