about:blank & Only the Best -- Where to start?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by planders, Aug 23, 2004.

  1. planders

    planders Private E-2

    Our computer has been infected with the about:blank homepage hijack and Only the Best pop-ups. I'm a complete novice at all this and don't know where to start.

    I have printed:
    "When all else fails - try Generic Solution to HSA"
    "Basic Spyware, Trojan, and Virus Removal"
    Hijack Tutorial

    I've downloaded:
    Ad-aware
    Spybot S&D
    HSRemover
    HijackThis
    Ccleaner
    ProcessExplorer NT/2K/XP
    CWShredder

    I just don't know where to start. Should I try the "Basic..." first? I do have a HijackThis log that I'll attach. HELP!
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before getting started on the hijackers, you first need to run the stuff from "Basic Spyware, Trojan, and Virus Removal".

    Also, do you recognize the two IP addresses from your O17 line:
    217.237.150.33 = [ www-proxy.F2.srv.t-online.de ]
    194.25.2.129 = [ dns03.btx.dtag.de ]

    If not, you should run HijackThis and put check marks on that O17 line along with the O16 & O18 line shown below and then click fix.

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\kiqkfwxj.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4544A61D-25FF-4950-A0D0-9A76623AE18B}: NameServer = 217.237.150.33 194.25.2.129
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    After running thru all the steps of the Removal tutorial and fixing the lines I gave you above, if you are still having a problem with the hijacks, post a new HJT log attachment but do not reboot or shut down your computer (or the problem will mutate). You can disconnect from the internet but keep your PC running until you hear back from me. I will get you pointed in the right direction on using the Generic Solution thread based upon the HJT log you post.
     
  3. planders

    planders Private E-2

    Thank you for your help. I followed the steps in "Basic Spyware..." and things seem to be good. When I restarted IE, I got my home page, not about:blank. I haven't had an Only the Best pop-up since I've been on.

    RE the O17 line: I am in Germany, and I recognized the first IP as my provider (t-online). 'de' seems to be a common extension for websites in Germany. I don't know about the other one, though.

    Should I go back and run HJT and delete 16 and 18??

    Again, thank you, thank you, thank you...
     
  4. planders

    planders Private E-2

    "Spoke" too soon. My start page is redirected to about:blank again.

    Attached is the new HJT log.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that is the typical behavior. These problems are quite stubborn and can look like they are gone for a short while. Then after opening and closing a few browsing sessions and/or rebooting, it is back again. Don't get frustrated. It sometimes takes multiple attempts and repetition of things already tried a few times to get rid of these issues.

    So you now have to use my Generic Solution thread: http://forums.majorgeeks.com/showthread.php?t=38772

    Follow directions EXACTLY. Read thru them first and make sure you understand everything before you start. You cannot do partial steps or skip around. You must do everything from beginning to end. The only item you can skip is the one I mention in step 6, but that is only if you do not find the services mentioned running. It is also advisable to do this in one continuous flow (as best as you can).

    The items from your log that are visible to me (you will have to look for other items indicated in the procedure yourself):

    This process (part of step 8):
    C:\WINDOWS\system32\crkj.exe

    These R0&R1 lines (needed in step 12):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\esbri.dll/sp.html#12802
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\esbri.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\esbri.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\esbri.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\esbri.dll/sp.html#12802
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\esbri.dll/sp.html#12802

    Thus the DLL file you will blank out in step 5 is C:\WINDOWS\esbri.dll

    Your O2 line BHO is (needed for step 7):
    O2 - BHO: (no name) - {574F8EC4-FA78-8A43-7216-A401257D764A} - C:\WINDOWS\system32\sysdd.dll

    Your O4 startup process line is (needed for step 8):
    O4 - HKLM\..\Run: [crkj.exe] C:\WINDOWS\system32\crkj.exe

    In step 12 when you are having HijackThis fix the R0&R1 lines, also add this line to the list to fix:
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
     
    Last edited: Aug 24, 2004
  6. planders

    planders Private E-2

    I’ve read your directions to the Generic Solution and have a few questions. Thanks in advance for all your help and patience!

    In step 2, where is Windows Explorer on the XP interface? I know that’s a dumb question, but I’m actually a Mac user (please don’t hold that against me!). I remember it in the start menu in older OSs, but can’t “find” it here.

    In step 5, does it matter what name I save the empty file with? Where do I save it? I am a little confused about #5.

    In step 10, do I do a search (on the HD) for all the DLL and EXE files in step 7 and 8 and delete them from there? What do you mean by “delete the file indicated in the Path to executable” (Network Security Service)? Where do I delete? If I find it, do I include the /s in the delete?

    In step 11, do I use “Search” to find c:\windows\Prefetch ?

    Thanks,
    planders
     
  7. planders

    planders Private E-2

    One more question:
    In an earlier post you told me not to reboot because the problems might mutate. In step 1, you tell us to disable system restore and reboot. Should I reboot?

    planders
     
  8. gdb

    gdb Private E-2

    Hi, I'm also experiencing these problems (Only the Best and search-to-find pop-ups, and about:blank). I've already downloaded and run Ad-aware and Spybot Search and Destroy and have removed all files, but the problem still occurs. I'm trying to follow the Generic Solution for the HSA (Only the Best) hijack, and have run HijackThis. However, I'm not sure what to fix. I've tried to create a logfile, but I was unable to save a log file as it says "Error Runtime error 6 overflow" when I try to save it. It seems to think that my hard drive is a read-only device when I run HijackThis (it gives it as an error message; however, it still scans fine). Any help would be greatly appreciated.
     
  9. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Start your own thread please. It is considered rude and confusing to start a problem in someone else's thread. Imagine you're in the store waiting at the customer service line and decide to walk right past everyone and just start asking your question while the other person is talking to the customer service rep. That's pretty much what you just did :)
     
  10. gdb

    gdb Private E-2

    Sorry
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can find Windows Explorer by clicking Start, All Programs, Accessories and you should then see it in the list (I always put a shortcut to it on my desktop). You can also right click on MyComputer (if it is on your desktop) and select Explore. Also, you can right click the Start button and select Explore. There are many ways to bring up Windows Explorer.

    In step 5, you are saving it to the same file name you loaded but it is just an empty file.
    If you just follow that step exactly as written, it is all taken care of for you. Basically you are loading a file into notepad, deleting all the info in the file, and writing it back out where it came from. Then after doing that you need to use Windows Explorer to navigate to the directory where your file is located, right click on it, select Properties, and change the attribute to read only. So for the log you gave me, you need to get to the C:\WINDOWS directory and right click on the file esbri.dll.

    In step 10, I did not say search, but that could be done if you set up the search program to locate hidden files, folders, system files, etc. (sort of like I had you do for Windows Explorer in step 2). It would be faster to just use Windows Explorer again though, because you can see many files all at once rather than having to search for one at a time. Once found, right click on the file and select Delete.

    If you find the Network Security Service and/or the Workstation Netlogon Service running, you just need to note the full path to the filename as I indicated in step 6. In step 10, I specifically stated the /s has nothing to do with the file name. So for my example the full path said C:\Windows\system32\javajt32.exe /s, you just need to go to c:\windows\system32, locate the file javajt32.exe and right click on it and select Delete. Don't forget that is an example filename. Yours (if found) will most likely be different.

    In step 11, do not use Search. Again it is too slow. Use Windows Explorer.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember that this Generic Procedure is written for someone going thru the steps by themselves. So they could reboot at that point and get a new HJT log and find all the correct information again.

    Since I'm trying to help you by giving you specific names, if you reboot at that point it could change the names and you will have a problem. So if you have not rebooted or powered down since sending me the log, do not reboot after disabling System Restore. Just disable it and click No if asked to reboot. Your reboot will then occur in Step 10 when we boot to Safe Mode.

    Make sure you print the information in the Generic Solution. Because it is very important that you do what step 4 indicates:

    4) Physically disconnect from the internet (pull your ethernet cable if you have DSL or cable modem. If you have an analog modem, drop your connection and unplug the telephone line to the modem.) Also at this point, you must exit all Internet Explorer sessions (it would be a good idea to exit anything that is not necessary).
     
  13. bern

    bern Sergeant

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That link will not help! It has no fixes for the about:blank problem. It also implies that CWShredder fixes the problem when it does not and never has. The only tools that have come close to fixing true about:blank and HSA hijacks are about:Buster and HSRemove, and even they don't work most of the time. At least not all by themselves. Thus, that is why I wrote the GENERIC SOLUTION FOR "Only the Best" aka "HSA" HIJACKER. While it initially was for the HSA hijack, it can be used for some forms of the about:blank hijack too since there are many similarities between HSA and about:blank.


    Edit: Well reading into all those posts a lot further I found some additional posts that did have useful info. But it was the same things I have done here on MGs many times (like erasing AppInit_DLLs value if found in the registry). Nothing new.
     
    Last edited: Aug 30, 2004
  15. coboy

    coboy Private E-2

    Re: about:blank & Only the Best -- I got lost?

    Hi there, I am only new to this site so I hope that you can help me. I have been following the step by step guide on how to delete the about:blank pop-up from the computer. This is what happens, and it ONLY happens when I check my mail. What happens is that I log onto Yahoo to check the mail, and then when I enter my details in and I am forwarded to the mailbox the about:blank kicks in. Now it only happens when I go into the mail box, but no other page.

    I have downloaded Spyware Doctor, Ad-aware, HijackThis, SpySweeper, Spybot and about:Buster. I have turned off the system back up, and before this I updated everything. I then scanned the computer with all of them in safe mode, and deleted all the files that were threats.

    I then followed the instructions on the http://forums.majorgeeks.com/showthread.php?t=38772 page but I got stopped by some problems. These were: Windows Registry Editor, I didn't know what key I was supposed to back up.
    However, the major problem was the opening of the notepad. On the tutorial it reads as the following: ) Now we are going to use notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijackThis log. To do this click Start, Run, and enter the following command "notepad c:\path\xxxxx.dll" (without the quotes) and click OK.
    And that we must change the extension name as there is no generic extension, that is fine, so what I did was take the address from the hijack list and then tried to run it, but it said that there was no destination of that kind. OK, so I just searched for it manually, the xxxxx.dll that is, and I found it, and then I opened it with notepad, but it was empty; even the properties says that there was 0 bytes, so at this stage I just gave up, because it says that the steps MUST be followed.
    Can someone please tell me what I am supposed to do to get rid of this problem,
    thank you for any help that I may receive,
    Coboy
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: about:blank & Only the Best -- I got lost?

    You are the second person to come in and try to hijack this thread. You need to start your own thread for your problem. We will be more than happy to answer your questions there. So begin a New Thread and post your questions again.

    If you don't know how to start a thread, read this: http://forums.majorgeeks.com/showthread.php?t=31333
     
  17. planders

    planders Private E-2

    Okay, here I am again:

    -I did shutdown this afternoon due to a storm that moved through the area. Probably unnecessary. Ran HJT again and thought I knew what I was doing (famous last words). I've just finished going through the steps to clean things up.

    - The HJT log that I did showed the same exe file (crkj.exe) that I know I deleted. Can you tell how I messed up?

    - In the HJT log an O2 line has a new suspicious .dll -- ipmb.dll

    -When I rebooted and started IE again I immediately got an Only the Best pop-up.

    During the clean-up:
    - Found Network Security Service and disabled. The path was this: C:\WINDOWS\REGULOCS.OLD:bsqtm /s. I was looking for an exe (I thought). When I found it, I chickened out at the last minute and didn't delete. It didn't have the :bsqtm after it. Just went now and NSS had been started again.
    -Steps 13b,c,d. I ran regedit and did a search from the edit menu. Was that right?

    Attached are the two logs. I'm so frustrated, but thanks for your help!
     

  18. planders

    planders Private E-2

    Wish I could remember it all in one post - sorry for that...

    Norton Anti-Virus says that it's found a virus on my machine with this .exe:
    nettk.exe. It's in the Windows32 folder. I found it. Can I delete?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wow! about:Buster keeps finding a load of crap, doesn't it.

    From the HJT log you just gave me, the problem is not yet back in full swing. There were no R0&R1 lines yet. You may need to open and close a few Internet Explorer sessions and then get another HJT log. All that showed right now was:

    O2 - BHO: (no name) - {EBC21DD1-18C4-74D7-C935-89E653731491} - C:\WINDOWS\ipmb32.dll
    O4 - HKLM\..\Run: [crkj.exe] C:\WINDOWS\system32\crkj.exe

    As far as finding "C:\WINDOWS\REGULOCS.OLD:bsqtm /s", this is a new one. Are you sure you were looking at the "Network Security Service" (exact wording)? Also, did you find a Workstation Netlogon Service running?

    Did you do all the steps in order? Did you have any problems finding or deleting any of the files as required (other than NSS)?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's probably part of this hijack, and if you run another log now you will probably see it running. Running thru the procedure again will most likely remove it too. Check the two services again (NSS and WNS) to see if they are running. You will probably not be able to delete nettk.exe unless you kill the process with Process Explorer. But if other aspects of the hijacker are still running, they will just spawn a new process with a new name.
     
  21. planders

    planders Private E-2

    From the HJT log you just gave me, the problem is not yet back in full swing. There were no R0&R1 lines yet. You may need to open and close a few Internet Explorer sessions and then get another HJT log.
    The R0 and R1 lines are there now. I also have a new questionable one (I'll go and check online to see if it's a legit .exe): apppi.exe. I've attached the new HJT log.

    As far as finding "C:\WINDOWS\REGULOCS.OLD:bsqtm /s", this is a new one. Are you sure you were looking at the "Network Security Service" (exact wording)? Also, did you find a Workstation Netlogon Service running?
    I've attached a screen shot of the NSS window. I couldn't figure out how to add it to the post. I think I have the right thing. It keeps on re-starting itself. Also, I did not find a Workstation Netlogon Service. There was a "Workstation", but it seemed legit.

    Did you do all the steps in order?
    Yes

    Did you have any problems finding or deleting any of the files as required (other than NSS)?
    I was confused in steps 13b,c,d. I didn't know how to search the registry, but I thought I'd figured it out. I went to Start->Run->Regedit. Then I did a Find from the Edit menu. Was that the right thing to do? I did not find any of the files (thought I was almost home free). I also did not find anything in steps 13l or 13m. Also did not find any of the files mentioned in Step 15.
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes this new process is bad: C:\WINDOWS\apppi.exe

    Your new R0 & R1 lines are:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\osfvg.dll/sp.html#12802
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\osfvg.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\osfvg.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\osfvg.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\osfvg.dll/sp.html#12802
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\osfvg.dll/sp.html#12802

    Thus, the file to edit with notepad is C:\WINDOWS\osfvg.dll

    The new O2 BHO line is:
    O2 - BHO: (no name) - {EBC21DD1-18C4-74D7-C935-89E653731491} - C:\WINDOWS\ipmb32.dll

    And the O4 lines are:
    O4 - HKLM\..\Run: [crkj.exe] C:\WINDOWS\system32\crkj.exe
    O4 - HKLM\..\Run: [apppi.exe] C:\WINDOWS\apppi.exe


    That NSS file "C:\WINDOWS\REGULOCS.OLD:bsqtm /s" is still a new one to me, but you do have it disabled. I believe it looks like this because they are using ADS (Alternate Data Streams) to hide it. Hopefully about:Buster can get rid of it.

    If you did not find those items in steps 13b, c, d, l or m or the ones in step 15, that's okay. We always need to check through every time because you never know when they will occur. Sometimes about:Buster cleans them up for us.

    Run thru the process again from start to finish with the new information. Sometimes it just takes repetition to beat this sucker.
     
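    As an added example (not code from this thread or from any MajorGeeks tool), here is a small Python triage helper that pulls out of HijackThis lines the items chaslang picks out above and in post 5: the DLL behind the res:// R0/R1 lines (step 5), the O2 BHO (step 7), the O4 run entries (step 8), plus the O16, O17 nameserver and O18 entries flagged earlier; it also splits a service "Path to executable" such as the REGULOCS.OLD:bsqtm one into host file, stream name and arguments, treating a second colon after the drive letter as an NTFS alternate data stream. The embedded log lines are constructed from the ones quoted in this thread, not a full log.

```python
import re

# Constructed sample: the HijackThis lines quoted in this thread, not a full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\osfvg.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\osfvg.dll/sp.html#12802
O2 - BHO: (no name) - {EBC21DD1-18C4-74D7-C935-89E653731491} - C:\WINDOWS\ipmb32.dll
O4 - HKLM\..\Run: [crkj.exe] C:\WINDOWS\system32\crkj.exe
O4 - HKLM\..\Run: [apppi.exe] C:\WINDOWS\apppi.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\kiqkfwxj.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4544A61D-25FF-4950-A0D0-9A76623AE18B}: NameServer = 217.237.150.33 194.25.2.129
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""

GUID = r"\{[0-9A-F-]+\}"
RES_DLL = re.compile(r"^R[01] - .*= res://(?P<dll>.+?\.dll)/", re.I)
BHO = re.compile(r"^O2 - BHO: .*? - (?P<clsid>" + GUID + r") - (?P<file>.+)$", re.I)
RUN = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DPF = re.compile(r"^O16 - DPF: (?P<clsid>" + GUID + r") - (?P<url>.+)$", re.I)
NAMESERVER = re.compile(r"^O17 - .*NameServer = (?P<ips>.+)$")
PROTO = re.compile(r"^O18 - Protocol: (?P<name>\S+) - (?P<clsid>" + GUID + r") - (?P<file>.+)$", re.I)


def triage_hjt(log_text):
    """Group the hijack-relevant HJT items the way the Generic Solution steps use them."""
    found = {"res_dlls": [], "bhos": [], "run": [], "dpf": [], "nameservers": [], "protocols": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RES_DLL.match(line)):
            # Same DLL is repeated across several R0/R1 lines; record it once (step 5).
            if m.group("dll") not in found["res_dlls"]:
                found["res_dlls"].append(m.group("dll"))
        elif (m := BHO.match(line)):          # step 7
            found["bhos"].append((m.group("clsid"), m.group("file")))
        elif (m := RUN.match(line)):          # step 8
            found["run"].append((m.group("name"), m.group("cmd")))
        elif (m := DPF.match(line)):
            found["dpf"].append((m.group("clsid"), m.group("url")))
        elif (m := NAMESERVER.match(line)):   # verify these belong to your ISP
            found["nameservers"].extend(m.group("ips").split())
        elif (m := PROTO.match(line)):
            found["protocols"].append((m.group("name"), m.group("clsid"), m.group("file")))
    return found


def split_service_path(path_to_executable):
    """Split a service 'Path to executable' into file, ADS stream name and arguments."""
    text = path_to_executable.strip()
    args = []
    # Peel trailing switches such as " /s"; as noted above they are not part of the file name.
    while (m := re.search(r"\s+(/\S+)$", text)):
        args.insert(0, m.group(1))
        text = text[: m.start()]
    text = text.strip('"')
    # Assumes a drive-letter path. A second colon after "X:" names an NTFS
    # alternate data stream hidden behind the host file (REGULOCS.OLD:bsqtm).
    drive, rest = text[:2], text[2:]
    stream = None
    if ":" in rest:
        rest, stream = rest.split(":", 1)
    return {"file": drive + rest, "stream": stream, "args": args}


if __name__ == "__main__":
    for key, items in triage_hjt(SAMPLE_LOG).items():
        print(f"{key}: {items}")
    print(split_service_path(r"C:\WINDOWS\REGULOCS.OLD:bsqtm /s"))
```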
  23. planders

    planders Private E-2

    I'm a little afraid to say this, but things looked good on the last HJT log. I've attached the two requested. Had some weird things happen, though:

    -When I went to delete NSS (Step 6), I was able to stop it (it had re-started), but when I clicked on Properties, I got these messages: 1)Configuration Manager: A required entry in the registry is missing or an attempt to write to the registry failed, and then 2) The system cannot find the file specified. Didn't know what to do, so I just continued on with the process. Also couldn't find a path, then, in step 10.
    -In step 10 did not find apppi.exe but found apppi.exe.bak. Had no idea what bak meant, but like a crazed fool that's spent too much time on this, I deleted it. I also could not find ipmb.dll or crkj.exe. Just to be sure I did a Search. The only thing close was 3 files in C:\RECYCLER\S-1-21-18577.... and 1 file in Prefetch.


    Questions (assuming the problem has been fixed -- yes, I know what happens when you "assume"):
    1. Has this also taken care of the Only the Best pop-ups?
    2. At some point, do I need to go back and undo the "Show System Files" stuff? The tutorial said to wait a few days for the System Restore, but I didn't know about this step.
    3. I have the following programs. To make sure this doesn't happen again and/or to keep the HD in good condition, which ones should I use on a regular basis and how often (I have Norton's Antivirus and Internet Security running)? I feel like I'm asking a lot with this question. I hope it's not out of line.
    Ad-aware
    Spybot S&D
    HSRemover
    about:Buster
    HijackThis
    Ccleaner
    ProcessExplorer
    SpywareBlaster
    4. (The most important): If I haven't fixed this and/or get into trouble again, should I start a new thread or come back to this one? I've really, really appreciated your help and patience.

    Thanks and I hope this is the last you hear from me,
    planders
     

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My step by step procedure mentions emptying the Recycle Bin & Prefetch in steps 11, 13g, and in 13i Ccleaner should also empty the recycle bin.

    Yes, if fixed, only the best popups should be gone.

    Leaving the show system files is a personal preference. I always have it that way. It does not hurt to leave it that way. It is sort of a Windows protecting you from yourself thing but I do not like anything hidden.

    Scanning suggestions:
    Ad-aware <--- make sure it is Ad-aware SE and run a scan bi-monthly unless you do lots of surfing, then do it weekly. If you only surf very little, you could make it monthly.
    Spybot S&D <--- Same as above
    HSRemover <--- only when needed for HSA hijacks
    about:Buster <--- only when needed for HSA or About:Blank hijacks
    HijackThis <--- only when instructed unless you want to save a snapshot of a good system and compare periodic scans to see if anything has been added that you did not know about.
    Ccleaner <--- Periodic as with Ad-aware based on surfing habits
    ProcessExplorer <--- only when instructed (unless you want to watch the Processes running on your system)
    SpywareBlaster <--- if you installed this and enabled its protection features, just leave it be and periodically check for updates. It is not a scanner, it is a blocker.

    If the problem comes back, stay in this thread.
    Right now your log looks clean. Hope it stays that way.

    And you're welcome! :)
     
