about:blank hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by spectrumvoid, Mar 6, 2005.

  1. spectrumvoid

    spectrumvoid Private E-2

    I did everything the tutorial advised (turning off system restore, enabling viewing of hidden files, the online scans, starting in Safe mode with networking etc), downloaded/updated all the recommended software, scanned my whole system in the process (and removed a couple of spyware along the way). OS: Windows XP Home, have been using Firefox but recently needed to use IE because of some Firefox incompatible webpages. Also have Norton Anti-virus installed in addition to the programs mentioned in the tutorial.

    Basically, my IE's still hit with the about: blank hijack. After doing all the above, the 1st page IE shows says something like the congrats, ''' has been removed, and I proceed to reset my homepage. However, after I restart my computer, the hijack hits again, totally disabling my IE.

    Additional Notes:
    1) I removed the Network Security Service from services. (step 1/2 in tutorial I believe)
    2) I ran HijackThis (not from Desktop/Documents and Settings/temporary file), and read the official tutorial. I'm unable to delete O15, and R3. (As in I clicked Fix, then it fixes, and when I scan again it reappears.) And some of the 'suspicious' no.s within the brackets I couldn't find in Tonyk's BHO list (and another list) , so I didn't remove any. Basically, I just removed some startup programs using Autoruns.exe
    3) I'm not sure if this is related. Each time I run Spybot's 'immunize function', they say 1299 bad products already blocked, 1044 additional protections possible. Naturally, I immunize. Then when I restart Spybot, the exact same message appears.
    4) Something similar to 3) happens with Spyware Blaster. Under Protection > Status, Restricted Sites protection is enabled: 1539 items have protection disabled. Again, I click enable all protection. When I restart my computer, voila! The same msg reappears.

    I'd be really grateful to anyone who provides some aid. Though this isn't a major issue for me at the moment, I'd prefer having a Hijack-free computer. Thanks once again in advance.
     
  2. spectrumvoid

    spectrumvoid Private E-2

    I don't know how to edit a post after it's been posted, but I just wanted to add that I'm using Sunjava, and that the spywares I removed are HomeSearchAssistant and Shopping Wizard. And I downloaded and scanned all the programs without a problem.
     
  3. RayDunne

    RayDunne Corporal

  4. RayDunne

    RayDunne Corporal

    Also this thread may help if it relates to your particular situation. That's about all I can do as far as pointing you in the right direction. If you still can't get rid of it, repost and one of the experts can assist you, they are very good, helped me get clean :) Good luck. http://forum.majorgeeks.com/showthread.php?t=55933&page=7&pp=20
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's see what type of infection you have.

    If you have run ALL steps from the READ ME FIRST, and you still have a problem:
    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message.(Do NOT copy/paste the log into your post).
     
  6. spectrumvoid

    spectrumvoid Private E-2

    I ran AdsSpy and Process Explorer for Win XP (as suggested by http://forum.majorgeeks.com/showthread.php?t=38772). My computer crashed, with this msg appearing when I restart it: The system has recovered from a serious error. A log of this... And under more info:
    BCCode : ea BCP1 : 82282020 BCP2 : 8258BF60 BCP3 : 82556008
    BCP4 : 00000001 OSVer : 5_1_2600 SP : 1_0 Product : 768_1

    I'm currently not using my computer at the moment as I'd like to know if it's safe to continue, and run Hijackthis to get the log. As a side-note, the earlier post did not help as the items mentioned do not appear under my Hijackthis log, but thanks anyway.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Generic Solution to HSA is much more complex than just running AdsSpy and Process Explorer. So exactly what did you do with the Generic Solution? And when did this error message begin?

    If you want help, you must post your HijackThis log. about:Blank and HSA hijacks do show in a log. There may be many variations of how they show, but they do show.


    The error message you posted seems more like a hardware or software conflict message.
     
  8. spectrumvoid

    spectrumvoid Private E-2

    Problems I had with the tutorial:
    1) Couldn't remove network security service. I removed it, but it reappeared.
    2) Page was not accessible for both virus and security scans for Symantec. However, I do have Symantec/Norton software on my computer, and I ran the scan, and deleted some trojan horses.
    3) Trend Micro's Free Online Scan could detect but couldn't remove another chunk of viruses, so I used the sysclean offline scanner on Trend Micro's page, and removed a few more viruses/horses. However, there were some errors, where file access was denied, but the program managed to remove all detected ones.
    4) Spybot's Immunize function still doesn't work. It immunizes about 2000+, then when I restart Spybot, it states that it has not been immunized. I have the latest Spybot version, and the patch.

    Extra info:
    1) I didn't go on to Generic solution, as I stopped after installing Process Explorer (in the preparatory step), and I didn't use that either.
    2) I have tried removing O15 trusted zones, but it can't be removed.
    3) I open Internet Explorer, the msg said that my Homepage can now be reset. However, when I open Tools>Options, IE "suffers a critical error" (error message that pops up) and crashes. Then after reopening IE, about: blank hits again.

    Hijackthislog was taken before I opened IE, after going through the tutorial. hijackthislog2 was taken after I opened IE, (after disconnecting from the internet.)

    OS: XP Home
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is very important to always remember to exit ALL browsers before running HijackThis. You had the below running:
    C:\Program Files\Mozilla Firefox\firefox.exe

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 23. The download only comes with version 19 which is out of date. You must update.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Now we need to use HijackThis to remove the Network Security Service!

    Please run HijackThis click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side.
    A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:
    Network Security Service (NSS)
    If that does not work try entering the short name: ? 6QÔõ'ª´ÆÐ8
    Then reboot and let's see if the service is truly gone.

    You should use cut and paste to copy the above info into HJT since you cannot easily enter the above characters from your keyboard.

    After doing the above, the following steps will continue to work on fixing the hijack problem. Hopefully your log has not changed. These hijackers quite often mutate and rename or recreate new problem files.

    Now still with HJT running select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\atlyj.exe
    C:\WINDOWS\nthw.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xjewp.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xjewp.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xjewp.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xjewp.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xjewp.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xjewp.dll/sp.html#93256
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {831707D7-0820-512C-1A76-D057092ABDCD} - C:\WINDOWS\system32\apitq32.dll
    O4 - HKLM\..\Run: [nthw.exe] C:\WINDOWS\nthw.exe
    O4 - HKLM\..\RunOnce: [atlyj.exe] C:\WINDOWS\atlyj.exe
    O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} - http://t058.com/cabtest/counter.cab

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (sort the listing in Windows Explorer by modification date and look for possibly other similarly named files from the same date - let me know if you find others):
    C:\WINDOWS\system32\xjewp.dll
    C:\WINDOWS\system32\apitq32.dll
    C:\WINDOWS\atlyj.exe
    C:\WINDOWS\nthw.exe

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, that is what I said. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (you do not need to pull the power plug here. Just reboot.)

    - Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice or had problems with.
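    A small log triage helper, added here as an example and not part of chaslang's instructions or of HijackThis itself: it parses HijackThis-format lines (a sample constructed from the entries quoted in this post, plus two benign lines) and flags the patterns the fix list above targets, such as a search page served via res:// from a DLL, a missing URLSearchHook, an unnamed BHO, and an autorun executable sitting directly in C:\WINDOWS.

```python
import re

# Constructed sample in HijackThis log format: the entries quoted in the
# thread above, plus two benign lines so the rules have something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xjewp.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xjewp.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {831707D7-0820-512C-1A76-D057092ABDCD} - C:\WINDOWS\system32\apitq32.dll
O4 - HKLM\..\Run: [nthw.exe] C:\WINDOWS\nthw.exe
O4 - HKLM\..\RunOnce: [atlyj.exe] C:\WINDOWS\atlyj.exe
O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} - http://t058.com/cabtest/counter.cab
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"""

# A search/start page loaded from a DLL resource: the about:blank/HSA hallmark.
RES_DLL = re.compile(r"=\s*res://.+\.dll/", re.IGNORECASE)
# An autorun whose executable sits directly in C:\WINDOWS, not a subfolder.
WIN_ROOT_EXE = re.compile(r"\]\s*C:\\WINDOWS\\[^\\]+\.exe\s*$", re.IGNORECASE)


def classify(line):
    """Return a short reason when an HJT line matches one of the patterns
    the fix list above targets, else None. These are heuristics built from
    this thread's entries, not a general malware signature set."""
    kind = line.split(" - ", 1)[0]
    if kind in ("R0", "R1"):
        if RES_DLL.search(line):
            return "IE search/start page served from a DLL resource (res://)"
        if "Default_Page_URL = about:blank" in line:
            return "HKLM default page forced to about:blank"
    elif kind == "R3" and "URLSearchHook is missing" in line:
        return "default URLSearchHook removed"
    elif kind == "O2" and "(no name)" in line and "\\system32\\" in line.lower():
        return "unnamed BHO loading a DLL from system32"
    elif kind == "O4" and WIN_ROOT_EXE.search(line):
        return "autorun of an executable dropped directly in C:\\WINDOWS"
    elif kind == "O16" and "microsoft.com" not in line.lower():
        return "ActiveX download (DPF) from a non-Microsoft host"
    return None


def scan_log(text):
    """Return [(reason, line)] for every flagged entry in a log."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reason = classify(line)
            if reason:
                hits.append((reason, line))
    return hits
```

    Running scan_log(SAMPLE_LOG) flags the eight hijack entries and passes the two benign lines; the same rules run unchanged over a real log pasted into a file.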
     
  10. spectrumvoid

    spectrumvoid Private E-2

    I already had about:Buster updated, it’s currently at 25. I tried entering both Network Security Service (NSS) and the short name (using copy and paste), but it said “service 6QÔõ 'ª´ÆÐ8 was not found in the registry”. Killed process C:\WINDOWS\atlyj.exe, couldn’t find C:\WINDOWS\nthw.exe, couldn’t find O4 - HKLM\..\Run: [nthw.exe] C:\WINDOWS\nthw.exe. Couldn’t find C:\WINDOWS\system32\xjewp.dll and C:\WINDOWS\system32\apitq32.dll. Found n_dtjntn.dat, and some Visual Basic-related files modified at the same date as C:\WINDOWS\atlyj.exe. Deleted atlyj.exe and nthw.exe. Do you mean ab1.log or ab1.txt? I saved it in txt, because there was a msg saying if the file extension was changed, the file may become unusable.

    I changed the IE homepage, but I didn’t move on to plugging back to the internet, and opening IE, as I haven’t removed the Network Security Service.

    Note: I'm now using my brother's computer, NOT my own.
     

    Attached Files: ab1.txt (541 bytes), ab2.txt (422 bytes)
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to post a new HJT log. Please do not reboot or shutdown after posting the log or problem files could mutate making any suggested fixes non-useful.
     
  12. spectrumvoid

    spectrumvoid Private E-2

    I'm going for a 2-day camp, so I can't leave the computer running after posting the log. I'll redo the steps when I get back. Thanks for the info!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Talk with you later. Hope it's warm where you are going. It's snowing here.
     
  14. spectrumvoid

    spectrumvoid Private E-2

    Hm... I think the hijack is gone now, I had no problems closing and reopening IE. Everything I said in the earlier post about the kind of files that I couldn't find still applies. And I merged the move.reg file, but the trusted zone entry reappears. About Buster shows the same log file each time I run the scan.

    It's approximately 31 degrees here (not sure how much that is in Fahrenheit, but the normal human temperature's about 36-37 degrees Celsius.) No snow :'(
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have HijackThis fix this one entry below (left over from running HSremove).
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    We need to do the registry merge one more time! Overwrite the previous move.reg file with the below.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
     
  16. spectrumvoid

    spectrumvoid Private E-2

    It's done. I ran hijackthis again, and the trusted zone line didn't appear. And IE's working fine. Thanks a lot for all the help!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
