about:blank has defeated me!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by moosickboy, Sep 20, 2004.

  1. moosickboy

    moosickboy Private E-2

    I am seriously about ready to give up on this one. I followed every single step outlined in this thread on Friday, taking me 2-3 hours to finally complete, and I still have the stupid thing.

    Is there anything else I should know?
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  3. moosickboy

    moosickboy Private E-2

    Ok, I followed everything in the post, and still have the stupid thing. I've attached my latest hijack log. I noticed that the thing seems to have changed names... I noticed a few days ago that it was called something else... the dll files in the hijacklog now have a new name. Tricky. Any advice you could give would really help me out. Thank you.
     

    Attached Files:

  4. moosickboy

    moosickboy Private E-2

    I should also mention that not only do I have the about:blank start page, but I also have the annoying "only the best" pop-ups. Are these related?
     
  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Sadly, there's a whole other tutorial for that, get ready:

    http://forums.majorgeeks.com/showthread.php?t=38772

    I hate to do this, but if you could run that, we can go back to HijackThis. I can see that hijack now in these lines:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MA,

    Moosic did try the Generic Solution once (mentioned in his first message as a link). Sadly it is going to have to be run again. However, the first thing that must be done is to get the proper version of HijackThis. 1.97.7 is out of date.

    Moosic, get version 1.98.2 of HJT and post another HJT log and we will point out the problem lines. Also note I added some more details to the steps today on an RPC Helper service that must now be checked for.

    After posting the new log, do not shut down or reboot your PC. This typically can cause mutation of the filenames, making the HJT log useless. You can disconnect your PC from the internet (physically if need be), but no reboots.
     
  7. moosickboy

    moosickboy Private E-2

    OK, thanks for letting me know about the out of date Hijack. Here is the new log.
     

    Attached Files:

  8. IT_eagle

    IT_eagle Private E-2

    Don't give up. I got about:blank on my birthday 9-8-04. Just fixed it today.
    I am not going to say it was easy, but try this.

    Adware Away and then run CWShredder. Reboot.
    Then run Adware Away, then run CWShredder again.
    This did it for me.
    Over the last few days I have been running Ad-Aware SE Personal and Spybot.
    So if you want to be thorough, run in this order:
    Ad-Aware - Spybot - Adware Away, then CWShredder, reboot, change home page.
    Ad-Aware - Spybot - Adware Away, then CWShredder, reboot. Open IE, fixed.

    Good luck
    IT_eagle :)
     
  9. moosickboy

    moosickboy Private E-2

    Where can you get CWShredder?
     
  10. Kodo

    Kodo SNATCHSQUATCH

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
    R3 - Default URLSearchHook is missing


    I also question the following 2 items.
    O4 - HKLM\..\Run: [ierx.exe] C:\WINDOWS\system32\ierx.exe
    O4 - HKCU\..\Run: [Prae] C:\Documents and Settings\Randy O'Neal\Application Data\estr.exe
     
  11. IT_eagle

    IT_eagle Private E-2

  12. moosickboy

    moosickboy Private E-2

    Ok, I'm a bit new to all of this, and so what exactly do I do with lines that hijackthis found? Do I just check them and delete them? Surely it's more difficult than that.....
     
  13. Kodo

    Kodo SNATCHSQUATCH

    Check the box to the corresponding items listed and click "Fix Checked" ..
     
  14. IT_eagle

    IT_eagle Private E-2

    Thank you VERY much Major Attitude for your post. I have lost many hours with this virus and wanted to thank you.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not need to go anywhere else to get CWShredder. It is right here on MG's. In fact if you had read and executed everything we gave you in the READ ME FIRST tutorial, you should already have it.

    Even more importantly you should always use our links because they are for current versions. The link IT_eagle supplied is way out of date and is definitely not what you should be using. CWShredder does not fix about:blank or HSA hijack problems. Even the creator of the application will tell you that. It does not hurt to run it though since you could have other CWS problems.
     
    Last edited: Sep 21, 2004
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While you are welcome to try what IT_eagle indicated worked, I don't think it will resolve true about:blank or HSA hijacks. In addition while the lines Kodo has pointed out are indeed part of the problem several items are missing in particular:

    C:\WINDOWS\vmmreg32.dll:afwda
    O2 - BHO: (no name) - {C6A80F1C-5BB1-CC67-601F-59499EF2AC5B} - C:\WINDOWS\crns.dll

    These are both part of the hijack. However, simply fixing this line with HijackThis will do nothing to fix the problem. It will just cause more files to be created on your PC with new names. You must follow the steps in the Generic Solution thread and insert the appropriate lines at the correct places. You must also search as indicated in the Generic Solution for NSS, WNS, and RPC Helper services to find any additional hidden processes that can respawn the problem.

    If you do not know what lines to use in what steps of the Generic Solution, just ask and I will help you. The key is to follow ALL the steps exactly as written (skipping nothing) from beginning to end without rebooting or connecting to the internet during the procedure unless specified. You must also have the correct versions of all programs linked in the Solution.
     
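    Kodo's list in post 10 and chaslang's additions in post 16 are the kind of HijackThis lines a helper scans by eye: R0/R1 entries whose value is a res:// URL into a DLL under C:\WINDOWS, a ProxyServer pointing at 127.0.0.1, a missing URLSearchHook, an unnamed O2 BHO, and O4 Run entries launching short random-named executables. The path C:\WINDOWS\vmmreg32.dll:afwda is also worth noting: the colon after the file name is NTFS alternate-data-stream syntax (file:stream), which is why the host file looks like an ordinary DLL in a directory listing. The script below is an added example and not part of the thread or any tool mentioned in it. It parses the lines quoted in the thread, plus two constructed benign entries (a majorgeeks.com Start Page and a SoundMan Run entry) as controls, and applies my own heuristics; the "short lowercase name" rule for O4 entries and the choice of which patterns to flag are assumptions, not rules from the Generic Solution.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log: the R/O lines quoted in this thread plus two benign
# entries (Start Page, SoundMan) added here as controls.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C6A80F1C-5BB1-CC67-601F-59499EF2AC5B} - C:\WINDOWS\crns.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ierx.exe] C:\WINDOWS\system32\ierx.exe
O4 - HKCU\..\Run: [Prae] C:\Documents and Settings\Randy O'Neal\Application Data\estr.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RES_DLL_RE = re.compile(r"^res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
LOCAL_PROXY_RE = re.compile(r"(^|=)(127\.0\.0\.1|localhost):\d+", re.IGNORECASE)
O4_RE = re.compile(r"^(?P<hive>HK[LC][MU])\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# Heuristic (assumption): 4-6 lowercase letters + .exe, like ierx.exe / estr.exe
RANDOM_EXE_RE = re.compile(r"^[a-z]{4,6}\.exe$")


def is_ads_path(path: str) -> bool:
    """True when a Windows path names an NTFS alternate data stream (file:stream)."""
    tail = path[2:] if re.match(r"^[A-Za-z]:", path) else path  # drop the drive colon
    return ":" in tail


def check_line(line: str) -> list[str]:
    """Return the reasons one HijackThis log line looks like part of the hijack."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons: list[str] = []
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        setting = key.rsplit(",", 1)[-1]
        rm = RES_DLL_RE.match(value)
        if rm:
            dll = PureWindowsPath(rm.group("dll")).name
            reasons.append(f"IE setting '{setting}' points into local DLL resource {dll}")
        if setting in ("Start Page", "Default_Page_URL") and value == "about:blank":
            reasons.append(f"'{setting}' reset to about:blank (the visible symptom)")
        if setting == "ProxyServer" and LOCAL_PROXY_RE.search(value):
            reasons.append(f"IE proxied through loopback: {value}")
    elif kind == "R3" and "is missing" in body:
        reasons.append("Default URLSearchHook removed")
    elif kind == "O2":
        bm = BHO_RE.match(body)
        if bm and bm.group("name") == "(no name)":
            reasons.append(f"unnamed BHO {bm.group('clsid')} -> {bm.group('path')}")
    elif kind == "O4":
        om = O4_RE.match(body)
        if om:
            exe = PureWindowsPath(om.group("cmd")).name
            if RANDOM_EXE_RE.match(exe):
                reasons.append(f"Run entry [{om.group('name')}] launches short random-named {exe}")
    return reasons


def analyze(log_text: str) -> dict[str, list[str]]:
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    findings: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in analyze(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
    # The path chaslang quotes: the colon marks a hidden NTFS stream, not a file
    print("ADS host path?", is_ads_path(r"C:\WINDOWS\vmmreg32.dll:afwda"))
```

    Run against the sample, seven of the nine lines are flagged and the two constructed benign entries pass. The point of a script like this is to triage a fresh log quickly before the filenames mutate (as chaslang warns in post 6), not to fix anything: as post 16 says, ticking these lines in HijackThis alone only causes new files with new names to appear.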
  17. moosickboy

    moosickboy Private E-2

    Ok, I ran through everything again that was in the directions in this thread. I noticed it's still on there now after I rebooted in normal mode. I ran a HijackThis log before I connected back to the internet and I'm posting it again. I also ran About:Buster before I got back on the internet, but it found nothing (in normal mode). This sucker sure is tricky. Any more ideas?
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to be providing feedback on the steps in the Generic Solution. You should be indicating whether you found any of the 3 services running (NSS, WNS, or RPC Helper). You should be posting the About:Buster logs along with the HJT log. You should be telling me whether each step executed properly or if there were any problems. For example, when you were supposed to be deleting particular files, did you have problems finding them or deleting them?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These two lines are part of the problem:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hhwxg.dll/sp.html#29126
    O2 - BHO: (no name) - {F28B1256-59AF-E0AE-9F80-A3E878D7AC87} - C:\WINDOWS\system32\apiyr32.dll

    You need to fix them too. But that will not work just by clicking fix in HijackThis. I would bet by now, if you have opened and closed a few Internet Explorer sessions, that you have more R0 & R1 lines and an O4 line too. If not, they will probably be there after a reboot.
     
