obscure reference to about:blank

Discussion in 'Malware Help (A Specialist Will Reply)' started by IceMaiden, Jul 18, 2005.

  1. IceMaiden

    IceMaiden Private E-2

    Hi, several months ago I had the about:blank hijacker which I got when a relative changed my OS to XP without my knowing it and didn't replace my Norton's, Adware and Spybot, etc.
    I went through all of your tutorial and did everything but the ADSspy which I wasn't able to make work. Anyway, I thought I was about:blank free for some time and I have all my protection up and running but once in a while in the bottom tool bar and once in the very top green bar I saw just for a moment microsoft about:blank and then it switched to where I was going. Then yesterday when doing an airline ticket search, I clicked on the calendar for a date and for just a moment again I saw about:blank. Does this mean I still have it? Last time I edited my own hijack log with the guidance of the tutorial. However, I didn't fix any of the norton antivirus lines because I thought they were safe. Could I post a hijack log and get your professional opinion? Thank you. IceMaiden
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you run thru the READ ME FIRST recently or was it run several months ago?
     
  3. IceMaiden

    IceMaiden Private E-2

    It's been probably about a month since I went thru it all. I was just on the Canon site looking for help with my old printer and about:blank showed twice in the address box and then changed to the right address.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A month or even two weeks is a very long time in the malware world unless the PC has had no use in that time frame.

    That does not sound like an about:blank hijacker problem. You could just try a reset of your websettings.


    To Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  5. IceMaiden

    IceMaiden Private E-2

    I can type a new home address in such as majorgeeks.com but the use current button is not highlighted and the use default has a long string ending in microsoft.com then there is a button called use blank which when clicked says about:blank. Is this just for someone who wants to have a blank home page or does this have to do with the hijacker? Is there some other place to change my use default button because even if I type majorgeeks in that box it will still revert back to the microsoft.com and I cannot click on the use current button. I hope I'm not asking too dumb of a question.
    Thanks, IceMaiden
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes the Use blank is just to set the page to be blank.

    Try the below for the Home Page problem.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file UnlockHP.reg and then click save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the UnlockHP.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
     
  7. IceMaiden

    IceMaiden Private E-2

    I did exactly as you asked but the use current button is still not highlighted. Under the programs tab when you click reset your web settings it asks "Do you want to reset to your original internet explorer defaults." I tried it both ways but it didn't change anything. I can still type majorgeeks.com in myself as the home page so I don't know if this matters all that much or not, just curious about why the button is not highlighted. Thanks, IceMaiden
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is a setting someplace that is blocking the buttons from being available. This is normally contained in a registry key location. That is what that patch I gave you was attempting to fix.

    Do you have administrator privileges?
    Have you tried booting in safe mode and seeing if the buttons are available?

    Please follow the directions below exactly:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  9. IceMaiden

    IceMaiden Private E-2

    Yes, I have administrator privileges and yes I have booted in safe mode and the button is still unavailable. I am working on the Hijack This right now. Thank you, IceMaiden
     
  10. IceMaiden

    IceMaiden Private E-2

    I am attaching my log file now. You didn't say to run it in safe mode so I ran the scan in normal mode.
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How in the world did you get your Symantec software installed like the below:
    C:\New Folder\navapsvc.exe
    C:\New Folder\IWP\NPFMntor.exe

    You have some of it installed properly to the Symantec folder but the above was a bad idea. It may be working okay (not sure) but this is not the right way to install it. All of their software should be installed in their own normal default folders.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working. Any change to your problem now?
     
  12. IceMaiden

    IceMaiden Private E-2

    No, the button is still inaccessible. I have posted two logs, one run in normal mode and one run in safe mode. You will see that there are a couple of possibly suspicious entries in safe that aren't in the one in normal. As for the weird installation of NAV. When my son installed XP without my knowledge he didn't do anything about the NAV already running and when he was finished it was badly corrupted. After four days, and much help from NAV and dialogues we were able to get it reinstalled and it seems to work okay but that is a possible reason for the weird installation. If it could be reinstalled properly and still work I would be willing to try it. Thank you. Ice Maiden
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you are referring to? There are no suspicious entries. The only difference is that the below seem to disappear in normal mode:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    I'm not sure why.
    Are you logging into safe mode and normal mode on the same user account?

    Try re-running the registry patch from message # 6 now.

    I think you should go to the below thread and begin by completing step 1 which is Microsoft Update.

    How to Protect yourself from malware!
     
    Last edited: Aug 22, 2005
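
The entry-by-entry comparison of a safe-mode and a normal-mode HijackThis log discussed in the posts above can be scripted. This is an added example, not part of the original thread: the function names are hypothetical, and the sample logs are constructed from lines quoted in the thread rather than taken from the attached files.

```python
import re
from collections import defaultdict

# A HijackThis entry line is "<section code> - <text>", e.g. "O6 - ...".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_hjt(log_text):
    """Return {section_code: set(entry_text)}; non-entry lines are skipped."""
    entries = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].add(m.group(2))
    return entries

def only_in(log_a, log_b):
    """Sorted (code, text) pairs present in log_a but absent from log_b."""
    a, b = parse_hjt(log_a), parse_hjt(log_b)
    return sorted((code, text) for code, texts in a.items()
                  for text in texts - b.get(code, set()))

def policy_restrictions(log_text):
    """O6 entries: a Policies key restricting Internet Options is present."""
    return sorted(parse_hjt(log_text).get("O6", set()))

# Constructed sample logs assembled from lines quoted in the thread;
# they are not the logs attached to the posts.
PRE_FIX_LOG = r"""C:\New Folder\navapsvc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""
SAFE_MODE_LOG = r"""C:\New Folder\navapsvc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
"""
NORMAL_MODE_LOG = r"""C:\New Folder\navapsvc.exe
"""

if __name__ == "__main__":
    for code, text in only_in(SAFE_MODE_LOG, NORMAL_MODE_LOG):
        print(f"only in safe mode: {code} - {text}")
    for text in policy_restrictions(PRE_FIX_LOG):
        print(f"restriction: O6 - {text}")
```

R0 entries that appear in only one of the two logs are worth checking against the user account each scan ran under, since HKCU is per-user.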
