Help with HSA about:blank

HJT is not the first step and we have guidelines about when and how to post logs. While you do have the HSA hijack you must do things in the proper order. Please follow our guidelines. No logs unless we request them and they must be attachments. You must locate HJT in the proper directory and have no browsers running when using it (see below).

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

Make sure you pay close attention to steps referring to about:blank or HSA or Only the Best hijackers. Definitely you should be running about:Buster and HSremove where indicated.

After doing ALL of the above if you still have a problem:

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

It this does not clean you up (and often this hijacker is very difficult to remove), the next step may be:
When all else fails - Generic Solution to HSA (Only the Best) & about:Blank hijack

 

Post a current HJT log and read thru the Generic Solution but don't start it yet. Ask any questions you may have on doing any of the steps. If we need to run it, it you must be disconnected from the internet with no browsers running, and you need to run from beginning to end without rebooting except where indicated. Do not reboot after posting your log because files could mutate. Wait until I get back to you.

 

Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\idyoj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\idyoj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\idyoj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\idyoj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\idyoj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\idyoj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\idyoj.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A0155D68-A707-2FAF-F02D-027C5446BD84} - C:\WINDOWS\system32\appxl32.dll

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete (if found):
C:\WINDOWS\system32\idyoj.dll
C:\WINDOWS\system32\idyoj.dat
C:\WINDOWS\system32\idyoj.exe
C:\WINDOWS\system32\appxl32.dll
C:\WINDOWS\system32\appxl32.dat
C:\WINDOWS\system32\appxl32.exe
Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

You're welcome.

Just fix these to items with HJT:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab


After that you should check this out: How to Protect yourself from malware!

And you should be good to go.

 

Just use the automatic removal tool: MSJVM Removal Tool 1.0a

Run FireFox and click Tools, Options. You will see a selection on that page for Default Browser. Just check it and the say yes when it asks you if you want it to be your default browser. If it is already your default, it will not ask.