
cant shake cws searchx


Name: seanbue
Date: October 14, 2004 at 06:29:05 Pacific
OS: win 2k
CPU/Ram: pent 3/ 512
Comment:

I have been combing the forums for about a month and nothing seems to work. I always get about:blank as my homepage. I am running win2000 and have everything up to date. I have uninstalled java and today ran this gamut of programs in the effort of killing this trojan (all have been updated):
1) rebooted to safe mode with no networking even disconnected the modem
2) Ran CWS shredder (it found nothing)
3) Ran spybot (found a dso exploit)
4) ran adaware (it found various things)
5) Rebooted
6) Ran spyware blaster

After all that, about:blank and its popups came back again. I don't have an appinit file in my registry. I am including the log from HijackThis.

Logfile of HijackThis v1.98.2
Scan saved at 8:23:14 AM, on 10/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\apifw32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\system32\CTHELPER.exe
C:\WINNT\system32\javacg32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\l?gonui.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\pillage\cws killer\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\gyunx.dll/sp.html#37794
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gyunx.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\gyunx.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\gyunx.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gyunx.dll/sp.html#37794
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\gyunx.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\gyunx.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {2283D4D8-2E43-181C-E124-1D1BD8F264D6} - C:\WINNT\msav.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [javacg32.exe] C:\WINNT\system32\javacg32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Ssha] C:\Documents and Settings\vonb\Application Data\z????i.exe
O4 - HKCU\..\Run: [Oaf] C:\WINNT\system32\l?gonui.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

Any help would be great. I am at a loss as to what to do at this point.
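An added example, not part of the original post or of HijackThis itself: a small triage pass over a HijackThis-style log that pulls out the entry types a reviewer would usually check first in a log like the one above. The three heuristics are assumptions of this example (an IE search or start page set to a `res://` URL inside a DLL, a BHO listed as `(no name)`, and a Run entry whose program path contains `?`, a character Windows file names cannot hold, so it marks a character the log could not render). A hit is a lead for review, not a verdict.

```python
import re

# Lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\gyunx.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2283D4D8-2E43-181C-E124-1D1BD8F264D6} - C:\WINNT\msav.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Ssha] C:\Documents and Settings\vonb\Application Data\z????i.exe
O4 - HKCU\..\Run: [Oaf] C:\WINNT\system32\l?gonui.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "R1 - ...", "O4 - ..."
RES_URL = re.compile(r"=\s*res://(.+?\.dll)/", re.I)      # value served from inside a DLL
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(.*?)\] (.+)$")


def triage(log_text):
    """Return (kind, target, log_line) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list, or blank line
        section, body = m.groups()
        if section in ("R0", "R1"):
            res = RES_URL.search(body)
            if res:
                findings.append(("res-url", res.group(1), line))
        elif section == "O2":
            bho = BHO.match(body)
            if bho and bho.group(1) == "(no name)":
                findings.append(("unnamed-bho", bho.group(3), line))
        elif section == "O4":
            run = RUN.match(body)
            # Look only at the program path, not at switches such as "/?".
            if run and "?" in re.split(r"\.exe", run.group(2), flags=re.I)[0]:
                findings.append(("masked-run-path", run.group(2), line))
    return findings


if __name__ == "__main__":
    for kind, target, _line in triage(SAMPLE_LOG):
        print(f"{kind:16} {target}")
```
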





Response Number 1
Name: OtheHill
Date: October 14, 2004 at 10:55:29 Pacific
Reply:

Go to the link below for detailed instructions on how to remove about blank.
Go to the site listed below for detailed info on how to remove about blank.
http://www.spywareinfo.com/~merijn/cwschronicles.html#aboutblank
Delete all windows temp files and temporary internet files prior to performing those instructions.



0

Response Number 2
Name: seanbue
Date: October 14, 2004 at 19:19:51 Pacific
Reply:

I have followed the instructions from merijn concerning CWS. I have swept my computer with a variety of software to kill this but nothing lasts. I have a good feel for computers and have some skills but perhaps I just am not getting what I need to do. I think that I have killed the DLL and the BHO by using various spyware removal tools (which may not actually be removing them). I am most concerned with the filters in the registry. Other sites have indicated that there is an appinit.dll (or something like that); my computer doesn't have that file in the registry. Please advise, I am not sure what else to do other than format the hard drive. I want to avoid that. Thanks for any help.


0

Response Number 3
Name: OtheHill
Date: October 14, 2004 at 20:05:22 Pacific
Reply:

Try downloading and using Regcleaner 4.3. Find it here: http://www.worldstart.com/weekly-download/archives/reg-cleaner4.3.htm


0

Response Number 4
Name: Mechanix2Go
Date: October 15, 2004 at 00:35:39 Pacific
Reply:

Try this,

With win explorer set to not hide anything, go to c: and search for *.* , sort by date and scroll to about the time you got this bug.

Write 'em down.

I did this about a week ago for a client who had caught isearchUSA.

Sure enough, there were six exe files all created at the time of infection.

Two gotchas: the trojan which created the nasty files may NOT have used the PC date & time.

All but two were deleted with windows running. To get the others, I booted in DOS.

Note that if you use SHIFT-DEL they won't go to recycle bin to come back and haunt you.

[yeah, yeah, there's no such thing as DOS. I booted on a DOS CD, as this laptop had no floppy drive.]

When I get this far, I run FixIt regcleaner and it deletes the keys for which the exe files no longer exist.


HTH

M2


0
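The sort-by-date search described in the reply above, as an added example that is not part of the original post: it walks a directory tree and lists files whose timestamps fall within a window around a chosen moment, nearest first. The function name, the 30-minute default window and the use of both `st_mtime` and `st_ctime` (creation time on Windows, inode-change time elsewhere) are assumptions of this example. As the reply warns, a file's timestamps may not reflect the real clock, so the result is a list of candidates to write down and check, not a complete inventory.

```python
import os
import sys
import time


def files_near(root, pivot, window_s=1800):
    """Return (path, seconds_from_pivot) for files stamped near `pivot`.

    `pivot` is an epoch time, e.g. when the problem first appeared or the
    timestamp of a file already known to belong to the infection.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked, vanished, or unreadable: skip it
            # Use whichever timestamp is closer to the pivot.
            delta = min(abs(st.st_mtime - pivot), abs(st.st_ctime - pivot))
            if delta <= window_s:
                hits.append((path, round(delta)))
    # Nearest to the pivot first, path as tie-breaker for stable output.
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    # Usage: script.py <root> <known_file>
    # The known file's modification time is used as the pivot.
    root, known = sys.argv[1], sys.argv[2]
    pivot = os.stat(known).st_mtime
    print("pivot:", time.ctime(pivot))
    for path, delta in files_near(root, pivot):
        print(f"{delta:6d}s  {path}")
```
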
