A New Member With “OLD” Problem: "About:Blank"

Discussion in 'Malware Help (A Specialist Will Reply)' started by Retired Jager, Aug 23, 2007.

  1. Retired Jager

    Retired Jager Private E-2

    I guess you could say I have been extremely lucky as I have not had any viruses, malware, etc... until a few weeks ago when I attempted to connect to the internet via IE. Mind you, I've been utilizing an IBM version computer and connecting to the internet since the 1200 baud modem was considered fairly fast! My usual home page (my AKO email account @army.mil) was replaced by "about:Blank" on or about 5 Aug 07, according to a log from my SpyBot files, I believe? I have Automatic Windows Updating in which I control which updates and when I want them installed, along with Windows Defender, Symantec Antivirus, Symantec Client Firewall and of course SpyBot - Search and Destroy. These programs are run at a minimum of 2 to 4 times a week, sometimes more. Needless to say, I'm confused as to how this "about:Blank" gained access.
    I don't appear to have any other issues, but this "about:blank" is just an IRRITATION, thus far, as I am able to go into IE tools and change my home page back to the one I want.

    In addition, I have viewed and read your various memorandums concerning MALWARE REMOVAL GUIDE!; about:Blank and/or HSA Hijacker; How to protect yourself from malware!; GENERIC SOLUTION FOR "Only the Best" aka "HSA" and about:blank HIJACKERS, last updated 10/22/2004 and other Problems, ETC... As I started to follow the above procedures, i.e. CCleaner, it appears MANY, MANY, MANY files will be deleted???? Many of which I didn't think should be. Thus I stopped and decided to discuss it with you folks first!!!

    The following line from my latest SpyBot report (see attached) contained:

    CoolWWWSearch.Bootconf: IE start page (Registry change, fixed)
    HKEY_USERS\S-1-5-21-299502267-1547161642-682003330-1003\Software\Microsoft\Internet Explorer\Main\Start Page=about:blank

    I reviewed previous SpyBot checks/logs and it appears the first time this line appeared was on 5 Aug 07. However, when placing the cursor on the file, I've noticed the file changes in that a number is added to the end of the entry.

    I've attached the SpyBot-log-1.gif as I could not obtain a text version. I've also attached the fixes log from 5 Aug and the latest hijackthis.log.

    I'm sending the 2nd half of the SpyBot-log-2.gif as the whole gif exceeds the size limit of attached files. Finally, the latest SpyBot Update log attached to the next message for your perusal.

    Any and ALL assistance will be greatly appreciated!

    Retired Jager :confused
     


  2. Retired Jager

    Retired Jager Private E-2

    Here are the two attachments.

    Thanks
     


  3. abri

    abri MajorGeek

    Hi Retired Jager!

    Welcome to Major Geeks!


    CCleaner .. a euphemism for Crap Cleaner... takes out a lot of things you don't need on your computer. There are certain things which you might not want to lose, including some of your cookies or your internet history. It removes a lot of logs you don't need as well as your temporary files. Used on a regular basis, it's sort of like giving your computer a daily or a weekly bath. Call it computer hygiene. If you're used to using cookies and history, it might be a good idea to consider bookmarking things, so you don't have to keep all that other stuff. Also, if you don't run CCleaner as per our instructions (with Teatimer deactivated!!!), your logs end up being enormous and it's harder to find things that are wrong with your computer.

    I don't think this will be enough, but to begin with, please do the following:

    Please run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT

    Once you've done this, please go back and follow our standard cleaning instructions in the READ & RUN ME FIRST

    Thanks!
    abri
     
  4. Retired Jager

    Retired Jager Private E-2

    A quick question and then I'll start the Read & Run Me First instructions. You say to follow the STANDARD cleaning instructions. I've printed all the instructions contained and downloaded all the appropriate pgms, etc.. Am I to assume that the "standard" instructions include all steps from "0" thru "7"???

    Standing By!

    Retired Jager:confused
     
  5. abri

    abri MajorGeek

    <grins> (tongue in cheek) ...
    Yes!! (perhaps you're the first person who's ever read the directions all the way through before starting! LOL Would that we could get more like you!) :)

    The Special Removal Procedures are generally not applicable unless you happen to know what you have, in which case you might find the right fix early in the procedure. The next one though, with the add/remove programs is an easy one to go through and helps a lot if there happens to be any odd program on your computer that shouldn't be.

    abri
     
  6. Retired Jager

    Retired Jager Private E-2

    Completed the Standard Cleaning Procedure as discussed. HSremove took care of 8 files, don't know which or what. About:buster stated: no files found.

