About:blank woes, please help.

Status
Not open for further replies.

Sephirajo

Okay, I've managed to get a version of the about:blank adware on my computer. Since I really don't want to pay 40 bucks for a program that may or may not remove it, I'm at a total loss.

I looked over the how to post in this forum and I'm sure it would work, except I can't restart in safe mode, nor can I do a system restore. The options are there, it's just not working.

A little help please? t____t This is driving me insane.

I have a copy of my HijackThis file here, any help, any help at all would make me very, very grateful.
 
1) Move HJT away from the desktop (see my signature).
2) You need to remove either Norton or Avast, you can't have 2 AVs at the same time. Avast does not seem to be complete.

Boot in Safe Mode. (if you can't, do it in Normal Mode).
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

winampa.exe
tgcmd.exe
ipyf.exe
sysax32.exe
qtspnlz.exe
EbatesMoeMoneyMaker0.exe

Next, UNinstall anything to do with:
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\Program Files\support.com\bin\tgcmd.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
C:\Program Files\Winamp\winampa.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\ipyf.exe
C:\WINDOWS\system32\sysax32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjgvk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tjgvk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tjgvk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjgvk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tjgvk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tjgvk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8C2B313B-0038-177E-6D7E-FA538BD46D1C} - C:\WINDOWS\ipkg.dll
O2 - BHO: (no name) - {B32B105D-2FED-6EFA-3683-23669852C7D7} - C:\WINDOWS\ipkg.dll
O4 - HKLM\..\Run: [ecusvxod] C:\WINDOWS\System32\qtspnlz.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ipyf.exe] C:\WINDOWS\ipyf.exe
O4 - Global Startup: Configuration & Monitor Utility.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
Tick-mark ALL of these: O16 - DPF:
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sysax32.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Now click on the Fix Checked button in HJT.
When done, delete the highlighted bold files. When a directory-name is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Boot normal. When all OK, switch System Restore back on.
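
The kind of triage applied to the log above, as an added example that is not part of the original post and is not HijackThis's own logic: a small Python pass that flags log entries for review. The rules are assumed heuristics drawn from the patterns visible in this log, and the sample mixes lines quoted above with one constructed benign entry (ExampleApp).

```python
import re

# Sample input: four entries quoted from the log above, plus one constructed
# benign autorun (ExampleApp) to show an entry that no rule flags.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjgvk.dll/sp.html#12345
O2 - BHO: (no name) - {8C2B313B-0038-177E-6D7E-FA538BD46D1C} - C:\WINDOWS\ipkg.dll
O4 - HKLM\..\Run: [ecusvxod] C:\WINDOWS\System32\qtspnlz.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")            # "<code> - <body>"
SYSDIR_EXE = re.compile(r"C:\\WINDOWS\\(system32\\)?[^\\]+\.exe", re.I)
ROOT_DLL = re.compile(r"C:\\WINDOWS\\[^\\]+\.dll", re.I)

def triage(log_text):
    """Return (code, reason, line) for every entry worth a closer look.

    Heuristics only (assumptions of this example): a flagged entry still
    needs a human to confirm it before anything is fixed or deleted.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        reasons = []
        if code in ("R0", "R1") and "= res://" in body:
            reasons.append("IE setting points at a resource inside a local DLL")
        if code == "O2" and "(no name)" in body and ROOT_DLL.search(body):
            reasons.append("unnamed BHO loaded from the Windows directory")
        if code == "O4" and SYSDIR_EXE.search(body):
            reasons.append("autorun executable sits directly in a system directory")
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service binary has no company name")
        if body.endswith("(file missing)"):
            reasons.append("orphaned entry, target file missing")
        findings.extend((code, reason, line) for reason in reasons)
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {line}")
```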
 
Okay, problem with that. We've never been able to remove Norton antivirus, it doesn't show up on the uninstaller or anything. Also, though I found a program that stopped the about:blank hijacking, different programs are still running strangely. Like AIM refuses to function.

And, we haven't been able to boot up the computer in safe mode, no matter what we tried... it just keeps going back to the screen where you pick how you want to boot up the computer.
 
Do the same as what you did, when you ran HJT. You got the HJT-log, so it must work somehow...

If you know how to, use Notepad and edit the file 'c:\boot.ini' and change the line
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows ...." /fastdetect
into
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows ...." /safeboot

Save boot.ini and reboot. That should force the PC into Safe Mode.
When you are done with your HJT-stuff, reverse the above.

You may have to change the read-only file-attribute for 'boot.ini', using either
attrib -r c:\boot.ini or in Explorer rightclick boot.ini, select Properties and UNtick the Readonly box.
 
Okay, I was able to remove Norton (finally) and though I couldn't boot in safe mode, this is my fiancee's computer, so editing of files like that is totally up to him, I did stop the listed processes and run HijackThis. It fixed my problems with AIM and some other ones, but for some reason IE is still opening up on start up. Any way to stop that?

Thanks so much for your help!
 
Click on Start/Run and type in msconfig and click OK.
Select the Startup tab and see if IE is mentioned in there. If yes, UNtick it, click on Apply, exit the program and reboot. Should be gone now, but report it here, so we can help you remove it permanently.

Also click on Start/(All) Programs and put the mouse cursor on Startup to see if IE is in there. If so, right-click it and select Delete, confirm that and you are done.

Are you sure you press the F8 button at the right time to get into Safe Mode? It is easy to miss!
 