About:Blank

Discussion in 'Malware Help (A Specialist Will Reply)' started by ZerithP, Apr 14, 2005.

  1. ZerithP

    ZerithP Private E-2

    I've read up on the spyware that sends you to About:Blank and I have it. The only problem is I can't figure out how to remove it. I've done a HJT log and read it over and I personally can't figure out what to do from there. I can post it if necessary but I really need help getting rid of Search Assistant from my computer altogether. If anyone can help me that would be gratefully appreciated and I will do whatever it takes to get rid of this menace.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. ZerithP

    ZerithP Private E-2

    Here's my Hijack This log, I attempted to turn off all the services as requested in the "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal" thread but failed to see any of them.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Viewpoint

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    ViewMgr.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: SDWin32 Class - {04EC21A2-DD68-4CBC-AC20-51AF5EF06BEE} - C:\WINDOWS\System32\dusnn.dll (file missing)
    O2 - BHO: SDWin32 Class - {107EEED4-64EF-40D0-8AD9-67C241E75220} - C:\WINDOWS\System32\oxsch.dll (file missing)
    O2 - BHO: (no name) - {8002F18B-39BC-4769-BACD-35DD5251D5E5} - C:\WINDOWS\system32\pgmg.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O9 - Extra button: Microsoft AntiSpyware helper - {4458FAC4-55F7-4B80-B32A-AEF115E20A7B} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4458FAC4-55F7-4B80-B32A-AEF115E20A7B} - (no file) (HKCU)

    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    O18 - Filter: text/html - {A4A9B58B-ECC6-4073-A15E-ADCE1AD28C9C} - C:\WINDOWS\system32\pgmg.dll
    O18 - Filter: text/plain - {A4A9B58B-ECC6-4073-A15E-ADCE1AD28C9C} - C:\WINDOWS\system32\pgmg.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Viewpoint ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\pgmg.dll

    se.dll ←–– Search for this file and delete if found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After doing ALL of the above,
    Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
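
Added example, not part of the original posts or of HijackThis: a Python triage of HijackThis log lines that uses only the patterns this fix list targets (about:blank search settings, res:// pages served from a DLL in Temp, BHOs whose file is missing, rundll32 autoruns, O18 filters). The rule set and the `ExampleUpdater` line are constructed for illustration; a hit means the entry deserves review, not that it is malicious.

```python
import re

# Section code, " - ", then the rest of the entry (HijackThis log line layout).
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# (predicate on (code, lowercased body), reason). Heuristics are limited to the
# patterns flagged in this thread; this is not a complete rule set.
RULES = [
    (lambda c, b: "(file missing)" in b or "(no file)" in b, "orphaned entry, file is gone"),
    (lambda c, b: "\\temp\\" in b, "loads code from a Temp directory"),
    (lambda c, b: c in ("R0", "R1") and b.endswith("= about:blank"), "IE setting forced to about:blank"),
    (lambda c, b: c in ("R0", "R1") and "= res://" in b, "IE setting points into a DLL resource"),
    (lambda c, b: c == "O2" and "(no name)" in b, "unnamed Browser Helper Object"),
    (lambda c, b: c == "O18", "protocol or MIME filter in the page-load path"),
    (lambda c, b: c == "O4" and "rundll32" in b, "autorun starts a DLL via rundll32"),
]

def triage(log_text):
    """Return [(code, body, [reasons])] for entries that match any rule."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list, blank lines
        why = [r for test, r in RULES if test(m["code"], m["body"].lower())]
        if why:
            hits.append((m["code"], m["body"], why))
    return hits

# Entries copied from the fix list above; the header and last line are constructed.
SAMPLE = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: SDWin32 Class - {04EC21A2-DD68-4CBC-AC20-51AF5EF06BEE} - C:\WINDOWS\System32\dusnn.dll (file missing)
O2 - BHO: (no name) - {8002F18B-39BC-4769-BACD-35DD5251D5E5} - C:\WINDOWS\system32\pgmg.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {A4A9B58B-ECC6-4073-A15E-ADCE1AD28C9C} - C:\WINDOWS\system32\pgmg.dll
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

if __name__ == "__main__":
    for code, body, why in triage(SAMPLE):
        print(f"{code}: {body}\n    -> " + "; ".join(why))
```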
     
  5. ZerithP

    ZerithP Private E-2

    thank you very much, so far it seems to be working, here's my new log.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Shut down SpySweeper and Microsoft AntiSpyware and do my previous fix again. Do you have system restore disabled??

    Skip what does not appear!
     
  7. ZerithP

    ZerithP Private E-2

    "For Windows XP:

    1: Right click on the My Computer icon on your desktop and select properties.
    2: Click on the system restore tab.
    3: Check the box that says "Turn off system restore on all drives". Click OK.
    4: Click Yes when you are prompted to restart the computer
    5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box."

    I right click on My Computer and hit properties and there is no system restore tab.

    Also I can't set a background on my computer now, this happened when I got the spyware.

    EDIT: Okay Nevermind I had to right click it in the startbar.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We will get everything in the end, first let's nail this AB hijacker.
     
  9. ZerithP

    ZerithP Private E-2

    Okay, I just finished re-applying the fix, took another log and here it is.
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That looks better, let me check the whole log, one moment!
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is NOW clean!

    Are you having any further problems?
     
  12. ZerithP

    ZerithP Private E-2

    The only problem I am noticing right now is that I can't set a desktop background. When I had received the spyware it changed something and applied its own image for the background and now I can't change my image back. There is no longer a tab to do so.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > run > type in regedit

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    Look for a DWORD value called "NoChangingWallPaper"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Only Should have "NoDriveTypeAutoRun"

    Remove This Value "NoActiveDesktop"
    Remove This Value "ForceActiveDesktopOn"

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    There should only be the (default) string here

    Remove This Value NoComponents
    Remove This Value NoAddingComponents
    Remove This Value NoDeletingComponents
    Remove This Value NoEditingComponents
    Remove This Value NoHTMLWallpaper
     
  14. ZerithP

    ZerithP Private E-2

    There was no ActiveDesktop subfolder.


    The only thing there was the "NoActiveDesktop" and "NoDriveAutoRun"

    None of this was there.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's not called a Subfolder, it's called a registry key.

    Remove the entry "NoActiveDesktop"

    After you remove this entry, reboot and see if problem remains.
     
  16. ZerithP

    ZerithP Private E-2

    Heh, didn't know what else to call it.

    As far as the removal of it and reboot, I still can't change the desktop background.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is it greyed out?
     
  18. ZerithP

    ZerithP Private E-2

    No not greyed out, but I checked the Registry key for

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    and there are some entries:
    (Default)
    NoDispAppearancePage
    NoDispBackgroundPage
    Wallpaper
    WallpaperStyle

    do these have anything to do with it?
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This key below:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

    Should only have Explorer, right click and delete SYSTEM.
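
Added example, not part of the original posts: a read-only Python audit of a `.reg` export of the HKCU Policies key, listing every value that falls outside the baseline given in this thread (Explorer holds only `NoDriveTypeAutoRun`, ActiveDesktop only the default, no System subkey). It assumes the export has already been decoded to text; the sample data is constructed, and centrally managed machines may legitimately carry more policy values than this baseline.

```python
import re

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
# Baseline stated in the thread: named values allowed to stay, per subkey.
EXPECTED = {"Explorer": {"NoDriveTypeAutoRun"}, "ActiveDesktop": set()}

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):  # "@=" default is skipped
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def unexpected_policies(text):
    """List (subkey, value, data) under Policies that is outside the baseline."""
    found = []
    for path, values in parse_reg(text).items():
        if not path.upper().startswith(POLICIES.upper() + "\\"):
            continue
        sub = path[len(POLICIES) + 1:].split("\\")[0]
        allowed = EXPECTED.get(sub)  # None: whole subkey is unexpected (e.g. System)
        for name, data in values.items():
            if allowed is None or name not in allowed:
                found.append((sub, name, data))
    return found

# Constructed sample export using the value names reported in this thread.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"Wallpaper"="C:\\WINDOWS\\example.bmp"
"WallpaperStyle"="0"
'''

if __name__ == "__main__":
    for sub, name, data in unexpected_policies(SAMPLE):
        print(f"Policies\\{sub}: {name} = {data}")
```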
     
  20. ZerithP

    ZerithP Private E-2

    yes thank you, that worked! Thanks for your help through all of this I really appreciate it.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Good!:)

    Are you having any further problems?
     
  22. ZerithP

    ZerithP Private E-2

    nope I believe I am all set. Although I'm tryin to figure out how to get IE to block popups again :eek: .
     