about:blank solution!?!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by aledrinker, Sep 15, 2004.

  1. aledrinker

    aledrinker Private E-2

    Greetings one and all. I've had numerous run-ins with the now infamous about:blank irritant and have the following possible solution. Firstly, Adaware6, Spybot and AVG will not remove it. AdawareSE 1.04 got rid of it for about 24hrs - then it popped up again. I have now tried this: http://s12ds2.ewizard.cc/uninstall.exe This came from the hacker himself and has (so far) removed the problem. Save it, run it, reset homepage and start MSIE. About:blank will probably come back - but with no text on the page. Repeat the process and (well, in my case) voila - it's gone! No HJT logs, no registry jiggery pokery. What do you guys think? It seems all too simple - but it also seems to be legitimate. Best of luck - Ale. :)
     
  2. melomano

    melomano Private E-2

    Are you telling us to download a *.exe from a hacker's page?
    Sounds a little bit crazy and risky to me!
     
    Last edited: Sep 15, 2004
  3. aledrinker

    aledrinker Private E-2

    I agree, it sounds crazy - but hell, if it works....! This thing has been attacking us for ages and nothing else has worked. Others have tried it and found that it has cleared the problem - and you have to give some credit to the hacker if they have provided a solution. I guess the question is - can anyone actually find anything wrong with the exe. to suggest that it shouldn't be used??
     
  4. melomano

    melomano Private E-2

    Aledrinker,

    OK, I trust you...But other guys go first!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I personally would not trust it to begin with. Unless I had a test PC I could evaluate it on, I would be careful. See the links below which discuss the uninstall.exe. Some success, some failures, some short term success. But who knows who is doing the posting.

    http://www.computing.net/security/wwwboard/forum/12814.html
    http://miataru.computing.net/cgi-bin/printer.pl?12874|security
    http://www.computing.net/windows95/wwwboard/forum/158464.html

    It's up to you if you would like to be the beta tester! Otherwise you will need to work thru this the long way.
     
  6. aledrinker

    aledrinker Private E-2

    Thanks Chaslang - well, I guess I'm the beta tester then! Just to update - I've booted the PC today - and all seems to be still ok. I'm going to do some registry checking tonight and see if I can identify any of the stuff that's mentioned in other threads / forums. Will also get a shredder download. I'll keep you posted - unless the PC crashes completely!
    Take care guys. Ale.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let me understand this. You had about:blank problems and you downloaded the program from that link and ran it and problems appear to be gone?

    How about posting a HijackThis log as an attachment so I can see what it looks like?

    Melomano,
    The decision is yours. But if you are going to try it, please save a HijackThis log from before and after running it. And post them here as text attachments.
     
  8. aledrinker

    aledrinker Private E-2

    Ok chaslang - I'm defeated now - it's back and I'm fed up!
    The exe. came from the computing.net forum that you posted links to earlier. Thought it would be worth a try - obviously I was wrong! As requested, I attach the HJT log for you to look at. At this stage, I am completely in your hands - and a little scared at the prospect of fiddling with registry stuff! But, if you can help - I would be eternally grateful!
    Ale.
     

    Attached Files:

    • hjt.txt
    Last edited by a moderator: Sep 16, 2004
  9. melomano

    melomano Private E-2

    Aledrinker,

    Well, as my mom says "don't drink water from strangers". And, by the way, thank you for being my beta tester. :)

    Seriously, aledrinker, I hope we find something to cure our PCs from that devil HSA, (aka About:Blank) problem. If I find something useful in the web I will post it to you.

    Peace pal.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Aledrinker,

    Okay I expected that. And do not post inline HJT logs. Only text file attachments. Note your HJT is way out of date.

    Please follow all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    NOTE: You should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File > Do not post a HijackThis log until we ask you to and when we do it must be text document attachment to your message.

    Update! Due to Hijack This logs destroying search engine and web site searches, we now ask you do not post your Hijack This log file unless requested by us. It is for advanced users, so if you do not understand how to use it, you do not need it....yet. Instead, please tell us in your post what symptoms you are experiencing so we can try and resolve it that way. When, and if, we ask you to post your log file, please attach it as a file. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!


    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT


    Start by giving the results of all the above.
     
    Last edited: Sep 16, 2004
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The cure is here on MG's! I have fixed literally 100's of these. The problem is that they keep mutating or coming out with newer and more insidious types all the time. And they impact each OS type a little different. Makes it difficult, but not impossible yet, to cure. It requires some detailed steps and quite often repetition. If it were easy, all of the virus and spyware protection software companies would already have a fix. So as you can see, it is almost impossible to predict the exact solution. That is why all of these companies with all the people working for them have not been able to find a true solution for this problem.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have a problem you need to work, please start a new thread for your issue. And follow the guidelines I just posted for Ale.

    Hmmm! Aren't we already working that with you somewhere?
     
  13. melomano

    melomano Private E-2

    Sorry Chaslang, didn't mean that. I was trying to help everybody in this forum (especially you) because I think it is the best I've ever stepped on on my journey to discover a cure for my PC. As a matter of fact I invest my time reading your document called "Generic Solution to HSA..." to come up with some suggestions & feedback that can improve it and post a thread of it.


    As a matter of fact I started a new thread yesterday about my problem and no, Chaslang, no one is working with me somewhere (as of 18:49 my Mexican time).

    Cheers

    Peace
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I searched for your other thread. I found it. And now I see you just bumped it by adding some more info. I'll be there shortly. Very busy day today.
     
  15. aledrinker

    aledrinker Private E-2

    Ok guys - thanks for staying with me on this!! I'm about to embark on the instructions as suggested below. I'll let you know what I find and get back - see you later! Ale.
     
  16. aledrinker

    aledrinker Private E-2

    Right - phew!!
    ADAware removed:
    possible browser hijack x 2 data miner HKEY_local_machine_software\microsoft\IE\main "start page"(about:blank)
    HKEY_users:S-1-5-21-18-

    CCleaner removed an enormous list of stuff

    Spybot removed:
    DSO Exploit x 3
    HKEY_users\s-1-5-18\software\microsoft\windows\current users\internet settings\zones\0\1004!=w=3
    HKEY_users\s-1-5-21-1858025970-426469163-3499916212-1005\software
    HKEY_users\.default

    CWshredder removed:
    CWS.loadbat
    CWS.searchx
    (7 infected registry values for the above)
    restored 7 items - internet pages

    Kill2me says no signs of infection

    About buster log attached as is HJT (updated version!)

    I hope this is all ok!! Look forward to your reply.
    Take care, Ale
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are running HijackThis from the ZIP file. My instructions specifically said not to do that. Please install it into its own directory as I indicated in message # 10.

    What about McAfee Stinger and the online scans? You did not run them.

    Do you still have Panicware - Pop-Up Stopper installed? It appears that at least one file is missing and also BHO Demon has disabled it. Do you still want to use it?

    What is your expected home page?
    www.majorgeeks.com or http://uk.yahoo.com

    Before continuing, I need you to get HijackThis in its own directory and I need answers to my questions. Right now you do not show True about:blank hijack problems.
     
  18. aledrinker

    aledrinker Private E-2

    I put HijackThis in a folder on the c drive C:\HijackThis - but when I open it to run the program, it says it appears to have been started from a temp folder. I haven't a clue what is going on with it. I'll have a search through and see if I can find it somewhere else. Sorry, missed those steps - I'll do the other scans and so on. pop up stopper I'm not bothered about - so I'll remove it anyway. Yesterday, after all the scans, the home page set itself to Google.com. I had previously had Majorgeeks.com set up as homepage - but it has come back with about:blank today anyway!
    I'll do some more scanning and come back. Ale.
     
  19. aledrinker

    aledrinker Private E-2

    I'm getting really cheesed off with this now! I've just deleted HijackThis and downloaded it again - straight into its folder on the C drive - but it still tells me it is coming from a temp folder somewhere. I have not had to unzip it either - it goes straight into the folder and runs from there. What the heck have I done that's wrong???? Also, I cannot do online scans in safe mode as I can't connect to the internet - so I'll have to do those in normal mode. Nothing ever works as it's supposed to for me!!!!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The file you are downloading is a compressed ZIP file. You need to extract the hijackthis.exe file out of the ZIP file into its own directory. What you are missing is the fact that you are not extracting it from the ZIP file. You are running it from the ZIP file.

    If you cannot figure out how to do that with WinXP's built-in ZIP viewer, download and install WinZip from here: http://www.majorgeeks.com/download525.html
    Now when you double click on a ZIP file WinZip will come up and you can tell it what to do. Tell it to extract and then browse to the directory where you want to extract it. You can even create a directory (folder) if it does not exist already.

    Your home page changed from majorgeeks to google due to running About:Buster (I assume you must have run it.)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you can do the scans in safe mode. You just have to choose Safe Mode with Networking Support as the tutorial indicates.
     
  22. aledrinker

    aledrinker Private E-2

    Thanks Chaslang - finally got the zip file thing sorted! I attach the (hopefully) correct HijackThis log - done today. Re the scans in safe mode issue, when I try and connect to the internet in safe mode with networking support - nothing happens - the PC simply does not connect - doesn't dial out or anything. As soon as I boot in normal mode - everything works as normal! I did the scans in normal mode (hope the information might be of some use anyway?!) Any suggestions as to what else I can try to get online in safe mode???
    Trend Micro found:
    Troj strtpg.IX
    Troj Muss.A
    HTML strt pg IX (2 off)
    Java Bytever.A (2 off)

    Symantec security scan showed:
    Hacker exposure = safe
    Windows vulnerability = safe
    Anti Virus product check = vulnerable (it does not recognise AVG which I use)

    Hope some of this will provide more useful info. About:blank continues to affect Yahoo and Hotmail accounts and constantly re-asserts itself as my homepage. A lot of pop ups telling me that I am infected with spyware keep appearing - probably attached to the source of the problem itself?!
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never answered my questions from message # 17

    "Do you still have Panicware - Pop-Up Stopper installed? It appears that at least one file is missing and also BHO Demon has disabled it. Do you still want to use it?"

    I see some problems to clear up in your log but first we have to hunt for some possible hidden problems.

    1) go here and download Registrar lite and install it: http://www.majorgeeks.com/download469.html
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field:

    By the way the below is not a bad file. You just do not need it to be run at startup cluttering the System Tray and wasting resources. So have HijackThis fix this line. Alternately you can most likely do it by running WinZip and selecting Options and Configuration.
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    Also fix this line with HJT since the file is missing:
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    We will get to the rest of the problem lines later. I'm noting those lines below. Do not do anything with them yet. I need the above info from Registrar Lite first. I just want to save what I'm looking at thus far.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A8020BB6-8B6B-4D8A-86C6-7C3CB0A75A1C} - C:\WINDOWS\System32\bbpahaa.dll
    O18 - Filter: text/html - {158E9F40-1C34-4C55-A95B-1F5516FB7394} - C:\WINDOWS\System32\bbpahaa.dll
    O18 - Filter: text/plain - {158E9F40-1C34-4C55-A95B-1F5516FB7394} - C:\WINDOWS\System32\bbpahaa.dll
     
  24. aledrinker

    aledrinker Private E-2

    Hi,
    The result of the Registrar Lite scan (AppInit_DLLs value) is:
    C:\windows\system32\logejkh.dll

    Answer re. Panicware Pop-Up Stopper - I have deleted it as I wasn't really using it.

    Re. the O2 and O18 registry entries below, bbpahaa keeps showing up on BHO and I keep disabling it.

    cheers and thanks for your help so far!
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean you keep using HJT to fix the line but it comes back? Disabling is something else (which BHO Demon can do). We need to work on the AppInit_DLLs line.

    I want you to Run Registrar lite again but this time do the following:
    - copy the following into the address bar or expand the same key by hand:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    - Rename the Folder Windows to NotWindows (in the left hand pane of reglite)
    - Double Click "AppInit_DLLs" again and clear the data value:
    C:\windows\system32\logejkh.dll < delete this line , 'Apply' and 'ok' to set.
    - Rename the NotWindows folder back to its original name Windows
    - Double check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs entry to make sure the logejkh.dll file has not returned. If it has change the folder name to NotWindows again, delete the data value again, but do not change the folder name back to Windows. Just continue with the next step.
    - Restart computer in safe mode
    - This should make the file visible if we could not find it before. So use Windows Explorer and go to C:\windows\system32 and locate the file logejkh.dll and delete it.
    - Also while in safe mode. Run HijackThis again and have it fix all of these lines from before (if still there):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A8020BB6-8B6B-4D8A-86C6-7C3CB0A75A1C} - C:\WINDOWS\System32\bbpahaa.dll
    O18 - Filter: text/html - {158E9F40-1C34-4C55-A95B-1F5516FB7394} - C:\WINDOWS\System32\bbpahaa.dll
    O18 - Filter: text/plain - {158E9F40-1C34-4C55-A95B-1F5516FB7394} - C:\WINDOWS\System32\bbpahaa.dll

    Now delete C:\WINDOWS\System32\bbpahaa.dll

    Now reboot in normal mode and let's see a new HJT log.
     
  26. aledrinker

    aledrinker Private E-2

    Quote:
    You mean you keep using HJT to fix the line but it comes back? Disabling is something else (which BHO Demon can do). We need to work on the AppInit_DLLs line.

    I haven't been using HJT to fix it - I've been disabling it with BHO Demon - as you mentioned.

    Ok - done all the other instructions and there were a couple of interesting points. When it came to deleting c:\windows\system32\logejkh.dll - it wasn't there!
    The same thing applied when I went to delete c:\windows\system32\bbpahaa.dll - it also wasn't there.

    Several of the registry entries that you listed to be fixed had changed. All the R1 lines and the R0 line ending in =about:navigation failure were not there.
    Now, as you can see from the log - they are back! Should I look for the logejkh.dll and bbpahaa.dll files in normal mode? or have HJT fix the registry in normal mode?
     
  27. aledrinker

    aledrinker Private E-2

    Ooops - sorry - forgot this bit!

    Cheers,
    Ale.
     


  28. aledrinker

    aledrinker Private E-2

    about:blank continues to plague me

    Hi chaslang / anyone, I have another thread "about:blank - solution??"- but there has been no reply to my last post two days ago! Not sure what is happening - but I am still being ruled by about:blank. Can someone help me or at least let me know what's happening with my thread??
    Thanks,
    Ale
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: about:blank continues to plague me

    Sorry about that. You slipped down so far on the pages that I missed seeing your message. It's been exceptionally busy here. It's getting tough to keep up. And the problems are becoming more and more difficult to remove, thus making the open thread count increase while there are still dozens of new threads coming in daily.

    I merged your post back into your previous thread (which is now what you are reading). It is better to always keep all correspondence on this problem in one thread. We need to be able to see the history.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: about:blank continues to plague me

    You need to post another HJT log and do not shutdown or reboot your PC until I can get back to you with some things to try. Your problem may change filenames upon reboot and that may be the reason you did not see the files I asked you to delete.

    So get me that HJT log and do these steps again (do not do any editing or mods on your own)

    1) Run Registrar lite & click on the word Registry in the top of the left Window
    2) Copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field:


    Don't forget DO NOT reboot or reset. You can disconnect from the internet by what ever means necessary (unplug cables etc) but no reboots.
     
  31. aledrinker

    aledrinker Private E-2

    Ok, thanks chaslang - I'd noticed it was getting pretty busy in here!
    HJT log attached as requested. The AppInit_DLLs value is c:\windows\system32\logejkh.dll which is weird as it definitely wasn't there when I tried to find it last time!

    I have noticed that BHO demon has started bringing up pfcanga.dll which seems to have replaced the bbpahaa.dll that was there previously.
    I hope there's a solution to this somewhere / somehow - it's driving me and my wife nuts! Incidentally, she tends to get a problem with IE shutting down on her - which I have not experienced. We have separate accounts on the PC so I don't know if that has anything to do with it?!
    Hope to hear from you soon. ale.
     


  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this is part of the reason the problem keeps coming back. In message # 24 you told me you found the logejkh.dll but in message #26 where you were supposed to be deleting the line from AppInit_DLLs you said it was not there. Now it is back again. You have to make sure you find it and fix it this time.

    Print the below instructions or save them locally and disconnect from the Internet (unplug your analog phone line or ethernet cable to your PC) and DO NOT RUN ANY BROWSERS again until told to.

    I want you to Run Registrar lite again and do the following:
    - start by clicking on the word Registry in the top of the left Window pane to make sure you are at the beginning of the registry.
    - copy the following into the address bar or expand the same key by hand:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    - Rename the Folder Windows to NotWindows (in the left hand pane of reglite)
    - Double Click "AppInit_DLLs" again and clear the data value:
    C:\windows\system32\logejkh.dll < delete this line , 'Apply' and 'ok' to set.
    (YOU HAVE TO MAKE SURE THIS WORKS. IF IT DOES NOT THE WHOLE PROCEDURE WILL NOT WORK.)
    - Rename the NotWindows folder back to its original name Windows
    - Double check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs entry to make sure the logejkh.dll file has not returned. If it has, change the folder name to NotWindows again, delete the data value again, but do not change the folder name back to Windows. Just continue with the next step.
    - Restart computer in safe mode
    - This should make the file visible if we could not find it before. So use Windows Explorer and go to C:\windows\system32 and locate the file logejkh.dll and delete it. (THIS TOO MUST BE COMPLETED CORRECTLY. THE FILE MUST BE DELETED).
    - Also while in safe mode. Run HijackThis again and have it fix all of these lines (if still there):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {7031E96F-0F5E-4D12-8A01-BF91C20BCA58} - C:\WINDOWS\System32\pfcanga.dll
    O18 - Filter: text/html - {9F431CDC-A73C-4C46-9799-DE8943AD11C6} - C:\WINDOWS\System32\pfcanga.dll
    O18 - Filter: text/plain - {9F431CDC-A73C-4C46-9799-DE8943AD11C6} - C:\WINDOWS\System32\pfcanga.dll

    Use Windows Explorer to locate and delete C:\WINDOWS\System32\pfcanga.dll

    Reset Web Settings by clicking Start, Control Panel (for some systems it may be Start, Settings, Control Panel) and select Internet Options. Then click Programs and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you like (i.e., www.majorgeeks.com).

    Empty your recycle bin and also empty your c:\windows\Prefetch folder.

    You should run similar procedures on all user login accounts on this PC. In fact, if you have not done so the whole READ ME FIRST tutorial steps should be run for each user account.

    Now reboot in normal mode with your internet connection hooked back up. Post a new HJT log and tell me how all the steps went and how things look.
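
Added example, not part of the thread and not HijackThis's own logic: a small triage script that reads two HijackThis excerpts and reports when the hooking DLL has changed name between logs while the about: settings persist, as happened between messages 23 and 32. The sample logs are constructed from lines quoted in those posts; the function names and the "same DLL registered as BHO and as text filter" heuristic are assumptions made for this illustration.

```python
import ntpath
import re

# Constructed sample input: lines quoted in message 23 of the thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A8020BB6-8B6B-4D8A-86C6-7C3CB0A75A1C} - C:\WINDOWS\System32\bbpahaa.dll
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O18 - Filter: text/html - {158E9F40-1C34-4C55-A95B-1F5516FB7394} - C:\WINDOWS\System32\bbpahaa.dll
O18 - Filter: text/plain - {158E9F40-1C34-4C55-A95B-1F5516FB7394} - C:\WINDOWS\System32\bbpahaa.dll
"""

# Constructed sample input: lines quoted in message 32 of the thread.
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {7031E96F-0F5E-4D12-8A01-BF91C20BCA58} - C:\WINDOWS\System32\pfcanga.dll
O18 - Filter: text/html - {9F431CDC-A73C-4C46-9799-DE8943AD11C6} - C:\WINDOWS\System32\pfcanga.dll
O18 - Filter: text/plain - {9F431CDC-A73C-4C46-9799-DE8943AD11C6} - C:\WINDOWS\System32\pfcanga.dll
"""

# Line shapes as they appear in the thread: "R1 - <key>,<value name> = <data>", etc.
REG_RE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")
BHO_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
FILTER_RE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.+)$")


def parse_log(text):
    """Collect IE settings pointing at about: URLs, BHO DLLs and MIME filter DLLs."""
    about, bho, filters = [], set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_RE.match(line)
        if m:
            if m.group(4).lower().startswith("about:"):
                about.append((m.group(2), m.group(3), m.group(4)))
            continue
        m = BHO_RE.match(line)
        if m:
            bho.add(ntpath.basename(m.group(2)).lower())
            continue
        m = FILTER_RE.match(line)
        if m:
            dll = ntpath.basename(m.group(3)).lower()
            filters.setdefault(dll, set()).add(m.group(1))
    return {"about": about, "bho": bho, "filters": filters}


def hooking_dlls(text):
    """DLLs registered both as a BHO and as a text/html or text/plain filter."""
    parsed = parse_log(text)
    return {
        dll
        for dll, mimes in parsed["filters"].items()
        if dll in parsed["bho"] and mimes & {"text/html", "text/plain"}
    }


def compare(before, after):
    """Report hooking DLLs that vanished or appeared between two logs."""
    old, new = hooking_dlls(before), hooking_dlls(after)
    still_hijacked = bool(parse_log(after)["about"])
    return {
        "gone": sorted(old - new),
        "new": sorted(new - old),
        # A different DLL in the same two roles with about: settings still
        # present suggests the file was renamed rather than removed.
        "renamed": bool(old - new) and bool(new - old) and still_hijacked,
    }


if __name__ == "__main__":
    print(compare(LOG_BEFORE, LOG_AFTER))
```

A "renamed" result means the file names from the older log are stale, so removal steps should be based on the newest log.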
     
