about:blank - it's got me too

I've been looking at threads in the forum, and it sounds like I'm not the only one with this trojan. It keeps changing the home page back to about:blank and putting sex and other sites in Favorites on my XP Pro station.

I've got thru everything in the "Read Me First" documentation, up to and including HiJack This. (All I did with HiJack This is install it, run a scan, and create a log. I'm a novice and would have NO other idea what to do!) By the way, it installed in a C:\unzipped folder when I extracted the ZIP file. Is that okay?

What next? Be patient with me -- our tech guy left in Sept, and I'm winging it here by myself at a 40-user office!

 

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

After doing ALL of the above if you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Yes, I did run those items in the READ ME FIRST thread. Attached is the HiJack This log (I hope).

 

Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\effgp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\effgp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [addtd32.exe] C:\WINDOWS\system32\addtd32.exe

O15 - Trusted Zone: http://*.travelers.com
O15 - Trusted Zone: http://*.travelerspc.com
O15 - Trusted Zone: http://*.travelers.com (HKLM)
O15 - Trusted Zone: http://*.travelerspc.com (HKLM)

Are you familiar with these entries?? If so, leave them as is. If you do NOT know them, have HJT fix them.

Again, make sure All Browser Windows are Closed when you Click FIX.


NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\WINDOWS\effgp.dll

C:\WINDOWS\system32\addtd32.exe

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Dont forget to update Spybot S&D by selecting "Search For Updates"

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows

FINAL STEP

Reset Web Settings & Default Security Settings:


To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.



NOW:
Scan with HijackThis and attach the new log.
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

Good Luck!

 

Followed instructions in your earlier post - no problems. Attached is HJT log.

When I opened IE, the about:blank homepage did NOT load. Also, two of the three of the Favorites that had placed themselves were gone. I just deleted the last one, closed the browser and reopened and it did not come back.

Could this actually be fixed??!!

By the way, re: the items you had in a quote box in your last post: As I'm not the regular tech person, I don't know about those. I was reluctant to touch them, so I did not fix them with HJT.

 

Log looks clean to me!

Are you having any further problems?

 

I'm positively WEAK with relief...and gratitude! I'd offer you my first-born, but you probably wouldn't want him.

You are the best. Many thanks...

I take it I should put System Restore back on?

 

Yes, its Safe to re-enable System Restore.

Also, You should see this article on How to Protect yourself from malware!

Browse Safely!