about:blank new case

Discussion in 'Malware Help (A Specialist Will Reply)' started by ben-g, Jan 7, 2005.

  1. ben-g

    ben-g Private E-2

    Hi there,
    I have some infection/hijacking problems lately. My home page is hijacked with "about:blank trusted trusted start page". And I know that more people have had this problem, but with their messages I was not able to get rid of it!

    First I tried to do what is explained on: Read this first: http://forums.majorgeeks.com/showthread.php?t=35407
    But all the online and free scans didn't work. Well, as a matter of fact, it became worse after running the online checks in safe mode (there's no firewall in my safe mode!!!). I found a lot of viruses with the scans, but my home page stays hijacked. After the scans I got the elitumElitebar as well, which is found by Spybot S&D, but can't be deleted.

    Is there anyone who would like to help me get rid of my infections and hijacks? I can post a HijackThis log. I hope so, please let me know!

    See ya, Ben-G
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, I would not say the online scans did not work; they did find a lot of viruses, which is one of the reasons we want you to run them. All of the recommended steps/scans may not always fix the exact problem you have. However, they do typically find additional problems (like in your case) that require fixing, which will make the additional cleanup steps go smoother.

    If you have performed all the steps of the READ ME FIRST and you still have a problem, follow the guidelines below and post your HJT log.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. ben-g

    ben-g Private E-2

    Yeah, I did run HijackThis, see attachment. I hope you guys can see what's wrong with my computer, because I don't understand much of the log file... :rolleyes:

    OK, thanks in advance for watching the log file, and I hope to find out how to get rid of this brutal hijack. Is this hijacking legal anyway? Can't I sue someone for this???

    See ya!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have two antivirus applications installed and running. You must choose one and uninstall the other. They will conflict with each other and will eat up valuable system resources.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    D:\WINDOWS\System32\evosys.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    Did you want your start page to be set to about:blank? If so, skip the next two lines. Otherwise fix them and set your home page manually in Windows Explorer.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [blah service] evosys.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
    O4 - HKLM\..\RunServices: [Windows Media Player] msams.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [blah service] evosys.exe
    O23 - Service: Win32 USB2.0 Driver - Unknown - D:\WINDOWS\System32\w32usb2.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    D:\WINDOWS\System32\evosys.exe
    D:\WINDOWS\System32\mssw32.exe
    D:\WINDOWS\System32\msams.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. ben-g

    ben-g Private E-2

    OK, I tried to follow your instructions, but not everything worked. Maybe first I'll have to give a little background info on the situation: I have Windows XP, and my problem is that my home page is hijacked. Every time I change my home page settings, it switches back to about:blank. It means that some kind of start page is started. Next to this problem (or maybe it is the same) my Spybot S&D finds ElitumElite, but can't fix it.

    Right, I've followed your instructions and in HijackThis I killed

    D:\WINDOWS\System32\evosys.exe

    Then I fixed in HJT the following

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [blah service] evosys.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
    O4 - HKLM\..\RunServices: [Windows Media Player] msams.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [blah service] evosys.exe
    O23 - Service: Win32 USB2.0 Driver - Unknown - D:\WINDOWS\System32\w32usb2.exe (file missing)

    Then, in safe mode I deleted

    D:\WINDOWS\System32\evosys.exe

    but I couldn't find

    D:\WINDOWS\System32\mssw32.exe
    D:\WINDOWS\System32\msams.exe

    So I couldn't delete those. I attached a new log file. I hope you can find something in there? Thanks in advance!

    Ben-G
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I want you to do something to check your virus application out:

    Start Norton AntiVirus from “Start \ Programs \ Norton AntiVirus”. If Norton AntiVirus comes up without problems, then you are probably okay and the BootWarn.exe entry in your HJT can be fixed.
    It was left behind by mistake and is no longer needed now that Norton AntiVirus is fully installed and opens without error messages (you don't get any error messages do you)?

    Do you have SpywareBlaster or any other programs installed that may be blocking your home page from being changed?

    Try this:

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.majorgeeks.com (leave it at that for the time being we can change it to what you may want later). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now post a new HJT log.
     
    Last edited: Jan 9, 2005
  7. ben-g

    ben-g Private E-2

    Hi,
    The problems are not over yet! My Norton didn't find any infected files! My Spybot still finds ElitumElite files, but still can't fix them.

    I also tried to change my homepage again, including the reset and deletion of cookies and all that, but after I open Iexplorer, the settings change back to the about:blank page.

    Do you have any suggestions what it can be? I can't imagine that this can't be fixed! Hope to hear some ideas!

    Ben-G
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your home page is set to www.majorgeeks.com as I had you change it.

    Just have HJT fix the below entry:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


    Check out message #14 in this thread:
    http://forums.majorgeeks.com/showthread.php?t=51474

    You may have the same issue.
     
    Last edited: Jan 10, 2005
  9. ben-g

    ben-g Private E-2

    HI, Thanks. I got rid of the Elitum.Elite infection, by following your advice in thread 14 (MS antispy, and your fixvx2.reg file (without internet connection)). Thanks for that! That one worked!

    My hijacking problem is still not solved though! Every time I change it in the internet options, or even in MS antispy I got the chance to change it, but every time I open Iexplorer and I check my internet options again, my homepage is changed to about:blank again.

    I've created a new HJT log file, maybe you can see if there's still something wrong?
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to uninstall all of your antispyware programs and popup blockers and then reboot. Do not reinstall them yet. I would be careful with using Microsoft Antispyware anyway. It has problems with false positives, and some items it will clean up were put into your system to protect you from malware.

    Now use the method I gave at the end of message # 6 to Reset Web Settings. Now get a new HJT log and post it here.
     
  11. ben-g

    ben-g Private E-2

    Remove all my antispyware? R U serious? I have a lot of them installed since I got all these hijacking problems...

    I have:

    Spybot S&D
    Ad-aware SA
    Pop-up Away
    Microsoft AntiSpyware
    AboutBuster
    LSPFix.exe
    CWShredder.exe
    HijackThis.exe
    Stinger.exe

    Do u really want me to uninstall/remove them all, or can I keep a few of them?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Spybot S&D <--- uninstall
    Ad-aware SA <--- you can leave this as long as it is not the purchased version
    Pop-up Away <--- uninstall
    Microsoft AntiSpyware <--- uninstall, has too many false positives anyway
    AboutBuster <--- not an antispyware scanner program and is not installed
    LSPFix.exe <--- not an antispyware scanner program and is not installed
    CWShredder.exe <--- not an antispyware scanner program and is not installed
    HijackThis.exe <--- not an antispyware scanner program and is not installed
    Stinger.exe <--- not an antispyware scanner program and is not installed


    Are you sure you do not have SpywareBlaster installed? If you do, uninstall it too.
     
  13. ben-g

    ben-g Private E-2

    Okay, I've uninstalled:

    Spybot S&D
    Ad-aware SA (just in case)
    Pop-up Away
    Microsoft AntiSpyware

    Then I rebooted, did a virus check with Norton (which did not find anything), and then I changed my home page as you explained in #6.

    After this I did run HJT, see my file. I tried to fix the following line:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    Then I rebooted again, and opened Iexplorer. It opened with www.majorgeeks.com for once, and if I check Tools -> Internet Options, it is changed back to about:blank... Just like before!

    Do you have any other ideas?
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! As long as everything is still uninstalled, do the below!

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now open and close a couple of IE sessions! Then get a new HJT log and post it.

    By the way you did not answer the below question before:

    Are you sure you do not have SpywareBlaster installed? If you do, uninstall it too.
     
  15. ben-g

    ben-g Private E-2

    Alright, I've changed it again in the IE properties and you can see in the first hijackthis.log file that the first line has been changed to majorgeeks.com, but the second stays about:blank.

    Then I opened IE two times, and about:blank has returned, as can also be seen in hijackthis2.log.

    By the way, I don't have SpywareBlaster installed, I don't know to be honest if I ever had it, but that doesn't matter, does it?

    Ok, thanks for your effort man!
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixhome.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)


    Double-click on the fixhome.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Now get another HJT scan. Then run IE a couple time and see what happens.
     
  17. ben-g

    ben-g Private E-2

    Oh, man! How persistent can this hijacker be??

    I used your fixhome.reg and I ran HijackThis, see attachment hijackthis5.log. Then I opened IE, which opens with Majorgeeks.com, but changes as usual directly back to about:blank. In hijackthis6.log you can see what it looks like after opening IE!

    Do you think I have to take drastic measures, like re-installing Windows again? I hope not!
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are there other user accounts on this PC?

    If so, have you checked each of them out?

    Please get a copy of the below file into a ZIP file and post it here as an attachment:

    D:\Windows\Inf\IERESET.INF

    Then I want you to do the steps of message #16 again, except at the end DO NOT run HJT or run any browsers. In fact, make sure when you run the steps that every application, especially browsers, is closed. Then as soon as you finish merging into the registry, do the following (yes, you are reading it correctly):

    pull the power plug to your computer!!! The object is to not have a graceful Windows shut down. Malware can respawn during a shut down. Wait a minute and then power back up.

    Now see what happens.
     
    Last edited: Jan 12, 2005
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  20. ben-g

    ben-g Private E-2

    OK, I did #16 again and then I killed the power for a minute. When I started, first a disk scan came up (did I have to skip it?). Nothing was changed, my IE is still not good.

    I don't have other users, only my own (called: ben) and of course as an admin.

    Then I downloaded the three files (zips and exe) and I ran the find.bat file (output.txt as attachment). I also zipped an iereset file for u, as u asked. I hope u can understand it.

    One last detail: since I have this problem with my homepage, my IE shows a "-" after the title of the page. So for example this page is titled: MajorGeeks Support Forums - Reply to Topics - (normally it would be: MajorGeeks Support Forums - Reply to Topics) without "-" at the end. Maybe it is not important, but that's just what I noticed.

    OK, hopefully it will make things clearer??
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you use or did you ever use a program called ReGet (see http://deluxe.reget.com/en/)?

    I see something in the output.log that I'm wondering about. This is what I'm referring to:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "iebar"=""

    I'm not sure if iebar is valid or not. A search brings up the above link and also:
    http://computercops.biz/clsid-694.html
     
  22. ben-g

    ben-g Private E-2

    Ah, interesting...

    To answer your question, no, I never used software called ReGet. It seems from their page that it is some kind of speeding-up download thing and u have to pay for it, but I never pay for software!

    It might be the iebar thing, but I think u know a lot more about these things; what do u think, should I try to get rid of this iebar? (You probably know how to get rid of it, don't u?)

    Do I have to do something with the killbox and VX2Finder(126).exe?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We don't need to use VX2finder or Killbox for anything yet.

    Copy the contents of the bold print in the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Then get another find.bat log and post it. Also check if you still get the extra -
     
  24. ben-g

    ben-g Private E-2

    I did the fix.reg, then another find.bat, see attachment.

    IE didn't change the extra -

    The webpage is still changed back to about:blank whenever I try to change it. I don't really understand the find.bat output file, but I saw that the iebar was not present anymore in the HKEYs. OK, but probably u do understand it.
     


  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I'm not sure what is causing this. Are you sure you have no other programs loaded/installed that try to protect your home page?

    Do you have system restore disabled?


    Download ProcessExplorer: http://www.sysinternals.com/files/procexpnt.zip
    Now leave one Internet Explorer session running (like this one).

    Unzip ProcessExplorer and now run it and lets configure some options first:
    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLLs is checked. Now click on iexplore.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    Now click on File and then Save As. And save the process list. Post it back here as an attachment. Also, from now on if I say to kill a process, use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can kill things that Task Manager and HijackThis's process manager cannot.

    After that create a StartUp List Log using HijackThis.
    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the "Do you want to continue" prompt. Now a Notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.

    Also download one more item AppRead:
    http://www10.brinkster.com/expl0iter/freeatlast/FNF/AppRead.zip

    Unzip AppRead.zip to a folder. Double click on the regread.exe file. Don't run the other program called runread.exe. regread.exe will create a file in the same directory it was run from called regread.log. Upload regread.log here too. That will require an additional message because you can only have two attachments in a message.
     
    Last edited: Jan 13, 2005
  26. ben-g

    ben-g Private E-2

    My system restore is (and was) turned off. I don't think I have any programs running that will protect my homepage, at least not that I'm aware of.

    I did the ProcessExplorer steps you told me to do, and the attachment is called: iexplore.exe.txt.

    Then I did the HJT start up list, I didn't know if I had to close all IE windows, so I didn't close them.

    I couldnt download AppRead http://www10.brinkster.com/expl0ite...FNF/AppRead.zip, I was not allowed on that page --> I was not authorized for this page...
     


  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go to here first:

    http://www10.brinkster.com/expl0iter/freeatlast/FNF/

    then scroll down the page until you see:

    >>AppRead.zip-AppInit_Viewer made by IMM(2K/XP only!)<<

    Click on it to download AppRead.zip. Then follow my previous instructions.

    I also see a DLL file attaching to Iexplore.exe that I don't like the looks of. Please do the following:

    Click Start, Search and then select "All files and folders"
    In the "All or part of the file name:" box, enter ppc.dll
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    Tell me exactly what matches you get. It could be:
    C:\WINDOWS\SYSTEM\ppc.dll
    or
    c:\Program Files\PPC Advertor\ppc.dll << I'm guessing this one.

    I need the results of the above before continuing on the about:blank problem but there is another entry I just noticed in your HJT log that should be fixed.

    Run HJT and fix the below entry:
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games6.cab
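    A script version of the checks chaslang walks through in posts #4, #25 and #27 (start-page values, autostart entries, and which DLLs sit inside iexplore.exe), added here as an example and not posted by anyone in the thread. It assumes a PowerShell-capable Windows host and the classic IE registry layout shown in the HJT R0/O4 lines; the PPC Advertor path mentioned in the comments is the one ben-g found.

```powershell
# Added diagnostic script, not from the thread. Mirrors the checks chaslang
# used: the HJT R0 start-page values, the O4 autostart entries, and the
# ProcessExplorer "Lower Pane / DLLs" view of iexplore.exe. Run in an elevated
# PowerShell session with one IE window open, as post #25 asks.

# 1. Start Page values. A value that reverts to about:blank after every manual
#    change means something rewrites it when IE starts; editing the key again
#    (fixhome.reg, HJT fix) only treats the symptom.
$startPageKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main'
)
foreach ($key in $startPageKeys) {
    $item  = Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { '<not set>' } else { $item.'Start Page' }
    'R0 {0}\Start Page = {1}' -f $key, $value
}

# 2. Autostart entries. Unfamiliar value names such as "blah service" or
#    look-alike names such as "Microsoft Windows W32 Services" stand out here.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) {
        'O4 {0}: [{1}] {2}' -f $key, $p.Name, $p.Value
    }
}

# 3. DLLs loaded into iexplore.exe from outside the Windows and IE folders.
#    In this thread that list exposed D:\Program Files\PPC Advertor\ppc.dll,
#    the component that kept resetting the home page. Reading Modules fails
#    when the process and the shell differ in bitness, so catch that case.
$winDir = $env:SystemRoot
$ieDir  = Join-Path $env:ProgramFiles 'Internet Explorer'
foreach ($proc in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    try {
        $foreign = $proc.Modules |
            Where-Object { $_.FileName -notlike "$winDir\*" -and
                           $_.FileName -notlike "$ieDir\*" }
        foreach ($m in $foreign) {
            'iexplore.exe (PID {0}) loads {1}' -f $proc.Id, $m.FileName
        }
    } catch {
        'iexplore.exe (PID {0}): cannot read modules ({1})' -f $proc.Id, $_.Exception.Message
    }
}
```

    Any module reported in step 3 that lives under a vendor folder you did not knowingly install is the candidate to unregister and remove, which is exactly how the thread ends.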
     
  28. ben-g

    ben-g Private E-2

    I attached the REGREAD.LOG file.

    I also searched for ppc.dll and it was located on

    D:\Program Files\PPC Advertor\ppc.dll, like u were thinking. (D:\ is my Windows disk).

    then I fixed in HJT:

    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games6.cab
     


  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Okay. Thats what I suspected! Follow the steps below.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u D:\Program Files\PPC Advertor\ppc.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Then reboot in safe mode and make sure no browsers or other applications are running.
    Run Windows Explorer and navigate to and delete:
    D:\Program Files\PPC Advertor <---- the whole folder

    Let me know if you run into any problems doing this.

    If that all worked, then reboot in normal mode and Reset Your Web Settings as we tried before. Let me know how things look now.
     
  30. ben-g

    ben-g Private E-2

    When I run your line (regsvr32 /u D:\Program Files\PPC Advertor\ppc.dll), I get the message that something failed. I made a jpg of that message and attached it.

    I don't know if that is right? Before I continue with the rest in safe mode I would like to hear from u if that message is OK?
     


  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay just continue and let me know what happens.
     
  32. ben-g

    ben-g Private E-2

    Yes!!! You did it, man. Finally the homepage doesn't change anymore. So I deleted the folder D:\Program Files\PPC Advertor in safe mode.

    And then I reset the IE settings like u showed before.

    There is still that extra - that we talked about, but probably it has nothing to do with this, it doesn't bother!

    Thanks for your help chaslang! I'm gonna reinstall my Spybot and Ad-Aware, before I get more of these problems.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

