I need help removing "about:blank"

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Stephen Roessler, Jan 21, 2005.

  1. Stephen Roessler

    Stephen Roessler Private E-2

    I followed all the steps listed in "read me first" post. I was unsuccessful at removing "about:blank". Hope you don't mind, I went ahead and attached a HJT log file. I'd appreciate any help.
    Thanks, Steve
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the future please wait to be asked to post a log.
    Why do you have two sessions of HJT running and from two different locations:
    C:\Program Files\HijackThis\HijackThis.exe
    C:\Program Files\highjackthis\HijackThis.exe

    That's not a good thing to do.

    You said you followed all the steps in the READ ME. So tell me why this service is still running.

    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ipxo32.exe

    See step 2 of the section titled Getting Prepared; Steps to be sure your system is ready to be scanned:


    Did you have a problem running these steps? If so, that should have been explained.

    You have other issues that must be fixed first. I'll start those steps in my next message.

    But make sure you have downloaded HSremove and About:Buster.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First step:
    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Second Step:
    If the below service is still running, stop it and disable it as per the instructions in the READ ME FIRST:
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ipxo32.exe

    Third Step:

    Make sure system restore is disabled and viewing of hidden files is enabled.

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your PC to the internet and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    ipxo32.exe
    ienf32.exe

    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qqaty.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qqaty.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qqaty.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qqaty.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qqaty.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qqaty.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qqaty.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {450AE58B-1398-3EC2-C67A-3F51544D8206} - C:\WINDOWS\system32\mfcad32.dll
    O4 - HKLM\..\Run: [iphv.exe] C:\WINDOWS\system32\iphv.exe
    O4 - HKLM\..\Run: [ienf32.exe] C:\WINDOWS\ienf32.exe
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ipxo32.exe

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (if you find them):

    C:\WINDOWS\system32\iphv.exe
    C:\WINDOWS\ienf32.exe
    C:\WINDOWS\ipxo32.exe
    C:\WINDOWS\system32\qqaty.dll
    C:\WINDOWS\system32\mfcad32.dll

    If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately reboot in normal mode. (you do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
     
  4. Stephen Roessler

    Stephen Roessler Private E-2

    In the Third Step
    Run Windows Explorer and look for and try to delete (if you find them):

    C:\WINDOWS\ienf32.exe
    C:\WINDOWS\ipxo32.exe

    I found these above 2 files, but was unable to delete them.
     

    Attached Files:

    • ab1.log (749 bytes)
    • ab2.log (560 bytes)
  5. Stephen Roessler

    Stephen Roessler Private E-2

    I opened and closed IE a few times and I'm still getting hijacked. I posted a new HJT log.
    Thanks, Steve
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need to get this service stopped and disabled:
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ipxo32.exe

    Go back to step 2 of the Getting Prepared section of the READ ME FIRST and look for this Network Security Service. If it is not found by that name, look for a gibberish name like the below:

    ?%AF夶À¨

    Let me know what you find. Also note the name of the file in the path to executable should be C:\WINDOWS\ipxo32.exe
     
  7. Stephen Roessler

    Stephen Roessler Private E-2

    I found the file: "Network Security Service" - I stopped and disabled it as instructed by READ ME. I went back to check it again under "services.msc" a few seconds later and "Network Security Service" reads: status=started; startup type=automatic.
    I even tried to stop and disable it with the internet cable unplugged and still no luck.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try it again but this time just before stopping and disabling, have Task Manager open and kill this process ienf32.exe then immediately stop and disable the service.

    What happens?
     
  9. Stephen Roessler

    Stephen Roessler Private E-2

    Could you please explain how to:

    "have Task Manager open and kill this process ienf32.exe then immediately stop and disable the service."
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run services.msc first and get yourself already on that screen to stop and disable the service.

    Now open Task Manager by hitting CTRL-ALT-DEL simultaneously then click the Processes tab. If you click the Image name column it will sort the process list for you. Find your process and right click on it and select End Process.

    Now immediately go back to the services window and stop and disable the service.

    You should already know how to do this after doing message number 3!
     
  11. Stephen Roessler

    Stephen Roessler Private E-2

    I can't find the file ienf32.exe under Task Manager /Processes tab.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may have changed names! Post a new HJT log and do not reboot!
     
  13. Stephen Roessler

    Stephen Roessler Private E-2

    new hjt log
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's still in your Process list. Try using HijackThis to End the process.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process and kill it by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\ienf32.exe

    After killing the above process, stop and disable the service.
     
  15. Stephen Roessler

    Stephen Roessler Private E-2

    I was able to kill the process and disable the service, but it was reactivated; it took longer. I think it reactivated when I went back online.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now you know how to do it. Repeat the procedure and do all the steps in message # 3 again but use the new file names from your log. DO EVERYTHING WITH BROWSERS CLOSED AND PHYSICALLY DISCONNECTED FROM THE INTERNET.

    Here is the stuff to be concerned with in your log:


    C:\WINDOWS\ienf32.exe
    C:\WINDOWS\ipxo32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zzstj.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zzstj.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zzstj.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zzstj.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zzstj.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zzstj.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zzstj.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {34A8C882-0B85-48F6-9143-61D261C5D1D1} - C:\WINDOWS\d3al32.dll
    O4 - HKLM\..\Run: [ienf32.exe] C:\WINDOWS\ienf32.exe
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ipxo32.exe
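
Added example, not part of the original posts and not a HijackThis feature: a short Python script that compares two HijackThis excerpts and reports, per log section, which referenced files disappeared and which new ones appeared. This is the check behind "It may have changed names!" and "use the new file names from your log". The function names are hypothetical, and the sample lines are a subset of the entries quoted in messages 3 and 16.

```python
import re

# Constructed sample input: a subset of the HijackThis lines quoted in this thread
# (message 3 = first log, message 16 = log taken after the hijack came back).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qqaty.dll/sp.html#28129
O2 - BHO: (no name) - {450AE58B-1398-3EC2-C67A-3F51544D8206} - C:\WINDOWS\system32\mfcad32.dll
O4 - HKLM\..\Run: [iphv.exe] C:\WINDOWS\system32\iphv.exe
O4 - HKLM\..\Run: [ienf32.exe] C:\WINDOWS\ienf32.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ipxo32.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zzstj.dll/sp.html#28129
O2 - BHO: (no name) - {34A8C882-0B85-48F6-9143-61D261C5D1D1} - C:\WINDOWS\d3al32.dll
O4 - HKLM\..\Run: [ienf32.exe] C:\WINDOWS\ienf32.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ipxo32.exe
"""

# A drive-letter path ending in .exe or .dll; also matches inside res://C:\...\x.dll/sp.html
PATH_RE = re.compile(r'[A-Za-z]:\\[^/*?"<>|\r\n]+?\.(?:exe|dll)', re.IGNORECASE)

def components(log):
    """Map each section code (R1, O2, O4, O23, ...) to the set of file paths it references."""
    found = {}
    for line in log.splitlines():
        m = re.match(r"\s*([A-Z]\d+) - ", line)
        p = PATH_RE.search(line)
        if m and p:
            found.setdefault(m.group(1), set()).add(p.group(0).lower())
    return found

def renamed(before, after):
    """Per section: paths present only in the first log and only in the second log."""
    b, a = components(before), components(after)
    report = {}
    for code in sorted(set(b) | set(a)):
        gone = b.get(code, set()) - a.get(code, set())
        new = a.get(code, set()) - b.get(code, set())
        if gone or new:
            report[code] = {"gone": sorted(gone), "new": sorted(new)}
    return report

def worklist(log):
    """Every distinct file path in a log: the names to use when repeating the cleanup."""
    return sorted(set().union(*components(log).values()))

if __name__ == "__main__":
    print(renamed(LOG_BEFORE, LOG_AFTER))
    print(worklist(LOG_AFTER))
```

Sections that reference the same path in both logs (here the O23 service and the ienf32.exe Run entry) do not appear in the report; those are the components that survived unchanged between the two logs.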
     
  17. Stephen Roessler

    Stephen Roessler Private E-2

    It appears to be working fine now. I attached a new hjt log, along with the ab1 & ab2 logs above.
     


  18. Stephen Roessler

    Stephen Roessler Private E-2

    about buster logs
     

    Attached Files:

    • ab1.log (749 bytes)
    • ab2.log (392 bytes)
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You look clean now! Good job following the directions!

    Now to help avoid problems like this in the future, complete any steps from the below link that you have not already implemented:

    How to Protect yourself from malware!
     
  20. Stephen Roessler

    Stephen Roessler Private E-2

    Thank you for the help! :)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
