Greetings all,

I have a small problem with about:blank. I have stopped the homepage switch problem, but whenever I log off of Internet Explorer, a second window (which is blank) which is titled about:blank closes also. This window does not appear until I log off.

I am using Spybot, Spy Sweeper and adAware. I have and have used HiJackthis, Taskinfo, Killbox and CWS shredder. If I understand it correctly, everthing in Taskinfo (when I'm in IE) is accounted for. It's just this silly page that pops up.

Any suggestions for a flustered female???

Thanks in advance

Welcome to the PC Guide forums!

Where did you have the HJT log analyzed?
There are programs specifically for about:blank problems, but I would wait for Budfred, David Eaton or other expert here before directing you to use one.

Thanks PrntRhd.

I have read a lot of the logs about finding and fixing the problem using HJT. After that, it seemed pretty easy (I think) to isolate the dll causing the problem. Maybe I'm mistaken and I'll wait for the others to offer their help.

thanks again!

The best thing to do is post a fresh HJT log and wait for the experts to view it before fixing anything. Some of the malware is capable of morphing and coming back, sometimes it has to be removed in a particular order. Start by describing the symptom and post a complete log here.

If you only need "Simple help" with an about:blank infection, it will be one of the first times I have seen that... As was already said, a HJT log would be helpful to figure out what else might need to be done... Please also provide as much detail about what you already did as possible... The more we know about the problem and what you have done to address it, the more likely we can help....

Hi Budfred,
Thanks for the response. I'll be happy to post you my HJT log...uh..how do I do that? There is probably an easier way then typing out all the lines, right? I am a bit green.
What I basically did was used a routine, which you may have posted for someone else, a few months ago. I cleaned everything with WinWasher, Spybot and Spyware Sweeper. Also used CWS shredder. I then used HJT to locate several HKCU lines which contained about:blank in the script. I deleted those and everything is working great. My computer is faster and zings!! My homepage is no longer hijacked and I can access the Internet (home modem) very quickly now.

However, whenever I log off of the Internet (I use IE), a second window appears which is titled about:blank and closes also. I downloaded Taskinfo, engaged IE and checked the tasks based on company. All tasks were accounted for (Windows, Norton, spysweeper, etc). There were no tasks just dangling out there with no company I didn't recognize. I also tried Firefox as a browser and did not have the second page appear, but I prefer IE.

I'm trying to give you as much info as I can and, being a little green on the PC, I may not have all the terminology right. But I will be happy to post my HJT log (if you can tell me how to do that).

Thanks again for your assistance, you are very kind.
Susan

First, don't run HJT from within a zip file. If you still have it in a zip file, extract it from that to a permanent folder (your desktop is fine). Then run the scan. After scanning, the Scan Button has a new Caption. Save Log. Click the Save Log button to create a file named Hijackthis.log. A dialog box will pop up. Use it to select the location where you will save the log. Close the program. Return to the Forum and reply to your original post. Open the Log in Notepad. Highlight the entire contents. Copy and paste the contents of the HijackThis log into your post. Wait for help.

How to copy and paste:

Open the text file. Go to the Toolbar of your text editor, Notepad for example and click Edit. Move the mouse down to Select All and click on Select All to highlight the text. Go back to Edit again and move the mouse down to Copy. Click Copy. Go to the Forum and reply to your original post. When the page opens, click on an empty space in the reply window with your mouse to set focus for the paste operation. Finally, hold down the Ctrl button and click the letter v on the keyboard to paste the text into your post.

(http://www.tomcoyote.org/hjt/)

Hi Pentachris,

Well, duuuh! I should have realized it was this easy. I did indeed extract the HJT to its own folder and do have the log saved. Unfortunately, I'm not at my home PC right now, but will post it when I return.

Thanks for the helping hand!

Hi all you really helpful people...here's my log:

Logfile of HijackThis v1.99.0
Scan saved at 5:27:45 AM, on 4/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\MY DOCUMENTS\HTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=search&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://compaq.my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Tour] C:\WINDOWS\wincool.exe /30m
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - [url]http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409[/url] (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - [url]http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409[/url] (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - [url]http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409[/url] (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - [url]http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409[/url] (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - [url]http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409[/url] (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - [url]http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409[/url] (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - [url]http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409[/url] (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - [url]http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409[/url] (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]

YAY!! it worked!!

Thanks...in advance

Your log looks clean... This could be the problem in that it suggests that you have an ICQ process loading and running whenever you are online... Is that intentional??

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL

You are one version behind on HJT, but that probably doesn't make a difference in this case... If you do need to run it again, it should be 1.99.1...

Hi Budfred,

Thanks for looking me over and giving me a "bascially" clean bill of health. As for the ICQ thing, I'll check and see what that's all about.

I keep the spyware and adaware programs pretty up to date so I guess I'm protected.

Any suggestions as to why that page appears when I log off?? Like I said, the window is titled about:blank but has nothing on it and then disappears in about three seconds as soon as my connection is severed.

Thanks again for your time,
Susie

And to all of you that replied..you are wonderful

What I was trying to say in my last post is that I suspect that the ICQ thing is what is causing the window to open... I don't know enough about ICQ to know for sure, but I think it is a good possibility... You could fix that item and see if the problem persists...

Hi Budfred,

LAUGH! Yes, I understood what you meant. I took ICQ off quite a while ago so this must be some kind of straggler. I'll remove it and see what happens.

You've been a fantastic help!!
Thanks again.

(by the way...I'm also thinking of adding memory to my PC...Compaq presario...where should I go to post a thread about this??)

I can answer that one, post it into Buying Advice, also post the make/model of the PC so members can search for appropriate RAM.
:)

Hi PrntRhd,

You guys are so fantastic!! Thanks again!

Susan