about:blank Help required please!

Discussion in 'Malware Help (A Specialist Will Reply)' started by RedDave, Feb 17, 2005.

  1. RedDave

    RedDave Private E-2

    Hi
    Please can you help me! Spent last night going through your 'Do not post until you have read this' thread, but my system appeared clear for approx. 10 seconds before the about:blank web page plus many popups appeared. Windows Update is impossible to use... it shows the same page as my corrupted homepage, and every time I start a program Rundll error pops up and then McAfee Antivirus states that the file C:\documents and settings\David\local settings\temp\se.dll has been infected by Startpage_Du.dll trojan. Hope this makes sense and look forward to your reply.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run ALL the steps in the sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you are still having a problem, follow the steps below.

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting.

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. RedDave

    RedDave Private E-2

    Hi, hope this file is okay.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hopefully things have not mutated since you posted your log. If you have problems finding the stuff I indicated below, you will need to post a new log and then DO NOT REBOOT. These infections spread and mutate during reboots.

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 23.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\David\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\David\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {18D349EE-29EA-4C22-AF7E-A23010194ED7} - C:\WINDOWS\system32\nkanaa.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

    Did you put this URL in your Trusted Zone? If so, are you really sure you absolutely must have this or something will not work? My opinion is nothing belongs there unless the world will come to an end without it. If you did not add it or do not need it, fix it.
    O15 - Trusted Zone: http://www.tesco.com

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/244a30e01d9011825f05/netzip/RdxIE601.cab
    O16 - DPF: {A5C76BEB-C8A9-4F59-BB90-52A821EAB9C9} (Desktop Object) - https://sib1.od2.com/sib16/start/pages/cman/cman.dll
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O18 - Filter: text/html - {F468AB59-7FFC-46A0-983B-D9E901BD05C9} - C:\WINDOWS\system32\nkanaa.dll
    O18 - Filter: text/plain - {F468AB59-7FFC-46A0-983B-D9E901BD05C9} - C:\WINDOWS\system32\nkanaa.dll

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete:
    C:\DOCUME~1\David\LOCALS~1\Temp\se.dll <--- actually try to delete all files and subfolders in this Temp folder. If you get any errors, note them and move on.

    C:\WINDOWS\system32\nkanaa.dll

    If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes you read that correctly! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
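
The kinds of entries selected for fixing in the post above can be picked out of a HijackThis log mechanically. The following is an added example, not part of the thread and not code from HijackThis or MajorGeeks; the `triage` function and its heuristics are assumptions made for illustration, and the sample lines are copied from the post except for one constructed benign entry.

```python
import re
from collections import defaultdict

# Entries copied from the HijackThis lines quoted in the post above, plus one
# constructed benign entry ("Example Helper") for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\David\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {18D349EE-29EA-4C22-AF7E-A23010194ED7} - C:\WINDOWS\system32\nkanaa.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/244a30e01d9011825f05/netzip/RdxIE601.cab
O18 - Filter: text/html - {F468AB59-7FFC-46A0-983B-D9E901BD05C9} - C:\WINDOWS\system32\nkanaa.dll
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
DLL = re.compile(r"[A-Za-z]:\\[^/*?\"<>|]*?\.dll", re.I)

# (sections, pattern, reason): heuristics assumed for this example only.
RULES = [
    (("R0", "R1"), r"res://", "IE setting points into a DLL resource (res://)"),
    (("R0", "R1"), r"search.* = about:blank$", "search setting set to about:blank"),
    (None, r"\\temp\\", "file lives in a Temp folder"),
    (("O2", "O3"), r"\(no name\)", "unnamed browser add-on"),
    (None, r"\(no file\)", "registry entry whose file is missing"),
    (("O16",), r"http://\d{1,3}(\.\d{1,3}){3}/", "ActiveX fetched from a bare IP over HTTP"),
]

def triage(log):
    """Return {entry line: [reasons]} for entries matching any heuristic."""
    entries = [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]
    loaded_by = defaultdict(set)          # DLL path -> sections referencing it
    for sec, body in entries:
        for dll in DLL.findall(body):
            loaded_by[dll.lower()].add(sec)
    findings = {}
    for sec, body in entries:
        reasons = [why for secs, pat, why in RULES
                   if (secs is None or sec in secs) and re.search(pat, body, re.I)]
        if any({"O2", "O18"} <= loaded_by[d.lower()] for d in DLL.findall(body)):
            reasons.append("same DLL is registered as both BHO (O2) and filter (O18)")
        if reasons:
            findings[f"{sec} - {body}"] = reasons
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, "\n    ->", "; ".join(reasons))
```

A flagged line is a prompt for review, not a verdict: the constructed benign BHO is the only sample entry that matches none of the heuristics.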
     
  5. RedDave

    RedDave Private E-2

    Hi. Everything appears OK with IE... could not find se.dll and nkanaa.dll to delete, and when I did my reboot in normal mode I got a 'Hardware configuration recovery' screen, but since then everything seems OK.

    Thank you.
     

    Attached Files:

    • AB1.txt (391 bytes)
    • AB2.txt (391 bytes)
  6. RedDave

    RedDave Private E-2

    Sorry, here is the HJT file.
     

    Attached Files:

    • HJT.log (8.8 KB)
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good so far! Is everything still OK?

    You did not answer my comment about:
    O15 - Trusted Zone: http://www.tesco.com
     
  8. RedDave

    RedDave Private E-2

    Yes, thank you, everything is still fine. I shall remove the Tesco site from the trusted list, and once again thank you from a cold UK.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

