Another about:blank case

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Maggie79, Nov 2, 2004.

  1. Maggie79

    Maggie79 Private E-2

    I'm infected with the about:blank spyware...
    1- Homepage is always reset to about:blank
    2- When I go to Yahoo or Google, it opens another search page (http://search-to-find.com) and gives me unwanted pop-ups.
    I have searched the web extensively for a cure to that problem. I have scanned/rebooted several times with Ad-Aware, SpyBot, and CWShredder, but the problem is still there. Could you help me? Below you will find the logfile made with HijackThis.

    Any help would be very very appreciated!!!

    Thank you,
    Maggie

    Edit by chaslang: Inline log changed to an attachment
     
    Last edited by a moderator: Nov 3, 2004
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Maggie,

    Welcome to MGs. Please note HijackThis is the last step and we have rules about how and when to post a log. Please read this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting You also MUST shut down your browsers before running HJT and you must put it into the proper directory as indicated in that thread. You currently had 1 IE session running and you also had HJT running directly from the ZIP. Unzip it to a directory of its own like C:\Program Files\HJT or C:\HJT. You MUST get HJT installed correctly before continuing. From now on please do not post logs unless we ask for them and then only post as a .txt file attachment.

    While you do have the about:blank hijacker, there are some other issues shown in your log too that we need to address first.

    First, we need to get rid of this WebSearch Toolbar: O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    Click Start, Run, and in the open box enter the below and hit OK!
    C:\PROGRA~1\Toolbar\TBPS.exe uninst

    Let me know if that works or not.

    Second, please follow all the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Take special note of step 2 in the section titled Getting Prepared; Steps to be sure your system is ready to be scanned and steps 4 and 5 in the section titled Scanning And Cleaning Steps. Step 5 may become necessary at some point if the above steps do not work.

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing all the above do the following to cleanup some trojan problems I saw:

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    taps.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKCU\..\Run: [Pewd] C:\Documents and Settings\Magali Le Roux\Application Data\taps.exe
    O4 - HKCU\..\Run: [Jabqclf] C:\WINDOWS\System32\w?wexec.exe

    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Magali Le Roux\Application Data\taps.exe
    C:\WINDOWS\System32\w?wexec.exe

    Now reboot in normal mode and post a new HJT log as an attachment. And tell me how things are working.
     
  3. Maggie79

    Maggie79 Private E-2

    Thank you very much for these specific instructions. You are right, I shouldn't have posted my logfile at that time - especially considering that I am quite clueless about computers. I want to take the time to do this correctly, and I will do exactly as told in your messages and sticky threads. I don't have much time right now, but tomorrow night (in +/- 20 hours), I'll work on that and follow all the instructions. My reply/comments will be posted then.

    Maggie
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Maggie! But note one additional thing. If you get all the way through those steps and still have a problem with the hijack, post your HJT log as requested but DO NOT reboot. These problems have a habit of mutating on reboots and this would make your log not useful to me. You can disconnect your connection to the internet and shut off your monitor but do not reboot until I get back to you with instructions. Those instructions would involve a long complex procedure documented in: When all else fails - Generic Solution to HSA (Only the Best) & About:Blank hijack
     
  5. Maggie79

    Maggie79 Private E-2

    Hi again!!!

    I am now back from work and will follow all the steps in the standard procedure. This will take me a long time as I am quite clueless about computers. I'll be posting on updates asap!

    Maggie
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But note that if you do get to the point where the Generic Solution is required you must work through the entire procedure as written. You should not stop in the middle and under no circumstances connect to the internet during it, and don't run anything else but what is specified during that procedure. It tells you when to disconnect and when to reconnect.

    If you have to run it, read it first and ask any questions you may have before beginning it.
     
  7. Maggie79

    Maggie79 Private E-2

    First steps

    I didn't get to the Generic Solution yet. I'm not even done with step 1 of the "general comments"!

    The first instruction you gave me was this one: First, we need to get rid of this WebSearch Toolbar: O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    Click Start, Run, and in the open box enter the below and hit OK!
    C:\PROGRA~1\Toolbar\TBPS.exe uninst

    I did exactly that, and Windows gives me this message: "C:/PROGRA~1/Toolbar refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure the disk is properly inserted, or that you are connected to the Internet, or your network, and then try again. If it still cannot be located, the information might have been removed to a different location".

    So I guess the uninstall didn't work :(

    Now about "Disable System Restore" temporarily (point 1). I understood that this should restart your computer. In my case, it doesn't! I right click on My Computer, System Restore tab, Check box "Turn off system restore". Once this is done I click yes and I receive a message from Windows:

    "You have chosen to turn off system Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer. Do you want to turn off System Restore"? I answer YES to that question, and it doesn't do anything visible. No restart of the computer. What am I doing wrong in this step?

    Thank you for helping me,
    Meanwhile waiting for this answer, I am reading the instructions, but I am not doing anything until you tell me to.

    Maggie
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: First steps

    First, did you get HijackThis installed into the proper directory yet? If not, you MUST do that first.

    For the first problem, are you sure you entered
    C:\PROGRA~1\Toolbar\TBPS.exe uninst
    and not
    C:/PROGRA~1/Toolbar/TBPS.exe uninst

    If you did it right, skip this step and continue.

    For the system restore problem, that's okay; I believe that many times you are not asked to reboot. Just double check that the disable system restore box is still checked and continue with the other steps.
     
  9. Maggie79

    Maggie79 Private E-2

    UPDATE ABOUT SITUATION

    I've gone through all the required steps as per the sticky named "How to: Spyware, Trojan And Virus Removal".

    Firstly, I have:

    * Disabled system restore temporarily
    * Stopped the service of "Workstation Netlogon Service" found with a services.msc search. ["Remote Procedure Call (RPC) Helper" was not found, but "Remote Procedure Call (RCP)" and ""Remote Procedure Call (RCP) Locator" were found. I did NOT delete them (not exact same name). Is that normal and ok?]
    * Enabled viewing of hidden files
    * Downloaded and/or Installed all the Required Tools as per Tutorial
    --> Everything went ok.

    Then I did an online scan with Trend Micro : no viruses found.
    With Symantec Security Check: everything ok (ie safe) except "Antivirus Product: Warning, no known virus protection found". I do have an anti-virus, AVG 7.0, which I downloaded yesterday (after sending you the first HJT file - that's why it doesn't appear on my initial log). AVG 7.0 is perfectly fine!! [Maybe Symantec doesn't recognize other antivirus than Norton? Please advise me about this step.]

    Then in "Safe Mode with Networking":
    * Stinger : All files appear to be clean
    ... Reboot in safe mode
    * Ad-aware: 40 new critical objects found (all of them are with Vendor: CoolWebSearch), delete those
    ... Reboot in safe mode
    * SpyBot: "Problems found" with DSO Exploit and Winpup, delete those
    ... Reboot in safe mode
    *Ad-aware another time : no critical objects found
    ... Reboot in safe mode
    *SpyBot another time: "Problems found" with DSO Exploit, Advertising, Avenue A Inc.

    I didn't try Secondary Spyware Scan because it says that it is only for the about:blank hijack removal. I didn't seem to have this problem anymore because all the CoolWebSearch things are not there anymore. I then switched back to normal mode, and I don't have the about:blank symptoms anymore. No more about:blank homepage and no more search-to-find.com redirection. [Is the problem gone for good now?]

    QUESTIONS:

    - Check the brackets [ ] for my questions about the specific tasks?
    - What about my inability to run C:\PROGRA~1\Toolbar\TBPS.exe uninst (ref: My reply at Nov 2 19:06)?
    - Are the problems found with SpyBot (DSO Exploit, Advertising, Avenue A Inc.) dangerous?? What should I do about them?
    - Are the instructions you gave me about my INITIAL HJT log (in your first reply, you tell me lines to remove, etc etc) still valid??? Since I made updates and new scans, I am unsure if your first instructions are still valid. So I will wait for your answer.
    - Should I post a new HJT log? It is advised in the tutorial not to do that unless we are asked for it.

    Thanks in advance for your help. That was a LONG work for me but I think the situation will be good in a short while!!!! And I learn new things! :)

    Gotta get some sleep now. I'll be checking for more news from you tomorrow morning (around 6:30 Eastern Time).

    Maggie
     
  10. Maggie79

    Maggie79 Private E-2

    Re: First steps

    It appears we were writing at the same time!!!
    So..... quick replies to your queries:

    1 - Yes, I'm sure I have entered
    C:\PROGRA~1\Toolbar\TBPS.exe uninst

    I have put this slash / in my comments because I was typing too fast. The command really tells me that it refers to a location that is unavailable. What does this mean?

    2 - I made sure that the disable system restore box is still checked.

    I will wait for more news from you about my general "update about situation" that I have just posted.
     
  11. Maggie79

    Maggie79 Private E-2

    just to make sure

    I just want to make sure that you see my TWO answers that I have just made. One of them is short and answering about the first steps small query. The other long one is about my updated situation - I went through all the steps of the tutorials and I have tried to explain the situation as best as I can.
     
  12. Maggie79

    Maggie79 Private E-2

    one last thing

    One last thing: Yes, HijackThis is in its own directory under
    C:\Program Files\HJT\ with ONLY the hijackthis.exe file in there.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: one last thing

    Just want to let you know I'm reading your stuff now. To answer one question and ask another:

    You said,
    Yes the other RPC's are normal. As stated in the directions, you must only see the EXACT name. When you found Workstation Netlogon Service, what was the Path to executable.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: one last thing

    Uninstall the version of Spybot you have and download, install and repeat your safe mode scan with: SpyBot-Search & Destroy 1.3.1tx

    The DSO Exploit problem (a bug in Spybot) should be gone.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: one last thing

    I don't know the cause of : [Maybe Symantec doesn't recognize other antivirus than Norton? Please advice me about this step.]

    Since you do have one, ignore it for now.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: one last thing

    Yes, I think we do need a new HJT log attachment before deciding what else we must do.
     
  17. Maggie79

    Maggie79 Private E-2

    Re: one last thing

    All right!!! Other RPC's were not stopped or deleted. I have no idea what the Path to executable was for Workstation Netlogon Service (I'm not sure what you mean??). When I run the services.msc command again, "Workstation Netlogon Service" is not shown anymore in the list. How can I find the "path to executable"?
     
  18. Maggie79

    Maggie79 Private E-2

    Re: one last thing

    OK, I will uninstall Spybot and put the version you tell me, plus I will do the scan and new HJT file. I will do this tonight, at around 5pm Eastern Time.

    Thanks again,
    Magali

     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: one last thing

    Okay, don't worry about it now. We will figure it all out later after seeing the new HJT log.
     
  20. Maggie79

    Maggie79 Private E-2

    Hi again!

    I have uninstalled my SpyBot and downloaded the 1.3.1 version. Also did the "Immunize this system" thing upon installation. (It said 0 bad products found).

    I then rebooted in safe mode and it said "Congratulations! No immediate threats were found". I have to say though that the scan was much much faster than the previous scans I did with SpyBot. I am not sure this is normal?

    As asked, you will find below the HJT log which was done after the scan.
    And just to let you know, I will be back here at around 11pm Eastern Time and I will be ready to follow other instructions that you might have add.

    PS: I am not good enough with computers to read the HJT files, but I checked it just out of curiosity and I have found the about:blank words again somewhere as a default webpage of some sort... When I start IE though, my real homepage (http://www.courriel.polymtl.ca) is the one that is being opened?! I didn't see that about:blank thing today.

    Thanks,
    Maggie


    Edit by chaslang: Inline log changed to an attachment
     
    Last edited by a moderator: Nov 4, 2004
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    taps.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wttrc.dll/sp.html#12802
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wttrc.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wttrc.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wttrc.dll/sp.html#12802
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wttrc.dll/sp.html#12802
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wttrc.dll/sp.html#12802
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {F6C9627E-9AEA-C653-5C38-FBA709684853} - C:\WINDOWS\system32\apixt.dll (file missing)

    I'm guessing that this Security iGuard program is not legitimate. Do you know what it is? If not, fix the next line with HJT too; otherwise skip it.
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe

    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKCU\..\Run: [Pewd] C:\Documents and Settings\Magali Le Roux\Application Data\taps.exe
    O4 - HKCU\..\Run: [Jabqclf] C:\WINDOWS\System32\w?wexec.exe


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\wttrc.dll
    C:\Program Files\Security iGuard <--- the whole directory if you decided it was bad.
    C:\PROGRA~1\Toolbar <---- the whole directory
    C:\Documents and Settings\Magali Le Roux\Application Data\taps.exe

    Now run About:Buster, that was referenced in the READ ME FIRST. Save its log.


    Now reboot in normal mode and post a new HJT log as an attachment and do the same for the About:Buster log. And tell us how things are working.
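The R0/R1/O2/O4 lines in the post above, and the safe-mode delete list that was built from them, as a small triage script. This is an added example, not part of the thread and not HijackThis's own logic: the rules are this example's own heuristics, and the sample log is constructed from the lines quoted in the post plus one benign jusched.exe entry added for contrast. It only reads log text; it never touches the registry or the disk.

```python
"""
Triage of HijackThis (HJT) log lines for the IE about:blank / CoolWebSearch
hijack pattern seen in this thread. Added example, not HJT code; the rules
below are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample log: the R/O lines quoted in the thread, plus one benign
# O4 entry (jusched.exe) added here so the "nothing to flag" case is exercised.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wttrc.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F6C9627E-9AEA-C653-5C38-FBA709684853} - C:\WINDOWS\system32\apixt.dll (file missing)
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [Pewd] C:\Documents and Settings\Magali Le Roux\Application Data\taps.exe
O4 - HKCU\..\Run: [Jabqclf] C:\WINDOWS\System32\w?wexec.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2\bin\jusched.exe
"""

REASONS = {
    "res-dll": "IE page/search setting is served from a resource inside a local DLL "
               "(res://...dll), the about:blank / CWS hijack pattern",
    "about-blank": "IE page setting is about:blank",
    "bho-missing": "Browser Helper Object is registered but its DLL is gone (orphaned hijack component)",
    "run-from-profile": "Run entry launches a program from a user profile data folder, "
                        "not from Program Files or Windows",
    "odd-filename": "Run entry filename shows '?', which is not legal in a Windows filename, "
                    "so the real name holds a character the log could not print",
}

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RES_DLL = re.compile(r"^res://(?P<dll>[^/]+?\.dll)(?:/|$)", re.IGNORECASE)
RUN_ENTRY = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROFILE_DIR = re.compile(r"\\(?:Application Data|Local Settings|Temp)\\", re.IGNORECASE)
EXE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    codes: List[str] = field(default_factory=list)
    path: str = ""  # on-disk file the entry points at, when one can be recovered


def triage_line(line: str) -> Finding:
    """Apply the heuristics to one HJT line; codes stays empty if nothing matched."""
    f = Finding(line.strip())
    m = HJT_LINE.match(f.line)
    if not m:
        return f
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):
        # body is "<key>,<value name> = <value>"; the value may be empty
        _, _, value = body.partition(" =")
        value = value.strip()
        if value.lower() == "about:blank":
            f.codes.append("about-blank")
        rm = RES_DLL.match(value)
        if rm:
            f.codes.append("res-dll")
            f.path = rm.group("dll")
    elif kind == "O2" and body.endswith("(file missing)"):
        f.codes.append("bho-missing")  # nothing on disk to delete, registry entry only
    elif kind == "O4":
        rm = RUN_ENTRY.match(body)
        if rm:
            cmd = rm.group("cmd")
            pm = EXE_PATH.match(cmd)
            if pm:
                f.path = pm.group("path")
            if PROFILE_DIR.search(cmd):
                f.codes.append("run-from-profile")
            if "?" in (f.path or cmd):
                f.codes.append("odd-filename")
    return f


def triage_log(text: str) -> List[Finding]:
    """Return only the entries that triggered at least one rule."""
    return [f for f in (triage_line(l) for l in text.splitlines() if l.strip()) if f.codes]


def files_to_review(findings: List[Finding]) -> Set[str]:
    """Files behind flagged entries: what to check or delete in safe mode after
    the registry entries themselves have been fixed with HJT."""
    return {f.path for f in findings if f.path}


def report(text: str) -> str:
    findings = triage_log(text)
    out = []
    for f in findings:
        out.append(f.line)
        out.extend(f"    [{c}] {REASONS[c]}" for c in f.codes)
    paths = files_to_review(findings)
    if paths:
        out.append("Files to review in safe mode:")
        out.extend(f"    {p}" for p in sorted(paths))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Two entries in the sample are deliberately left unflagged: the TBPS toolbar and Security iGuard both run from Program Files and look like ordinary installed software, and the thread shows they were judged from where they came from (a bundled toolbar, a download from a pop-up), not from their path. That judgement is the part a script cannot make; the script only narrows down what to look at.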
     
  22. Maggie79

    Maggie79 Private E-2

    Hello again,

    Firstly I have run HJT and fixed the lines you told me. I have removed the Security iGuard program and fixed the HJT line related to it. I don't know what that software is; I think I downloaded it from a pop-up ad linked with the about:blank spyware. Shouldn't have done that - now I will only download TRUSTED antispyware things!

    Now about this part:
    None of these files/folders were found after the computer was rebooted.

    AboutBuster log gives me this (sorry for not attaching, but it was said to be in Progress for a long time when trying to upload and couldn't attach it properly somehow):

    Scanned at: 11:55:41 PM on: 04/11/2004

    -- Scan 1 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    ADS not scanned System(FAT)
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 2 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    ADS not scanned System(FAT)
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    As requested, the new HJT file is attached.
    The HJT log was done in Safe Mode.

    I'll check again soon for the next steps,
    I'm learning new things while doing this work :)
    Maggie
     

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  24. Maggie79

    Maggie79 Private E-2

    Great!! I don't have any noticeable problems right now - everything is running smoothly. I will enable system restore now that we are finished. I read the sticky and will do those steps you mention.

    Two last questions though (not answered in the stickies - I did check!):

    1. I was thinking about putting back the " don't show hidden files" option. This way I could avoid deleting an important file that is hidden. Is this a good idea?

    2. A friend told me to browse with Mozilla Fire Fox instead of Internet Explorer to avoid pop-up and spyware. Do you think it is a good idea, provided that I would use the spyware + anti-virus softwares in both cases?

    3. I download music with the Morpheus software. I have been told that this program is particularly prone to spyware. True? Any better options?

    PS: If you can't / don't have time to answer my questions, maybe you could tell me where to search for the info?

    THANKS A LOT FOR YOUR HELP.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's 3 questions! It will cost you extra! :)

    1) It's up to personal preference. If you feel safer hiding those files, disable viewing. But remember you will have to do it anytime you run into a problem. It does make it harder sometimes to see legitimate stuff too. The first thing I do on any PC I get is to enable viewing of everything. But that's me.

    2) Did you read step 8 of the How to Protect yourself from malware!

    3) I don't know too much about Morpheus. You may want to ask in the Software Forum. But just be aware that ALL of these file sharing programs open doors into your PC. Some of those sharing sites just happen to be worse than others. For example, Kazaa is really bad. I know we have Emule for download on MGs (eMule) and some people use it. I do not use any of these kind of programs. I have also seen eDonkey mentioned. I also know nothing about it.

    And you're welcome!
     
  26. Maggie79

    Maggie79 Private E-2

    Thank you very much for answering my questions and being so helpful. It's really appreciated. I hope I won't have to post again though because it would mean I have other problems. :p But I'll keep reading.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Maggie! Happy I could help!
     
