Pernicious About:Blank hijacker

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ohmadon, Jul 9, 2011.

  1. Ohmadon

    Ohmadon Private E-2

    I seem to have acquired an About:Blank hijacker that is proving very difficult to remove. The computer is also booting very slowly at times, so I suspect something else is going on as well. I did run SUPERAntiSpyware a couple of weeks ago and that seemed to help, but the problem has returned. As I was downloading the tools to run through your malware guide, when I tried to download Combofix I was diverted to About:Blank. I did manage to get a copy from BleepingComputer, but I couldn't access the MajorGeeks link. I've attached logs from MGtools, SAS, Mbam, and RootRepeal. I also have a Combofix log I can send in a second post, but it appears to be included in the MGTools logs. I appreciate any suggestions you can make or any help you can offer!
     
  2. thisisu

    thisisu Malware Consultant

    Hi, welcome to Major Geeks!

    Yes please attach the logs from the following programs:

    • MGtools
    • SAS
    • MBAM
    • RootRepeal
     
  3. Ohmadon

    Ohmadon Private E-2

    Logs attached. Thanks for the quick response!
     

  4. thisisu

    thisisu Malware Consultant

    If you want to change your start-page from about:blank
    Please do the following:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now try opening Internet Explorer, is about:blank still your homepage?

    What is this file?
    If you don't know, please delete it

    I'm not seeing any malware in your logs so far, but I would like you run the following scans.

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky.
    Be sure to attach your log from TDSSKiller.

    Please also download MBRCheck to your desktop.
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
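Added example, not code from the thread, from MajorGeeks or from HijackThis: a small Python parser for HijackThis-style R0/R1 log lines (the start-page / search-page entries thisisu has the poster select and fix in analyse.exe) that flags values set to about:blank or to non-http locations such as res:// paths, which a responder would then check against what the user actually configured. The sample log lines are constructed for the example; the res:// path and DLL name in them are placeholders, not files from the poster's logs.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample lines in the HijackThis (HJT) log format; they are NOT
# the poster's actual log. The HKLM "Start Page = about:blank" entry is the
# kind of line the thread has the user select and fix in HJT.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\example.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
"""

# R0..R3 lines have the shape "<Rn> - <hive>\<key path>,<value name> = <data>"
HJT_R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+)\\([^,]+),([^=]+?) = (.*)$")


class Finding(NamedTuple):
    line: str        # the original log line
    hive: str        # HKLM or HKCU
    value_name: str  # e.g. "Start Page"
    data: str        # the configured URL / value
    reason: str      # why a reviewer should look at it


def classify_page_value(data: str) -> Optional[str]:
    """Return a reason if a start/search value deserves a look, else None."""
    d = data.strip().lower()
    if d == "about:blank":
        return ("about:blank start/search page: legitimate if the user chose it, "
                "a hijacker symptom if they did not")
    if d.startswith(("http://", "https://")):
        return None
    return ("non-http start/search value (res://, file paths, etc.) - a classic "
            "browser-hijacker pattern; verify the referenced file")


def scan_hjt_log(text: str) -> List[Finding]:
    """Parse R0-R3 lines from an HJT-style log and return the ones worth reviewing."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_R_LINE.match(line)
        if not m:
            continue  # O2, O4, ... lines are out of scope for this example
        _, hive, _key_path, value_name, data = m.groups()
        reason = classify_page_value(data)
        if reason:
            findings.append(Finding(line, hive, value_name.strip(), data.strip(), reason))
    return findings


if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f.hive:<5} {f.value_name:<16} {f.data}")
        print(f"      -> {f.reason}")
```

Run against the constructed sample, the HKLM about:blank start page and the res:// search page are reported while the two http:// entries are ignored; the reason text deliberately distinguishes a user-chosen about:blank from a hijacked one, since the final post in the thread makes the same point about about:blank not being a hijacker sign by itself.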
     
  5. Ohmadon

    Ohmadon Private E-2

    Thanks for the reply, thisisu.

    I used MGTools to fix the about:blank HKLM key. The home page is no longer about:blank, but when I tried to use the link you provided to TDSSKiller I was diverted to an About:Blank page for a few seconds, and then the browser opened the page with the TDSSKiller download. That is a bit of an improvement from this afternoon - when I tried to follow your link to MBRCheck, I was diverted to an About:blank page which tried to download something else but was blocked by the download blocker. The only way I could get MBRCheck was to manually enter the http address - the link was always diverted to About:Blank.

    I don't know what the 2dbf~1 file is but I can't find it, even with the files not hidden. Search does not turn up anything either. It must be well hidden, which makes me suspicious. How do I track down and delete this file?

    TDSSKiller and MBRChecker didn't turn up anything. The logs are attached.

    The computer has become very variable in boot times - sometimes it boots in 2 minutes, sometimes it takes an hour. It is also losing some of the drivers and settings, particularly those related to the monitor. I don't know if it is related to the About:Blank issue, but the boot problem started about 2 weeks ago, just after I first ran SUPERAntispyware to try to fix the About:Blank issue.

    Thanks again for your help with this!
     

  6. thisisu

    thisisu Malware Consultant

    What malware problems are you having? Your logs are clean of any type of about:blank hijacker and malware in general.

    Based on what you have told me here, this is more of a software / hardware / driver issue.
     
  7. Ohmadon

    Ohmadon Private E-2

    You are right about the driver/software problems - I uninstalled Catalyst Control Center and removed and re-installed the ATI video card drivers and that seems to have fixed the boot problem.

    I still can't find the 2dbf~1 file that you recommended I delete.

    I haven't seen the About:Blank redirect problem since Monday when I was going through your procedure, so that seems to be cleaned up as well.

    Good to hear that my PC is clean again! Thank you for your help - I really appreciate it.

    Is there anything I should do to clean up from the tools you had me use? I notice I've got a Qoobox folder on my C: drive - I assume that's from Combofix.

    Thanks again!
     
  8. Ohmadon

    Ohmadon Private E-2

    Oops, perhaps I spoke too soon. There is still something odd going on, but maybe it's not a problem. I just tried to follow the link Major Geeks provides to the Comodo firewall and it took me to http://About:Blank. After a few seconds, it took me to the Comodo download page. I was having this same redirect before I followed your cleaning procedure. Does it indicate I still have a problem, or is it normal? I don't recall noticing it before I had the About:Blank infection, but I wasn't looking for About:Blank issues then either. It isn't happening every time I try to follow a link, just now and then.

    Thanks again!
     
  9. thisisu

    thisisu Malware Consultant

    Note: Seeing about:blank appear momentarily is not a sign of a hijacker. In fact, far from it. It is more likely just due to some kind of slow browsing, surfing, connection, etc. condition.

    Since you are not having malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  10. Ohmadon

    Ohmadon Private E-2

    Thanks for your help, thisisu. The tools are removed and everything looks good. Fabulous site you folks have here - great information resource and responsive and competent help to work through the problems. I really appreciate the time and trouble you took to help me out.

    Thanks again!
     
  11. thisisu

    thisisu Malware Consultant

    You're welcome
    Surf safely! ;)
     