
About:Blank homepage ...

Ohhhhhhhhhh
Newbie Poster

  #1  
Apr 25th, 2004
Hey, I run HijackThis and removed what I've been told before .. and it works great until I reboot my computer, it's all back!

Anyways, after running HijackThis and removing the files, I also run adware and I also run CWShredder, everything seems to work great .. I also delete all of my cookies and clear IE 6's history!

As soon as I reboot, about:Blank is set back as my homepage.

Anyways, here's what I get after running HijackThis ...

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Free Surfer\fs20.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\SIMONG~1\LOCALS~1\Temp\Rar$EX00.422\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ecmdca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {CF960536-98BA-40AD-A2E2-1BC8763B6920} - C:\WINDOWS\System32\ecmdca.dll
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -


Any help would be great ! Thanks

crunchie
Moderator

  #2  
Apr 25th, 2004
This was written by Mosaic 1, a security expert on another forum. Follow instructions exactly. At the moment there is no easy way.

Get the latest CWShredder from this page. Do not run it yet:
CWShredder

Download TheKillbox from this link: here.
------------------
Sign off the internet.
Run CWShredder and press the fix Button to clean.


Stay off the internet!
Step Two:
Remove the reinstaller:
Go to start>Run and type regedit. Press enter.

Navigate to:
Open the registry and navigate here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Highlight Windows in the left pane.

Look in the right pane for this value:
AppInit_Dlls

You won't see any data there.

But if you right click on that and choose Modify Binary Data you will.

If nothing is there it should just show a few 0's.

But if they are hiding a dll they load to reinstall, it will show a path to it.


----------------------------
This is how one looks when there is only one file loading.
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...

Notice on the far right. You want to look there. It looks funny because of all of the periods.

Look closely and you'll see the path and file name here was:
Windows\system32\mskkg.dll

This was the example. Yours will have its own file name. This is not the same file as you are seeing in your HijackThis log. Get its name the same as I just described.
--------------

Once you have the filename unzip TheKillBox and run it.

In the "Paste Full Path of File to Delete" box, copy and paste the following:

c:\windows\system32\filename

Where filename is what you found as the filename in the appinit_dlls key in the registry.

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The c:\Windows\system32\filename listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot. Restart the Computer.

When you get back into Windows reset your Search and Home pages.

Look in the registry and remove the entry which should now be clearly visible and no longer hidden.


This last part and removing the AppInit_Dlls entry and its corresponding file is removing the reinstaller. So you do not get reinfected. Do not go on the internet until you have performed all of the steps.
--------------------------------
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster

Please do not PM me for help, (I will ignore you if you do). Instead, post in the public forum where others may benefit.
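
The hex dump in the post above can be decoded mechanically. This is an added example, not part of the original post or Mosaic1's instructions: it parses the dump exactly as quoted and decodes it as UTF-16LE, showing that the value begins with a 00 00 unit (so a view that stops at the first NUL shows nothing) while the file path sits behind it. The function names `parse_dump` and `analyse` are made up for this illustration.

```python
import re

# Hex dump copied from the post above (regedit "Modify Binary Data" view).
DUMP = r"""
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_dump(dump, per_row=8):
    """Collect the byte columns of 'offset b0 b1 ... ascii' rows."""
    data = bytearray()
    for line in dump.strip().splitlines():
        row = []
        for tok in line.split()[1:]:            # skip the offset column
            if len(row) == per_row or not HEX_BYTE.match(tok):
                break                           # reached the ASCII column
            row.append(int(tok, 16))
        data.extend(row)
    return bytes(data)


def analyse(data):
    """Compare what a string view shows with what the value really holds."""
    text = data[: len(data) & ~1].decode("utf-16-le", errors="replace")
    shown = text.split("\x00", 1)[0]            # a string view stops at the first NUL
    segments = [s for s in text.split("\x00") if s]
    return {"shown": shown, "segments": segments,
            "hidden": segments != ([shown] if shown else [])}


if __name__ == "__main__":
    result = analyse(parse_dump(DUMP))
    print("string view shows:", repr(result["shown"]))
    for seg in result["segments"]:
        print("recovered text   :", seg)
    print("hidden content   :", result["hidden"])
```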
 
Ohhhhhhhhhh
Newbie Poster

  #3  
Apr 26th, 2004
Hey Crunchie!

Thanks a lot -- I did what you told me and I rebooted my computer and it's now set to whatever I wanted!

Thanks again, this experience was just so damn frustrating!!
Anyways take care buddy!
 
crunchie
Moderator

  #4  
Apr 26th, 2004
Thanx to Mosaic1. Cheers.

autorep
Newbie Poster
Help If you still have problems after all this

  #5  
May 19th, 2004
I figured I would drop a short note, as none of the above referenced suggestions would help me this go around. Between Norton Antivirus & Firewall, CWShredder, Spybot Search & Destroy, and Hijack This (all good programs) I could not fix this problem this time. My homepage would still revert back to the about:blank search page no matter what I did! After fooling around with my computer for nearly 4 hours, I finally fixed it by logging in as the administrator under safe mode and running the CWShredder, man that program is awesome (thanks Merijn)! Normally, my anti-virus would pick up everything under safe mode, or CWShredder would normally pick up everything in regular Windows operation, but not this time, my home page would still revert back to the about:blank. So I guess the virus coming in would affect even at the administrator level.

Anyway, hope that helps someone. I swear these viruses are getting more and more nasty! They seem to start spoofing or blocking themselves from being detected by my anti-virus and even start controlling it, like keeping my Live update from working and stopping from detecting viruses as well! It's getting harder and harder to stop the attacks! Thinking about getting a Mac instead!! LOL. Either that or stay away from the porn sites!!!
 
DMR
Colleague

  #6  
May 19th, 2004
Originally Posted by autorep
Thinking about getting a Mac instead!!

Bah! - just install Linux on your PC. :mrgreen:

Actually, just switching to a browser other than IE will protect you from a lot of this stuff if you need to stick with Windows.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing


Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
 
crunchie
Moderator

  #7  
Jun 13th, 2004
Originally Posted by frustrated
Hi, my homepage has been set to about:blank and every time I tried to fix the problem with CWShredder, it comes back every time I restart the computer.

Splitting out your post to its own thread so that you can receive better assistance

http://www.daniweb.com/techtalkforums/thread6943.html

happyguy
Newbie Poster

  #8  
Jun 15th, 2004
about:blank trojan removed!
(aka HomeOldSP hijacker)

I tried most adware programs to no avail.
The wicked pest kept returning.
Now I am happy to report that there is a cure:
Adware Away.
It is as easy as pie to use.
The about:blank trojan was killed in minutes.

Click "more" on Adware Away's menu.
Icons with names of various hijackers are displayed.
Click on those bothering you, and they're gone!!

In fact it also trashed
CoolWebSearch, Lycos SideSearch and IstBar -
trojans I didn't even know I had. All I can say,
"Adware Away is FANTASTIC".

www.AdwareAway.com
 
DMR
Colleague

  #9  
Jun 15th, 2004
Originally Posted by happyguy
Now I am happy to report that there is a cure:
Adware Away.

Which is, unfortunately, only a 5-day trial; after that you have to buy it. Funny that you'll find no mention of the fact that the trial is a download unless you dig to the bottom of their FAQ... :rolleyes:

crunchie
Moderator

  #10  
Jun 16th, 2004
Originally Posted by kuelze
I have or possibly had the about:BLANK malware problem. I took a lot of actions getting rid of the malware BHO dll that puts the keys in the register and loads the SP.HTML page but I could not figure out how to find the malware dll that installs the BHO dll until I saw your post. I thought this was the solution so I traced your path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and guess what I don't have a windows under current version. I said oh well and searched the register for appinit_dll keys and guess what-- it has none. Do you have any idea how I could have this malware problem but without the indicators you describe. Earlier today this problem struck--I could not open the Iexplorer and then suddenly it opened at least 10 Iexplorer windows and my firewall router started to blink so fast I thought it was going to bounce off the table. I unplugged it. After unplugging and rebooting I took all the Hijackthis and Adware actions to clean out all possible register entries and delete the DHO dll. I plugged back in the router and have been working okay since then (8 hr's ago). I am wondering that by unplugging and re-plugging my router the router will assign new local IP addresses on my LAN and this prevents the Malware from accessing the computer which had the malware problem. Any ideas on this or any other way I can find the hidden malware dll.


Have split out your post to its own thread.