Hi

i have the About blank problem and although i have looked at all the previous removal threads i am still going around in circles....

please find below my Hijack this log file...

Logfile of HijackThis v1.99.1
Scan saved at 15:58:57, on 13/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\msole32.exe
C:\WINNT\system32\shnlog.exe
C:\WINNT\system32\intmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ccreasey\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp2ED9.tmp
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe

Please help..many thanks

Hello,scudon & Welcome

First

Please change the location of HijackThis.exe.
Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

msole32.exe
shnlog.exe
popuper.exe
intmonp.exe
intmon.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Security iGuard

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/

O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp2ED9.tmp

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following files\folders IF still present:
C:\Program Files\Security iGuard\<---This folder
C:\WINDOWS\System32\msole32.exe<---This file
C:\WINDOWS\System32\shnlog.exe<---This file
C:\WINDOWS\popuper.exe<---This file
C:\WINDOWS\System32\intmonp.exe<---This file
C:\WINDOWS\System32\intmon.exe<---This file
C:\WINDOWS\System32\hp76E5.tmp<---This file

Then reboot do this here

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: DelDomains.inf
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DellDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

once done with all of the above till us how it is
& show us new logfile.

just like to add we may need to do this all over again not
all of the logfile was posted.

HGD

Many thanks...Will do all that you say and return wth logfile. My problem is that to gain access to the laptop in safe mode it does not offer me the same login domain so i have to go in as administrator of which i do not know the password?!?!?!? i wil be able to get his from work on Monday.

ori sthere anyway of gaining access without the admin password?

Thanks very much.

i have tried to delete the files C:\WINNT\system32\shnlog.exe and C:\WINNT\system32\intmon.exe but everytime i do this it immediately puts them back

All the other files where deleted and/or where not there.

Help!!!

thanks

Scudon

Ok did all that and now have this in the logfile

Logfile of HijackThis v1.99.0
Scan saved at 22:37:44, on 14/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\msole32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.wdpr.disney.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.wdpr.disney.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.wdpr.disney.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe

i appear now to not have the about blank on the internet.

Is there anything else i should do now.

many thanks

Scudon

Hi,scudon

Yes you did not post a full logfile we need
to see all of it so please run a new scan
& show us all of the logfile so we can move on.

HGD

Many thanks for your response.

Please find my log file for your attention.

Logfile of HijackThis v1.99.0
Scan saved at 10:52:00, on 15/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.wdpr.disney.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.wdpr.disney.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.wdpr.disney.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe

this is it........when i was originally trying to get rid of this about blank i followed your previous threads and decided to delete all the items in the scan out of desperation.

i have checked the WINNT\System32 and the only file i can not delete is the msole32.exe. it says access denied or file in use.

I have also downloaded your other files and performed cleanups and so on.

many thanks

Scudon

Hi,scudon

Try this here tell me if it is any help to you

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it

C:\WINNT\system32\msole32.exe

For this file, put a mark next to "Delete on Reboot". Copy and paste the file into the file name box, then click the red button with the X . It will ask you if you want to reboot answer YES

If your computer does not restart automatically, please restart it manually.

HGD