Trojan About:Blank Hijacker

Discussion in 'Malware Help (A Specialist Will Reply)' started by starryknight2005, Sep 5, 2005.

  1. starryknight2005

    starryknight2005 Private E-2

    When I first contracted this virus and couldn't get rid of it, I just deleted all the Internet Explorer files I could and started using Firefox. This solved the homepage hijack problem but, of course, I still had the virus. My Norton Internet Security software was still stating it couldn't get to it to delete it.

    From your website, I printed and tried to follow all the instructions to purge this virus but I'm not sure if it is gone. I downloaded and used all the scan and removal files in order as instructed but couldn't use one of them. When I downloaded aboutbuster, the screen would come up to do a scan, but according to the instructions, I could only use it after some of the others. Unfortunately, when it came time to use it, I got an error message that the file had been corrupted and to download another one. I originally did all this in safe mode. I went back into normal mode and downloaded another aboutbuster program but it did the same thing.

    I decided to do everything else (minus aboutbuster), then reinstalled IE6. I have used IE6 and have not had the homepage hijack problem today (yet). I downloaded aboutbuster separately and did a scan and it didn't show any signs of the Trojan virus. At this point I thought I had finally got rid of it but then a window came up from Norton Internet Security saying it had detected the Trojan virus but access to it for deletion was denied.

    So, now I'm not sure if I actually still have it or not. I'll continue to use IE6 just to see if it comes back.....hopefully, it won't. Any help would be appreciated.
     
  2. starryknight2005

    starryknight2005 Private E-2

    D3m3nt3d,

    Thanks for your help. Here's the log (attached).

    Also, one other instruction I got from another forum suggested using Registrar lite. It took me to the following:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs.

    It went on to say that I should find a hidden file name under the data column in the field next to AppInit_DLLs. This is the file I needed to find and delete. Unfortunately there was no file name in that field. Is there any truth to that instruction?
     

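A read-only way to inspect the AppInit_DLLs value asked about in the post above, as an added example that is not part of the original thread. The function name `Get-AppInitEntry` is hypothetical, and the rule that a bare DLL name resolves to the system directory is an assumption of this example; `LoadAppInit_DLLs` is only present on newer Windows versions.

```powershell
# Added example (read-only): list what AppInit_DLLs would load and flag odd entries.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on 64-bit Windows
)

function Get-AppInitEntry {
    param([string[]]$KeyPath = $AppInitKeys)
    foreach ($key in $KeyPath) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # LoadAppInit_DLLs is absent on older Windows; $null here means "not present".
        $enabled = $props.LoadAppInit_DLLs
        # The value holds DLL names separated by spaces or commas.
        $names = @(([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ })
        if ($names.Count -eq 0) {
            [pscustomobject]@{ Key = $key; Dll = '(empty)'; LoadEnabled = $enabled
                               Exists = $null; Attributes = $null; Signature = $null }
            continue
        }
        # Assumption: a bare file name resolves to the system directory for that view.
        $sysDir = if ($key -like '*WOW6432Node*') { 'SysWOW64' } else { 'System32' }
        foreach ($name in $names) {
            $path = $name
            if (-not [IO.Path]::IsPathRooted($name)) {
                $path = Join-Path (Join-Path $env:SystemRoot $sysDir) $name
            }
            # -Force makes Get-Item return files marked Hidden or System.
            $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            $sig  = if ($file) { (Get-AuthenticodeSignature -FilePath $file.FullName).Status } else { $null }
            [pscustomobject]@{
                Key = $key; Dll = $path; LoadEnabled = $enabled
                Exists = [bool]$file; Attributes = $file.Attributes; Signature = $sig
            }
        }
    }
}

Get-AppInitEntry | Format-List
```

An entry whose file exists, carries Hidden or System attributes and reports `NotSigned` is the one to examine first.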

  3. starryknight2005

    starryknight2005 Private E-2

    D3m3nt3d,

    Please bear in mind that I have limited knowledge with computers so I will follow your instructions to the letter if possible. Here is what I did:

    I went into the "add/remove" programs in the control panel. I assume that's where you wanted me to go. I did not find anything called "wareout". I went into Hijackthis and scanned and check-marked the items you listed; however, I did not find one of the O17 items. I did not select "fix checked" as it was not what you instructed. I rebooted in safe mode and did a search for the 7 .exe files, exactly as instructed, but did not find them. I did another scan in Hijackthis and attached the log. Thanks.
     


  4. starryknight2005

    starryknight2005 Private E-2

    D3m3nt3d,

    Ok, let's try this again. See attached log. Thanks.
     


  5. starryknight2005

    starryknight2005 Private E-2

    D3m3nt3d,

    I did as instructed but I didn't find the winrumgjx2.dll file. The other file was there and I deleted it. I also went ahead and did a scan from Norton Internet Security. Although it detected 4 other hijackers and numerous other threats, it was able to resolve all of them. It didn't detect the about:blank hijacker and I haven't had any problems with IE6 being redirected to another homepage, so maybe this problem is resolved as well. Thanks for your help.
     
  6. starryknight2005

    starryknight2005 Private E-2

    D3m3nt3d,

    While surfing tonight, my Norton Internet Security gave me a popup saying it had detected another trojan and couldn't get into it to delete it. When it comes up again, I'll write down what it is and post you again. I'll wait to do another log until then.
     
  7. starryknight2005

    starryknight2005 Private E-2

    D3m3nt3d,

    It looks like I have another trojan. When I started my computer, Norton did a scan and detected the following:

    c:\windows\system32\hclean32.exe

    I did a scan with Trend Housecall and it found one trojan with the file name:

    TROJ DELF.2K

    It was not able to clean the file. What do I need to do to clean this from my computer and how do I keep it from coming back?

    I did notice the last few times, when I open IE6, the homepage goes to hsremove.com. When I change it back to yahoo.com, it will stay there until the next time I open IE6.

    I did another Hijackthis scan and attached the log.

    Thanks again for your help.
     
