Hidesign asked:
Trojan about:blank

Yesterday, Norton gave me a message that a trojan virus was caught. However, when I went to my home page, about:blank kept appearing even after I reset my home page. I then ran Ad-Aware, which flagged the trojans (3), and I deleted them. However, when I went back to Explorer the about:blank page was still there, and when I ran Ad-Aware again the trojans were still there. I keep getting popups and my system is slower. How do I totally get rid of this?
Thanks
 
SOLUTION
CodedK
There's several versions of "About:Blank"
Let's see which one you've got -
Do this -

Download HijackThis (version 1.99.1) from:
http://www.gatesofdelirium.com/ee/tools/
Place it into a folder of its own - something like:
C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
Do not run it directly from the "Zip" file, a "temp" folder, or the Desktop.
HijackThis makes "backups" and it's good to have them in a centralized location.

With all browser windows closed - run HijackThis and
copy and paste the log file into the Analysis site here:
http://www.hijackthis.de/en

Click on the "Analyze" button; and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis -
Post a LINK to that page back here.

We'll take a look at it!  :)

Please, do not post your log file here!

Here's the Experts-Exchange guidelines on posting HijackThis logs:
https://www.experts-exchange.com/questions/21149514/Instructions-regarding-the-handling-of-HIJACK-THIS-logs.html

There are versions of this "stuff" that all the "Spyware" removers listed above
will have no effect on.
Let's see what "About:Blank" you have.

Good luck!
RF
Hidesign (ASKER):
Rf,
I followed your directions  - here is the link. Thanks for your help
http://www.hijackthis.de/logfiles/dd087b661ce9b94c045717bfa63ff845.html
SOLUTION
Thanks - I went to the link and got the page "
Homepage set to res://random.dll/index.html#randomnumber". Before I do the steps I want to verify with you that this is the right one. There is also a link for removing about:blank. Is the link you sent me the one I should use?
Thanks again
HS
RF,
 I tried the directions in http://www.pchell.com/support/onlythebest.shtml.
I am still getting about:blank as my home page. Hopefully I did it correctly. What do you think my next step should be?
Thanks again
Heidi
Hi!

Run HijackThis again, run your log through the analysis site -
Post a LINK to your new log here.
Sometimes this "thing" is stubborn.

RF
One other thing - there's a new version of "AboutBuster" (ver. 4) see here:
{About:Buster 4}   http://www.besttechie.net/forums/index.php?showtopic=1488

Also, use "The Hoster" to reset your hosts file:
Please download the Hoster from here:
          http://members.aol.com/toadbee/hoster.zip
          Unzip it to the desktop and run it.
          Click "Restore original HOSTS" and OK any prompts.
          You may have to reimmunize with Spybot, SpywareBlaster,
          and/or IE-SPYADs, etc. after doing this.
          Please restart your computer

RF
Here is the link from hijackthis
http://www.hijackthis.de/index.php#anl

I also noticed that when I sign in as a guest without admin rights, my home page is correct. Is there something about an admin user that the trojan latches on to?
Also, Explorer pops up without me even having to click on it. Something might have changed in the startup, but I don't want to touch anything until you see my analyzer results.

In step 4 of the instructions to remove the trojan, the service name "Network Security Services" had strange characters and the path is C:\WINDOWS\system32\mfctf.exe /s. I then deleted from the registry any occurrence of mfctp.exe according to the directions. Does this make sense?

Thanks
HS
No, you're still posting the link to the Analysis page - not the link to
the page with your saved analysis, which is what we need.
Read my instructions above carefully.
After your log is analyzed, you have to click on "Save Analysis" and then post a
link to the page that is generated.

Yes, deleting all references to it in the Registry is fine.
However, We still need to see a new HijackThis log.
Quite often, you have to go through the removal procedure
numerous times.

By the way, if it seems like I don't get back to this question in a timely fashion -
I'm having a very unpleasant time with my Internet connection!  :)

RF
Hi Hidesign,

Microsoft's new spyware removal tool is your best bet to get rid of such crap. You can get a copy for yourself from the link below :)
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

It may not require you to post back again and again; hopefully it works the first time.

Cheers!
If you wish to go through the HijackThis process, do as suggested in the PAQ.

https://www.experts-exchange.com/questions/21031644/about-blank-Trojan-browser-hijack.html?#11352877
another link that might be very informative for you by petelong

http://www.petenetlive.com/Tech/Browsers/hijack.htm
RF,
Here is the correct link. Sorry about posting the incorrect one.
http://www.hijackthis.de/logfiles/dd087b661ce9b94c045717bfa63ff845.html
Thanks
HS
I tried the Microsoft spyware tool. It found spyware and deleted it, but when I went to Explorer I received a warning that "unclassified spyware.65" was trying to change my home page. I ran the scanner again and again (4 more times) and it finds the spyware and deletes it, but it keeps coming back. Also, each time I ran it, it showed different files were infected and different registry keys.
What should be my next step? This spyware is unbelievable.
Thanks
 
Did you go through the removal procedure from the link I gave you -
without skipping any steps?
(http://www.besttechie.net/forums/index.php?showtopic=1488)

RF
Here's a breakdown of detailed instructions if you need it (step by step):

Please print out or copy this page to Notepad.  Make sure to work through the fixes in the exact order it is mentioned below.  If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.  You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.  Also make sure that 'Display the contents of system folders' is checked.  If you have Windows XP, the search feature is a little different.  When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom.  Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean.  If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip it to a folder on the Desktop.  Run AboutBuster and click OK.  Click Update and then Check For Update to see if there are any updates.  Close the program now.

Reboot into Safe Mode by hitting the F8 key until the menu shows up.  In some systems, this may be the F5 key, so try that if F8 doesn't work.
Go to Start->Run and type in services.msc and hit OK.  Then look for Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) and double click on it.  Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers.  Go into HijackThis->Config->Misc. Tools->Open process manager.  Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\sdkeb.exe
C:\WINDOWS\syskv32.exe

Run a scan in HijackThis.  Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129         
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AB05AE41-F1D5-D736-88F2-C487321270C0} - C:\WINDOWS\javaqv32.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll (file missing)
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sdkeb.exe] C:\WINDOWS\sdkeb.exe
O4 - HKLM\..\RunOnce: [syskv32.exe] C:\WINDOWS\syskv32.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfctf.exe (file missing)

Run AboutBuster and click OK.  Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all).  It will ask you if you want a second scan, choose Yes.  Save the log file and post it here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\javaqv32.dll
C:\WINDOWS\gpl.dll
C:\WINDOWS\sdkeb.exe
C:\WINDOWS\syskv32.exe
C:\WINDOWS\system32\mfctf.exe

Reboot into Normal Mode and run a new HijackThis scan.  Save the log file, run the scan at hijackthis.de, and post a link to the analyzed log.
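The triage behind the procedure above is done by eye: R0/R1 keys whose value is a res:// URL into a DLL, a machine-wide Default_Page_URL forced to about:blank, BHOs with no name or with a DLL that no longer exists, Run/RunOnce loaders dropped straight into C:\WINDOWS, and a service with a garbled display name and no owner. The same checks can be run over a HijackThis log as a first pass. The Python below is an added example, not code from this thread or from HijackThis; the sample log lines are constructed from the entries quoted above plus two ordinary entries (Start Page, Local Page) that a clean log would also contain and that must not be flagged, and the heuristics are assumptions about this hijacker family rather than HijackThis's own rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis-style lines modelled on the entries quoted
# in the thread, plus two ordinary entries (Start Page, Local Page) that a
# clean log would also contain and that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ocnty.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://localhost/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AB05AE41-F1D5-D736-88F2-C487321270C0} - C:\WINDOWS\javaqv32.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll (file missing)
O4 - HKLM\..\Run: [sdkeb.exe] C:\WINDOWS\sdkeb.exe
O4 - HKLM\..\RunOnce: [syskv32.exe] C:\WINDOWS\syskv32.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfctf.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# A drive-letter path ending in a binary or data file; the match stops before
# trailing text such as "/sp.html#28129" or " (file missing)".
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|dat)\b", re.IGNORECASE)


@dataclass
class Finding:
    code: str          # HijackThis section code, e.g. "R1", "O4"
    line: str          # the raw log line
    reasons: list = field(default_factory=list)
    paths: list = field(default_factory=list)  # files the entry references


def classify(line: str):
    """Return a Finding for a HijackThis entry, or None for a non-entry line.

    The heuristics are assumptions drawn from the hijacker described in the
    thread, not HijackThis's own rules. An empty `reasons` list means the
    entry looked ordinary.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    f = Finding(code=code, line=line.strip(), paths=PATH_RE.findall(body))

    if code in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        value = value.strip().lower()
        if value.startswith("res://"):
            f.reasons.append("IE start/search key points at an HTML resource inside a DLL (res://)")
        if key.lower().endswith("default_page_url") and value == "about:blank":
            f.reasons.append("Default_Page_URL forced to about:blank")
    elif code == "R3" and "missing" in body.lower():
        f.reasons.append("default URLSearchHook has been removed")
    elif code == "O2":
        if "(no name)" in body:
            f.reasons.append("BHO registered without a name")
        if "(file missing)" in body:
            f.reasons.append("BHO registration whose DLL no longer exists")
    elif code == "O4":
        for p in f.paths:
            # The loaders in the thread sit directly in %WINDIR%, not in a
            # program's own folder or in system32.
            if p.rsplit("\\", 1)[0].lower() == r"c:\windows":
                f.reasons.append("autorun executable placed directly in the Windows directory")
    elif code == "O23":
        if "unknown owner" in body.lower():
            f.reasons.append("service with no identifiable owner")
        if any(not ch.isascii() or not ch.isprintable() for ch in body):
            f.reasons.append("service name contains non-ASCII or non-printable characters")
        if "(file missing)" in body:
            f.reasons.append("service image no longer exists on disk")
    return f


def scan(log_text: str) -> list:
    """Return only the entries that triggered at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        f = classify(raw)
        if f is not None and f.reasons:
            findings.append(f)
    return findings


def files_to_inspect(findings) -> list:
    """Unique file paths referenced by flagged entries, in log order."""
    unique = {}
    for f in findings:
        for p in f.paths:
            unique.setdefault(p.lower(), p)
    return list(unique.values())


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.code}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
    print("\nFiles referenced by flagged entries:")
    for p in files_to_inspect(hits):
        print("   ", p)
```

Run as a script it prints each flagged entry with its reasons, followed by the six file paths the flagged entries point at, which is the same list the manual procedure tells the asker to kill, fix and delete. The two ordinary entries pass through silently, which is the point of keeping them in the sample: a log-triage heuristic that flags every Start Page is no help.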
Thank you - I will go through the process now. Yesterday I ran Spy Sweeper and it deleted the spyware, but it kept reinstalling itself. The program atlvk32.exe kept getting flagged. I was not able to delete it out of Windows, but I kept deleting it out of my registry. Is this part of the about:blank hijacker?
Now when I go into Outlook, I keep getting the message that it can't connect to the database engine.
I'll write back after I try the above directions. Thanks for everybody's input.
I went through the process above, step by step. I still have the hijacker. It seems that each time a different executable is the culprit. Now it seems to be ieqs.exe. What program keeps generating the hijacker? Thanks

Here is the link to my new hijack analysis: http://www.hijackthis.de/logfiles/70cc4cc6e41e8699bf5fa141498c1de3.html

Here is the AboutBuster logfile:

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 2 Random Key Entries
Removed! : C:\WINDOWS\kmovo.dat
Removed! : C:\WINDOWS\xuvwy.dat
Removed! : C:\WINDOWS\System32\kiwbg.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

ASKER CERTIFIED SOLUTION
Here's the new hijack link:
http://www.hijackthis.de/logfiles/70cc4cc6e41e8699bf5fa141498c1de3.html

(about:blank is still there)

Thanks
Just want to confirm, are you in Safe Mode when doing these fixes?  Is Internet Explorer closed?

Check and fix all those R0 and R1 entries except for the one with localhost.  Also check this one:

O2 - BHO: (no name) - {3C149E0B-2AF5-C8DC-F78A-AAC09F8001C3} - C:\WINDOWS\syszi32.dll

Then hit Fix Checked.

Run AboutBuster.  Delete this file:

C:\WINDOWS\syszi32.dll

Restart and go back to normal mode.  Do a new HijackThis scan and post it at that hijackthis.de site.
I have finally resolved this problem. I did all the above directions and then used Spysweeper in safe mode and the about:blank was gone. Thanks for all your help - I'll split the points since the fix was a combination of different answers.