    Question: I understand in Part 4 after running about:buster and saving the log, I was to immediately reboot in the safe mode or into the safe mode.

    Why the question? As I was already in the safe mode as stated in Part 2. Am I confused or reading something wrong?

    I changed the home page to MajorGeeks.com and after rebooting, everything is working as before 5 Aug. Really appreciate all your assistance and patience, however, I probably will follow-up and utilize CCleaner as you suggested.

    Any other advice?

    Have a GREAT Day!:wave
     
  7. abri

    abri MajorGeek

    Hi Retired Jager!

    It sounds like you resolved the problem. If you want to post the logs from all your efforts, we'll look at them to make sure your computer really is clean. After determining that, if there is nothing left to do, we would post back one last time to ask you to remove some of the software you installed for the READ & RUN ME, have you set a new system restore point and then refer you for general tips to the How to Protect Yourself from Malware thread listed at the end of the READ & RUN. The logs you should have are:

    Counterspy
    Panda (activescan)
    BitDefender
    ShowNew (newfiles)
    GetRunKeys (runkeys)
    HijackThis

    As per your question:
    You lost me here, because I wasn't sure if you were referring to Part 2 and Part 4 in the READ & RUN ME FIRST or in one of the linked guides to the other removal procedures you were following. A reboot is sometimes required whether you're booting from safe mode or normal mode. Safe mode is where you want to end up after you reboot, regardless of where you were. If there's an unnecessary or redundant step in the instructions, we'd make a note of it, but I simply wasn't able to understand what you were referring to.

    abri
     
  8. Retired Jager

    Retired Jager Private E-2

    Sorry about the confusion, even older retired folks are not always clear!

    I went back and reread the thread (74508), titled: about:Blank and HSA Hijacker - Simplified Removal. Part 2 ONLY stated to disconnect from the internet and exit browsers! However, apparently I assumed that I should also be in the safe mode. Sorry about the confusion!

    I had downloaded the following files:
    Ad-Aware
    ADSSpy
    AVG
    About:Buster
    CCleaner
    CounterSpy
    Hijackthis
    HSRemover

    However, the only files I utilized were:
    About:Buster
    HSRemover
    HijackThis
    and started, but cancelled CCleaner operation.

    In the Read & Run Me First, I was given the option to go to the Special Removal Procedures sticky thread. That's probably why I have not yet run some of the aforementioned programs.

    I have some Honey-Do's to take care of now, so if things could be made clearer, when I get back to this machine?? I'll run the aforementioned pgms, after clearly reading the instructions, of course. Now I have not finished running CCleaner either, but it is not on the above list. Shall I also run CCleaner?

    Later - Have a GREAT Day!
     
  9. abri

    abri MajorGeek

    Hi Retired Jager,
    Honey-Do's :D I never heard that one!

    I probably misunderstood some things as well. When you mentioned that your computer was running as well as it was before August 5th, I thought you had run through the whole READ & RUN ME scans with all their accompanying logs. However, if you only ran one thing and it fixed the problem, there is a fairly good chance you caught the culprit and defeated it early on in this whole process. If that is the case, then anything you do further is optional.

    The only way for us to know for sure if your computer is really virus free, is for us to look at the logs of the six scans. If it seems to be running better, you could let it stand as it is for a few days and see if any of the problems you were experiencing seem to be coming back.

    Alternatively, you could complete the READ & RUN ME scans and post the logs to us and we'll look through them and see if anything was missed.

    The logs we need are 1) Counterspy (or AVG Antispyware if you can't run Counterspy), 2) Panda Active Scan (activescan.txt), 3) BitDefender, 4) ShowNew (newfiles.txt), 5) GetRunKeys (runkeys.txt) and 6) HijackThis (following the instructions to place it in the right folder and to rename the program before running it to analyse.exe).

    You mentioned in an earlier post that you were worried about the many things CCleaner would delete. Therefore I want to emphasize that it should be installed and left at the default settings, run in Safe Mode for each user on your computer, and only run with the Windows tab on top and with the default settings checked. It will not remove items which are not checked. You should not use any of the side tabs. Just double click on the CCleaner icon, after the CCleaner window opens push the button in the lower right-hand corner that says Run Cleaner, it will post a message to you that this is going to permanently delete folders and do you really want to do this, and then say okay. If you look through the list of checked items on the Windows tab and see things you don't want to part with, ask us about them. Some people depend heavily on their internet browsing history. I'm not sure which things you are worried about.

    Our reason for deleting these temp files and temporary internet files and logs from your computer is that they harbor things that like to hide and then come back to attack your system.

    abri
     
