sights0d

Has ANYONE ever gotten rid of about:blank?

93 posts in this topic

I've been all over the net looking and NO ONE seems to have ever gotten rid of the About:Blank hijack. There don't seem to be ANY tools which successfully remove it. I've posted at least three threads here and no one except for idiots in the same boat as me has posted in them.

 

I've successfully removed it three times... only to have it show up after about 4-5 reboots. Does ANYONE know what to do aside from either :techsupport: this machine or wipe it clean? It's REALLY driving me nuts and whoever created this VIRUS needs to be flogged to death or injected full of flesh-eating bacteria.

 

Anyone?

 

Here's my log... for all the good it'll do...

Logfile of HijackThis v1.97.7
Scan saved at 11:50:33 PM, on 6/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\WINDOWS\SYSTEM\SAIMON.EXE
C:\PROGRAM FILES\SAITEK\SOFTWARE\PROFILER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\NEW FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B0DBC223-C613-11D8-8AE8-0050D2DE99DF} - C:\WINDOWS\SYSTEM\BHOJ.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [sAIMON] C:\WINDOWS\SYSTEM\SaiMon.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [saiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7945.8447337963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

----------
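The log above is the artifact the whole thread works from, so here is the triage a reviewer does on it by hand, written as a script. This is an added example, not part of sights0d's post and not HijackThis code. It reads the Rn/On entry format shown in the log and applies three checks: R0/R1 search or start pages pointing at a local file:// URL in a temp directory, the HomeOldSP = about:blank marker, and O2 BHOs listed as "(no name)" and loaded from the Windows system directory. SAMPLE_LOG is constructed from lines that appear in the log above; the rules and the function names are mine.

```python
"""Flag about:blank hijack indicators in a HijackThis log.

Added example: not part of the forum post and not HijackThis code. The checks
below encode what the thread's reviewers look for by eye in R0/R1 and O2 lines.
"""
import re

# Every HijackThis finding line looks like "R1 - <body>" or "O2 - <body>".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Yield (kind, body) for every Rn/On line in a HijackThis log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def flag_entries(text):
    """Return [(kind, reason, body)] for entries matching the hijack pattern."""
    findings = []
    for kind, body in parse_hjt(text):
        low = body.lower()
        if kind in ("R0", "R1"):
            # IE search/start pages redirected to a local HTML file in a temp dir
            if "= file://" in low and "\\temp\\" in low:
                findings.append((kind, "IE search/start page points at a local file in a temp dir", body))
            elif low.endswith("= about:blank"):
                findings.append((kind, "about:blank set as a home/search page", body))
        elif kind == "O2":
            # O2 body looks like: BHO: <name> - {CLSID} - <dll path>
            parts = [p.strip() for p in body.split(" - ")]
            if len(parts) >= 3:
                name = parts[0][len("BHO: "):] if parts[0].startswith("BHO: ") else parts[0]
                path = parts[-1]
                if name.lower() == "(no name)" and "\\system" in path.lower():
                    findings.append((kind, "unnamed BHO loaded from the system directory", body))
    return findings


def suspect_files(text):
    """Collect the on-disk files behind the flagged entries (what to rename or delete)."""
    files = set()
    for kind, _reason, body in flag_entries(text):
        m = re.search(r"= file://(.+)$", body)
        if m:
            files.add(m.group(1).strip())
        elif kind == "O2":
            files.add(body.split(" - ")[-1].strip())
    return files


# Constructed sample: a subset of the lines from the log in the post above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B0DBC223-C613-11D8-8AE8-0050D2DE99DF} - C:\WINDOWS\SYSTEM\BHOJ.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

if __name__ == "__main__":
    for kind, reason, body in flag_entries(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
    print("files to rename or delete:", sorted(suspect_files(SAMPLE_LOG)))
```

Run against the full log it reports the six R0/R1 redirects to sp.html, the HomeOldSP marker and the unnamed BHO in C:\WINDOWS\SYSTEM, and names the two files (sp.html and BHOJ.DLL) that the later posts spend the thread trying to remove. The "(no name)" plus system-directory rule is a heuristic, not proof: confirm a hit with a scanner before deleting anything.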

I had the same problem in Win 98. Please take a look at my solution here.

 

It might work for you too. Hope so.

 

BobO

----------

No I'm not at all sure that CWSearchx and the about:blank hijack are one and the same in all situations. This thing seems to have a huge number of mutations.

 

But the symptoms on my machine, which recurred again and again, were

 

1. browser home page reassigned to about:blank

2. about:blank redirected to c:\windows\temp\sp.html

3. mysterious, gibberish-named .dll created in c:\windows\system folder

4. popups galore

 

If this sounds like you, then my experience might be helpful. I sure hope so. Good luck!

 

BobO

 

EDIT: Oh yeah, I forgot to mention that HijackThis would always find a number of registry changes and new assignments to BHOs etc. I don't have any of my old HijackThis logs or I could be more specific. But what the hell, you get the idea.

 

And they're all gone, so far a day and a half. I'm hanging in there...

Edited by BobO

----------

Yes it works -- and so I made a step-by-step guide on how to do it:

 

Here Is A Fix For Windows 98

 

but I don't know if it works *outside* of Win 98... still, it should provide plenty of clues for people working on a one-size-fits-all fix.

 

If you're still having problems yourself, give it a try and let me know how it works out.

 

Thanks!

----------

YEEHAH!!! THIS KICKS BUTT!!! (And about:this!)

 

It works! (so far)

 

I'm about to try it on another machine with XP. I'll let you know how it works.

 

YOU ARE THE MAN, BobO!

----------

Pinned - but note that it may not work for everyone. However it is certainly worth a try and appears to be perfectly safe.

 

Make sure your Ad-Aware is updated.

----------

I am using XP and getting hijacked as I try to add these comments. I tried these instructions but did not find a .dll within windows\system or windows\system32. I'm encouraged that fixes are being found, so I'll post my hijack this log soon and hope for the best!

 

MW

----------

First off, a big THANK YOU to all who assist here. After much research (and some much needed education!) I was able to remove CWSsearchx (WinXP SP1).

I found a solution at:

 

Computing.net

 

that instructs how to remove the hidden value in the registry key that keeps reloading this dang thing. This process along with a good dose of AdAware, AboutBuster, CWShredder & HijackThis have me running malware free!

 

Being new to all this malware removal I don't know if the above will work for anyone else but I wanted to share my success. Again, thanks to all at Spywareinfo for providing much needed service and info to help beat these baddies!

----------

Okay, I tried to [basically] follow your steps on my infected WinXP machine.

 

I did, in fact, find a funny .dll that was the size of 30 KB (it was hidden and loaded). I renamed it and scanned it (due to the fact it was loaded it was not deletable) and Ad-Aware quickly red-flagged it.

 

 

I marked it to be deleted upon reboot before it was loaded.

 

 

Soon as I got all booted up I ran Spybot...which I ran before the boot too...but this time it found 32 problems opposed to the 0 it found last time. HijackThis reported none of the files I have been seeing and Ad-Aware reported no files.

 

The fact that my spy removal programs seem to be working again looks to be a plus...

 

but...

 

I still get redirected when I do an address bar search....so I am skeptical...

 

 

 

I was really wondering if, even after you fixed the problem on your 98 machine, if you still got redirected?

:wtf::techsupport:

----------

The problem was entirely cured in Win 98 -- no redirects, popups, or anything.

 

But WinXP is a completely different operating system than 98, sorry to say.

 

One thing I can suggest is this: reboot into Command Line Safe Mode, navigate to \Windows\System32, and type dir *.dll | more. You will get a page-by-page readout of all the dlls in that folder, along with their date and size. Write down all the dlls that have a size of exactly 57,344 bytes (there are a number of them). If you find one with a weird name, and a date within May or June 2004, it is suspect. Rename it, reboot Windows into Safe Mode, and scan it with Adaware. If it's harmless, rename it back.

 

Same thing with your \Windows\System directory. See if you can locate the file outside of Windows using good old DOS.

 

If you've done all this, and the problems keep coming back, I can only suggest you start a new thread and post your latest log there.

 

Best of luck,

BobO

----------

Lennme posted a solution different from BobO on the page 1 of this thread.

here it is:

 

"This worked for me:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

 

You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.

 

The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.

 

1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.

2. Now delete the AppInit_DLLs key under the Windows2 folder.

3. Hit F5 and notice that AppInit_DLLs doesn't come back.

4. Rename the Windows2 folder back to Windows.

 

Now that AppInit_DLLs is gone, run the latest Adaware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now."

 

 

THANK YOU very much for your solution posted there. It worked for me (XP with SP1 installed). So the method you posted might be a successful repeatable one!!

 

Mods have a look at this solution!

Edited by goingnuts

----------
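Lennme's recipe above hinges on a value that "may look blank for you, but it is not". The thread does not say how the value is hidden, and regedit is the wrong tool to find out, because it only shows what its string display can render. The following added example (mine, not code from the thread or from any tool it names) decodes an AppInit_DLLs value from a regedit export file instead of trusting the displayed text. It assumes one way such a value can display as blank: a REG_SZ whose data starts with a NUL character, which the Win32 string APIs treat as the end of the string, and which regedit therefore exports in its hex(1): byte form rather than as a quoted string. The sample export and the DLL path in it are constructed.

```python
"""Decode AppInit_DLLs from a regedit export instead of trusting what regedit shows.

Added example, not from the thread. Assumption: a REG_SZ that begins with a NUL
displays as "" in regedit and is exported as hex(1): UTF-16LE bytes. This parser
decodes those bytes in full and separates what regedit would display from what
follows the first NUL.
"""
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def _join_continuations(lines):
    """Regedit wraps long hex data with a trailing ',\\' and a two-space indent."""
    out, buf = [], ""
    for line in lines:
        line = line.rstrip("\r\n")
        if buf:
            line = buf + line.lstrip()
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        out.append(line)
    if buf:
        out.append(buf)
    return out


def parse_reg_values(reg_text, key):
    """Return {value_name: (kind, data)} for the values under `key`.
    kind is 'sz' with the unescaped string, or 'hex' with (type_number, bytes)."""
    values, in_key = {}, False
    for line in _join_continuations(reg_text.splitlines()):
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
            continue
        if not in_key or not line.startswith('"'):
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue
        name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        data = m.group(2)
        if data.startswith('"'):
            values[name] = ("sz", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        elif data.startswith("hex"):
            t = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
            typ = int(t.group(1) or 3)           # bare "hex:" is REG_BINARY (3)
            raw = bytes(int(b, 16) for b in t.group(2).split(",") if b)
            values[name] = ("hex", (typ, raw))
    return values


def appinit_report(reg_text):
    """What regedit would display for AppInit_DLLs versus what the bytes contain."""
    kind, data = parse_reg_values(reg_text, KEY).get("AppInit_DLLs", ("missing", None))
    if kind == "sz":
        full = data
    elif kind == "hex" and data[0] == 1:       # hex(1) is REG_SZ as UTF-16LE
        full = data[1].decode("utf-16-le")
    else:
        return {"present": kind != "missing", "displayed": "", "hidden": []}
    parts = full.split("\x00")
    return {
        "present": True,
        "displayed": parts[0],                   # what regedit shows
        "hidden": [p for p in parts[1:] if p],   # text past the first NUL
    }


def to_hex1(s):
    """Encode a string the way regedit exports a REG_SZ as hex(1): UTF-16LE plus NUL."""
    return "hex(1):" + ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le"))


# Constructed sample export: a NUL-prefixed DLL path that regedit would display as "".
SAMPLE_HIDDEN = "\x00C:\\WINDOWS\\SYSTEM32\\qzpxlr.dll"
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{KEY}]",
    '"DeviceNotSelectedTimeout"="15"',
    f'"AppInit_DLLs"={to_hex1(SAMPLE_HIDDEN)}',
    "",
])
SAMPLE_CLEAN = f"[{KEY}]\n\"AppInit_DLLs\"=\"\"\n"

if __name__ == "__main__":
    print(appinit_report(SAMPLE_EXPORT))   # displayed '' but hidden path present
    print(appinit_report(SAMPLE_CLEAN))    # genuinely empty value
```

To use it on a real machine, export the key with regedit (File, Export, or "reg export" on XP) and read the file with encoding "utf-16", since version 5.00 exports are UTF-16LE text. An empty "displayed" with a non-empty "hidden" list is the case Lennme describes; an empty "displayed" with an empty "hidden" list is a genuinely clean value and the rename-delete-rename dance is unnecessary.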

Mine is 100% cured so far. No search page and no pop-ups. I attempted to use this same cure on a friend's XP machine, but he doesn't have the program hook in his msinfo32 page.

 

Anyone have any idea for that? I guess I could scan for all files of 57k... but I imagine there could be dozens.

----------

Thanks to BobO's directions, I've found the offending file (finally!). However, I am running Windows ME on the infected computer -- when I try to rename the file from DOS via Safe Mode, I get a message "duplicate file name or file in use." There is no Command Prompt Safe Mode option in Windows ME that I know of -- all the listed options involve loading part or all of Windows.

 

Does anyone know how to boot directly to the MS-DOS command prompt on a Windows ME-loaded machine so that loading Windows can be avoided but can be retrieved the next time? thanks...

 

ideaphorian

----------

I'm still free of the about:blank but I can't stop the redirecting of the browser search.

 

I searched high and low for any more offending files but I've come up short.

----------

For the record, BobO's solution has (so far - fingers crossed) worked beautifully on my Windows 98SE machine, after some two dozen other tactics had failed over the course of five days!

 

I'm giddy with exhilaration! :bounce:

 

That being said, I'm running SpySweeper now and haven't yet put things to the ultimate test by disabling it for a couple days. Nonetheless, I've found none of the telltale signs that would come back before even while SpySweeper was allegedly guarding things. Although it would keep my homepage and search from changing, the sketchy BHOs and the random .dll files would quickly come back - then about:blank would sneak through sooner or later.

 

For the past 12 hours everything is registering perfectly clean! :D

----------

ideaphorian:

 

I also am running ME, but have been unable to find the offending file using BobO's instructions. I can't find a System Hooks file under Software Environments. Where did you find the offending file?

 

The Fist

----------

Got rid of it!!! on an XP Pro machine

 

:rofl:

 

following the registry key deletion recipe from Lennme.

 

It was confirmed by Windoze Update: I was now able to make an AVG install that I could now complete (it used to stop at 51% saying it could not write to disk).

Ran Ad-Aware, came out clean, then ran AVG (Norton protection off). AVG came up with: C:\WINDOWS\SYSTEM32\RES.DLL Trojan horse BackDoor.Agent.BA

C:\WINDOWS\SYSTEM32\AKNMHE~1.SHI repaired

Don't know if they came first, with it or after, but still Norton never saw them!!!

I'm no longer a Norton fan, that's for sure....

 

Maybe a clever coder could make up an autoexec of some kind for those of us who are not too comfy about messing with registry keys...

 

I'm really pleased with this, a whole bunch of hurrahs for you guys..

Edited by kontrol_1

----------
ideaphorian:

 

I also am running ME, but have been unable to find the offending file using BobO's instructions.  I can't find a System Hooks file under Software Environments.  Where did you find the offending file?

 

The Fist

Fist,

 

I found the offending file by using BobO's instructions about finding the files in MS-DOS: go to the MS-DOS prompt (from Programs -> Accessories), then at the C:\WINDOWS prompt, type cd system, then type dir *.dll|more -- look for files that have 57,344 bytes (lots of them) but that were entered recently (in my case, just one on 6/11/04). Mine's called kbdfnj.dll, but I suspect that the file name might be random.

 

I hope this helps!

 

What's more, I think I've figured out how to get rid of the about:blank problem on Windows ME. I can't try to rename it as BobO suggests using the 'normal' boot options in ME because they do not allow for direct boot into MS-DOS. So I had to create a Windows ME startup disk, then boot up ME using the startup disk. Eventually it allows you to get to a DOS prompt, from which I could follow BobO's instructions. I just re-booted the system after deleting the offending file, but the telltale signs of trouble (error message with msgsrv32 on startup; error message with mmtask at shutdown) have disappeared.... free at last, free at last?!?!?!

Edited by ideaphorian

----------

OSC is going to post the proper fix, but in the meantime you may be able to do it your self via About:Buster

----------

Thanks BobO and goingnuts, it seemed to work on Windows 2000!

 

I've been fighting with this one for days. Yesterday I even deleted too many suspicious-looking registry keys and DLLs so had to reinstall IE.

 

By the way, I'm pretty sure the virus is related to the iSearch toolbar company, at least mine was. My about:blank always started at a screen that looks just like the iSearch website. I found this by opening a DLL or the "local settings\temp\sp.html" in Notepad, I forget which one, then googling "iSearch" and finding the page that looked just like my about:blank. Even after I removed iSearch, its "toolbar.dll", and "sp.html" the virus kept remaking that page until BobO and goingnuts saved the day.

----------

:( Spoke too soon, the evil is back! It hasn't replaced my homepage to "about:blank" yet but it's back to its old tricks....

 

- I got that error message box while shutting down the last time I rebooted.

 

- After rebooting I discovered a new 57,344 byte DLL file in c:\winnt\system32.

 

- I again have "notepad.exe" and "wmplayer.exe" mysteriously reappearing a few seconds after I delete them. A file monitor tool is showing that WINLOGON process is creating them, somehow related to CRYPT32.DLL and maybe WINTRUST.DLL. Or is this unrelated to this virus?

 

- I'm again having trouble downloading files from Internet Explorer.

 

- The "AppInit_DLLs" registry key is *not* back this time. Maybe it's unrelated to my virus.

 

- I don't have the "Local Settings\Temp\sp.html" file yet. I imagine it'll appear when my homepage is reset to "about:blank".

 

The one difference between myself and everyone else is AdAware didn't find the virus after I removed that registry key and deleted the DLL files. I'll work on it some more tomorrow.... Grrr.

----------

Update:

 

I stopped notepad.exe from reappearing. Something copied it into my c:\winnt\dllcache directory 5 days ago, which I didn't even know existed until I did "dir /as". Very tricky... I think that version of notepad.exe contained a copy of the virus so it could spread back after I deleted all the other copies. It might be different on other people's computers so everyone check that directory for recently-created files.

----------
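Two of the manual checks in this thread are really the same scan: BobO's "dir *.dll | more" walk through \Windows\System32 looking for DLLs of exactly 57,344 bytes with a May/June 2004 date (his post further up, which ideaphorian repeated for \Windows\System on ME), and kooderi's check just above for recently created files in the hidden dllcache directory. The script below is an added example, mine and not code from the thread or from any tool it names, that does both with one function and adds the one thing the posters say they were missing: a hash of each hit, so that a DLL that "comes back" under a new random name after a reboot (as several posts report) is recognised as the same file rather than a new mystery. The directory, file names and dates in demo() are constructed; on a real machine you would point find_suspects at C:\WINDOWS\SYSTEM32, C:\WINDOWS\SYSTEM or C:\WINNT\dllcache.

```python
"""Triage a directory for DLLs of a given exact size and recent date, and recognise
the same file when it returns under a new name.

Added example, not from the thread. The 57,344-byte size and the "recent date"
filter are the thread's own criteria; the hashing and the two-scan comparison are
additions. All sample files are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
import time
from datetime import datetime

SUSPECT_SIZE = 57_344  # exact size of the DLLs the thread reports


def sha1_of(path):
    """SHA-1 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspects(directory, size=SUSPECT_SIZE, since=None, suffix=".dll"):
    """Return [(name, size, mtime_iso, sha1)] for files in `directory` whose size is
    exactly `size` and whose modification time is at or after `since` (a datetime,
    or None for no date filter). Results are sorted by name."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not name.lower().endswith(suffix):
            continue
        st = os.stat(path)
        if st.st_size != size:
            continue
        mtime = datetime.fromtimestamp(st.st_mtime)
        if since is not None and mtime < since:
            continue
        hits.append((name, st.st_size, mtime.isoformat(timespec="seconds"), sha1_of(path)))
    return hits


def recurring_hashes(old_hits, new_hits):
    """Hashes present in both scans: the same file has come back, possibly renamed."""
    return sorted({h[3] for h in old_hits} & {h[3] for h in new_hits})


def _make_file(directory, name, size, days_old, fill=b"\x00"):
    """Create a constructed sample file of `size` bytes with an mtime `days_old` days ago."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(fill * size)
    t = time.time() - days_old * 86400
    os.utime(path, (t, t))
    return path


def demo():
    """Build a constructed directory, scan it, simulate the DLL returning renamed, rescan."""
    with tempfile.TemporaryDirectory() as d:
        _make_file(d, "kbdfnj.dll", SUSPECT_SIZE, 3, b"\x41")    # recent, right size: suspect
        _make_file(d, "oldsys.dll", SUSPECT_SIZE, 400, b"\x42")  # right size but old: skipped
        _make_file(d, "res.dll", 30_000, 2)                       # recent but a different size
        _make_file(d, "notes.txt", SUSPECT_SIZE, 1)               # right size but not a DLL
        since = datetime.fromtimestamp(time.time() - 30 * 86400)
        first = find_suspects(d, since=since)
        # The trojan returns after a reboot under another random name, same bytes.
        os.remove(os.path.join(d, "kbdfnj.dll"))
        _make_file(d, "qzpxlr.dll", SUSPECT_SIZE, 0, b"\x41")
        second = find_suspects(d, since=since)
        return [h[0] for h in first], [h[0] for h in second], recurring_hashes(first, second)


if __name__ == "__main__":
    first_names, second_names, same = demo()
    print("first scan :", first_names)
    print("second scan:", second_names)
    print("same file under a new name:", same)
```

Size and date alone are only a filter, as BobO says: several legitimate DLLs are exactly 57,344 bytes, so each hit still needs a scan before it is renamed. The hash is what turns two scans into evidence: if the hash of yesterday's renamed suspect shows up today under a fresh name, something on the machine is re-creating it, which is the AppInit_DLLs or dllcache problem the later posts describe rather than a leftover file.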
The problem was entirely cured in Win 98 -- no redirects, popups, or anything.

 

But WinXP is a completely different operating system than 98, sorry to say.

 

One thing I can suggest is this: reboot into Command Line Safe Mode, navigate to \Windows\System32, and type dir *.dll | more. You will get a page-by-page readout of all the dlls in that folder, along with their date and size. Write down all the dlls that have a size of exactly 57,344 bytes (there are a number of them). If you find one with a weird name, and a date within May or June 2004, it is suspect. Rename it, reboot Windows into Safe Mode, and scan it with Adaware. If it's harmless, rename it back.

 

Same thing with your \Windows\System directory. See if you can locate the file outside of Windows using good old DOS.

It seems that Win ME/2K/XP users can't reach DOS at the F8 startup menu. But why not use an older Windows startup disk to reach DOS? Once you're at the DOS prompt you can reach and nullify that wretched dll.

 

What's more, I sat down at an XP machine at work (uninfected) and for the hell of it I shut it down and stuck a Win 98 startup disk in the A: drive and powered up.

 

Got to the DOS prompt no problem. Got to the C: drive no problem. Deleted some test files no problem.

 

Of course, as an XP user you'd need a DOS disk. But that should be easy to come by (though I don't think XP lets you make your own startup emergency disk).

 

Could this be a fix for Win XP? Could some XP users give it a try?

 

BobO

 

==> Thank you ideaphorian for the *idea* on this approach!

Edited by BobO

----------
It seems that Win ME/2K/XP users can't reach DOS at the F8 startup menu. But why not use an older Windows startup disk to reach DOS? Once you're at the DOS prompt you can reach and nullify that wretched dll.

Not unless you installed WinXP as an upgrade, and kept the FAT32 partition. A new install of WinXP creates an NTFS partition, and the Win98 startup disk won't see it. No joy there.

----------
It seems that Win ME/2K/XP users can't reach DOS at the F8 startup menu. But why not use an older Windows startup disk to reach DOS? Once you're at the DOS prompt you can reach and nullify that wretched dll.

Not unless you installed WinXP as an upgrade, and kept the FAT32 partition. A new install of WinXP creates an NTFS partition, and the Win98 startup disk won't see it. No joy there.

Good point. I guess the machine at work here is an upgrade.

 

However, a tech friend here at the office suggests investigating the Windows XP Recovery Console (which acts similarly to DOS) to access and rename/remove the bad dll file. I'm not familiar with it myself, but there is information from Microsoft at:

 

http://support.microsoft.com/default.aspx?...kb;EN-US;314058

 

Ya think?

----------

I've tried EVERYTHING mentioned on this board. I cannot get rid of this thing. Is there anything I can do? I'm running XP with IE 6. The popups are crashing my computer! I may have to re-format my hard drive, which I really don't want to do. Has anyone using XP managed to get rid of this thing?

----------

I have also been dealing with the fun coolwebsearch hijacking. It has been so challenging to stay calm and not want to really get back at the company that created this plague.

 

Anyway, I did figure out a neat way to get the pop-ups to stop. So far it has kept my front page from being hijacked also. I have tried all the suggested programs listed here and I think my computer is still infected with the incurable virus/spyware.

 

Here is the work around I came up with ( also posted on my server)

http://www.surferess.com/coolwebsearch

 

The biggest problem is that the popup ads are not really real HTML pop-up windows. They are ActiveX and have JavaScript that runs and installs applications and registry entries. Another problem is that the window has no address bar so the URL is difficult to find. After several days I did figure out a way to find the URLs through the history function. On my computer, the URL these sites are loading from is http://s1di.d8t.biz (DO NOT GO THERE!!! I just wanted you to see the URL)

 

So I put this URL into the restricted sites list in the internet options list of restricted URLs.

 

Open Internet Explorer and click "Tools", "Internet Options" and then click the "Security" tab. Click "Restricted sites" and click "Custom level". Now disable every single thing and turn off your Java virtual machine and Java scripting. Only changing the settings in the restricted sites area helps a lot.

 

Now you will need the URL of your pop-ups: open up your history in MSIE and right-click the spyware ad entry. Then click "Properties". The URL should come up then. Now copy the basic domain (with no directory info) and go back to your Internet Options Security tab under the Restricted sites option, click "Sites" and add the URL to the restricted sites list, then click OK.

 

So far (only about 30 mins) I have not had a pop up ad come up. Let me know if this works for you. It doesn’t stop all the changes, but it did stop the pop ups.

 

At least I don't have to watch 4 sets of bugs performing sexual acts on one another every 10 mins now!

----------

for winXP

 

 

 

The findnfix prog will locate a .dll file; this file is given a random name by the virus. Understand that I mean that to follow the instructions that freeatlast has given, you must read the findnfix log yourself to see what name the .dll is using on your machine! Then use the path that freeatlast gives to get rid of the offending .dll; it works. It worked for me, and you can see that it worked for the guy in the thread that I am directing you to.

 

Life is good. Follow the instructions that freeatlast gives here

 

http://www.spywareinfoforum.com/index.php?act=ST&f=18&t=10027

Edited by trollafrogg

----------

I was unable to get the executable findandfix to run. It kept coming up with a missing dll file and would not install.

 

I am currently deleting registry entries, as I have been for the last 6-7 days now. We have finally given up and downloaded the mozilla firefox browser. It is the old Netscape pretty much. I kind of missed it anyway. I used to be totally anti Microsoft and wouldn't install anything but Netscape. However, when Netscape was purchased by AOL I lost all respect for them and uninstalled Navigator, leaving MSIE as my default browser.

 

I believe this adware/spyware is truly the undoing of the internet. It is also a National Security Issue, IMHO. When an application starts installing itself, stealing passwords and reinstalling itself it is beyond just being a "pest". The fact that one simply cannot get rid of it, no matter what one does, gives one a sense of great defeat. I consider myself to be net savvy and an expert computer user and this has truly defeated me for almost a week. I spent the sleeping hours trying to figure out a way to fix it and my waking hours scanning with one of 10 different spy programs.

 

It is OVER! I am so NOT going to use MSIE! Screw Microsoft - I truly cannot believe they still have NO PATCH for this??? They are due all the MS bashing they get, as far as I am concerned.

 

The only thing I can figure out is perhaps Msft is making money on it somehow? Otherwise, where is the freaking patch already??? Sorry to sound so frustrated, but this really does suck! :wtf:

----------
At least I don't have to watch 4 sets of bugs performing sexual acts on one another every 10 mins now!

I wish I didn't have to watch the fornicating bugs any more. Unfortunately, what you suggested didn't work for me. I'm still getting the popups, and I'm still hijacked by about: blank.

 

I'm tired. I've been trying to fix this all day. Gotta sleep. I'll try again tomorrow.

 

Thanks for your help. If and when I ever get this fixed, I'll trumpet it all over these boards!

----------

Hi all....

 

I'm going to throw my input into the mix for the Windows 2000 users... Upon reading Kooderi's explanation of the mysterious NOTEPAD.EXE file creation in the WINNT\dllcache directory, I decided to check my own creation/modifications of this file.

 

YUP, my system suspiciously created a NOTEPAD.EXE at the EXACT same time as my resurfacing of about:blank....

 

Spurred on by curiosity I also checked for other file modifications which occurred at that exact moment - I found these:

 

wmplayer.exe.bak

notepad.exe.bak in WINNT dir

notepad.exe.bak in WINNT\system32

notepad.exe.tmp in WINNT\system32

 

I've tried most of everything and curiously should note that on the last reappearance of the hijack my AppInit_DLL did not resurface with the problem - the 30 KB mystery .dlls in WINNT\System32 did however.

 

I ran the latest CWShredder today as well as HijackThis. I, like others, cannot get into the DOS mode with Win2000 to follow BobO's instructions..

 

<--- NOT a computer guru here at all - just wondering if these finds add to any knowledge base out there....

 

regards

----------

dooom --

 

You may not be able to get to DOS in Win 2000, but you can get to a command-line interface with access to your Windows and system files -- without starting Win2000 itself.

 

It appears that there is something called the Windows 2000 Recovery Console, which is an application from Microsoft designed to help you repair a bad Windows installation. But it sure looks and acts a *lot* like MS-DOS to me.

 

If you have your Windows installation disks or installation CD, you can run this application and get to your system files. And if you can identify the bad .dll beforehand, you can access it and remove/rename it, thereby putting it out of business.

 

Here is the information from Microsoft Support:

 

Windows 2000 Recovery Console

 

There's a Recovery Console for Windows XP too, see my post above. I think this approach may be worth investigating, but I've only got Win98 so I can't test it.

 

Good luck.

 

BobO

----------
I've tried EVERYTHING mentioned on this board. I cannot get rid of this thing. Is there anything I can do? I'm running XP with IE 6. .... Has anyone using XP managed to get rid of this thing?

I did, XP Pro fully updated rig. Look at my earlier post; as mentioned, the current AV used did not find all the bugs (?) I had. Try AVG. Don't forget to disable XP restore first, empty all temp files after deleting the registry key, run Spybot and Ad-Aware, download AVG then reboot, and install it; if you can't then you still have some bugs partying around. NB: if you have Norton Utilities don't forget to disable the trash bin protection and delete all protected files (right-click on the trashcan for options). 2nd NB: for temp files removal try emptemp at

http://www.danish-shareware.dk/soft/emptemp/

 

i believe that you must get rid of all temp files before rebooting ..at least that way it worked for me ...goodluck !!

 

Kontrol.

----------

I fought with this virus for a week and a half. It's a Win32MerstingB trojan. I believe it also contains variations of the CWS trojan too. Here are some useful sites and some information to help you get rid of it.

 

From CA's website: "Win32.Mersting is a trojan that is used to change a user's default Internet Explorer homepage and/or default search page that may also download other components and add pornography related Favorites to Internet Explorer."

 

Turns out it can enter your system through the Microsoft Java Virtual Machine. I had all the latest updates from Microsoft and it didn't stop it.

 

Aside from running CWShredder, Spybot, Ad-aware, Pest Patrol and an antivirus program, there are a couple of other things you can do too.

 

My antivirus program (eTrust from CAI) would stop it from executing, but it wouldn't remove it. Below are some websites explaining what it is and a couple of ways to remove it.

 

To see information about it, go to:

 

http://vic.zonelabs.com/body/CA/virusDetails.jsp?VId=39113

http://www3.ca.com/securityadvisor/virusin...s.aspx?id=39113

http://uk.trendmicro-europe.com/enterprise...me=TROJ_AGENT.A

 

For information on the Reg Start page, go to:

 

http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=28683

 

Trend Micro's removal tool for this particular mofo is at:

 

https://beta.activeupdate.trendmicro.com/fi...gentv1.0007.zip

 

I have a command file (.cmd) named delmer.cmd that will remove it for you too; it was sent to me from CAI. If anyone needs it, email me and I can send it to you. You'll need software to be able to decode MIME files though. For anyone who knows how to create a command file, below are the contents of that command file:

 

 

@echo off
rem delmer.cmd -- usage: delmer.cmd <full path to the bad file>
if "%~1"=="" (
    echo usage: %~nx0 path\to\file
    exit /b 1
)
rem Grant everyone full access to the file (replaces its ACL with Everyone:Full;
rem the piped "y" answers the "Are you sure" prompt from cacls)
echo y| cacls.exe "%~1" /g everyone:f
rem Access the file to trigger resident (on-access) protection
type "%~1" > nul
rem Wait 10 seconds to allow system clean to run. "delay" is not a built-in
rem command on 2000/XP; 11 pings to the loopback address is the usual way to wait.
ping -n 11 127.0.0.1 > nul
rem In case system clean didn't run, delete the file manually
del /q /f "%~1"

 

Make sure that once you run the command file, or the fix tool from Trend Micro, you turn off System Restore if you're using Win ME or XP. You'll need to reboot before the computer deletes all the System Restore points. Your antivirus will keep detecting the virus if you don't turn System Restore off.

 

I hope this will help everyone who went through the nightmare I've gone through too!!

 

If you need the command file or more info, my email address is Mrfullsrvc at aol.com. (Don't forget to use the '@' symbol in the email.)

ideaphorian:

 

I am also running ME, but have been unable to find the offending file using BobO's instructions. I can't find a System Hooks file under Software Environment. Where did you find the offending file?

 

The Fist

Fist,

 

I found the offending file by using BobO's instructions about finding the files in MS-DOS: go to the MS-DOS prompt (from Programs -> Accessories), then at the C:\WINDOWS prompt, type cd system, then type dir *.dll|more -- look for files that have 57,344 bytes (lots of them) but that were entered recently (in my case, just one on 6/11/04). Mine's called kbdfnj.dll, but I suspect that the file name might be random.

 

I hope this helps!

 

What's more, I think I've figured out how to get rid of the about:blank problem on Windows ME. I can't try to rename it as BobO suggests using the 'normal' boot options in ME, because they do not allow for a direct boot into MS-DOS. So I had to create a Windows ME startup disk, then boot up ME using the startup disk. Eventually it allows you to get to a DOS prompt, from which I could follow BobO's instructions. I just rebooted the system after deleting the offending file, and the telltale signs of trouble (error message with msgsrv32 on startup; error message with mmtask at shutdown) have disappeared.... free at last, free at last?!?!?!

FYI, two days or so later, my Windows ME computer remains free of this virus -- thanks again BobO and everyone for your postings which helped!

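The hunt described in the two posts above (list *.dll in the system directory, look for a file of exactly 57,344 bytes with a recent date and a nonsense name) and BobO's advice to rename the file rather than delete it, written out as an added Python example. This is not code from the thread or from any of the tools it mentions; the 7-day "recent" window, the .hijack.bak suffix and the directory argument are assumptions. It is meant to be run from a command prompt where the DLL is not loaded (Safe Mode, a startup disk, or the Recovery Console), because a loaded DLL cannot be renamed and the example reports that case instead of silently failing.

```python
# Added example (not from this thread): find DLLs matching the fingerprint the
# posters describe (exact size, recently modified) and quarantine them by renaming.
import argparse
import hashlib
import os
import time
from pathlib import Path

SUSPECT_SIZE = 57344               # byte size reported for the hijacker dll in the thread
WINDOW_DAYS = 7                    # assumption: what "entered recently" means; widen if needed
QUARANTINE_SUFFIX = ".hijack.bak"  # assumption: any suffix Windows will not load as a dll


def find_suspects(directory, size=SUSPECT_SIZE, window_days=WINDOW_DAYS, now=None):
    """Return [(name, sha256hex)] for *.dll files in `directory` that are exactly
    `size` bytes and were modified within the last `window_days` days,
    newest first so the most likely candidate is listed at the top."""
    now = time.time() if now is None else now
    cutoff = now - window_days * 86400
    hits = []
    for p in Path(directory).iterdir():
        if not p.is_file() or p.suffix.lower() != ".dll":
            continue
        st = p.stat()
        if st.st_size != size or st.st_mtime < cutoff:
            continue
        # hash the sample so it can be matched against vendor write-ups later
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
        hits.append((st.st_mtime, p.name, digest))
    hits.sort(reverse=True)
    return [(name, digest) for _, name, digest in hits]


def quarantine(directory, names, suffix=QUARANTINE_SUFFIX):
    """Rename each named file so it cannot be loaded at boot but is kept for a
    rescan or a restore. Returns (renamed, locked); `locked` lists files the OS
    refused to rename, which on Windows means the dll is still loaded and the
    step has to be repeated from Safe Mode or the Recovery Console."""
    renamed, locked = [], []
    for name in names:
        src = Path(directory) / name
        try:
            os.replace(src, src.with_name(name + suffix))
            renamed.append(name + suffix)
        except PermissionError:
            locked.append(name)
    return renamed, locked


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="hunt and quarantine the hijacker dll")
    ap.add_argument("directory", help=r"e.g. C:\WINDOWS\SYSTEM")
    ap.add_argument("--size", type=int, default=SUSPECT_SIZE)
    ap.add_argument("--days", type=int, default=WINDOW_DAYS)
    ap.add_argument("--rename", action="store_true", help="quarantine instead of only listing")
    args = ap.parse_args()
    found = find_suspects(args.directory, args.size, args.days)
    for name, digest in found:
        print(f"{name}  sha256={digest}")
    if args.rename and found:
        done, locked = quarantine(args.directory, [n for n, _ in found])
        print("renamed:", done, "still locked:", locked)
```

Run it once without --rename to see the candidates and their hashes, confirm there is exactly one recent file of that size with an unfamiliar name, then run it again with --rename. Renaming instead of deleting keeps the bytes available for the Ad-aware/Spybot rescan the thread recommends and lets you put the file back if it turns out to be legitimate.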

Hi, I need serious help with this hijacked home page situation. I have tried numerous things as far as scanning with Spybot and Ad-aware (with all info). Please keep in mind I have read the FAQs on what to do before doing anything. I even tried HijackThis through an online support system and it just didn't delete it. I am stumped, other than reformatting my hard drive. Can someone show me how to get HijackThis without getting a page that has been moved or some other thing happening to it? If I can get HijackThis I'll post what I got in here without changing anything. I can see that a lot of people have the same problem so I know there has to be a fix. Any responses will be appreciated.

 

 

rocky.


As I understand it, CWShredder (updated) now fixes this particular variant, with ( Temp\sp.html ) in the R0s and R1s.

Latest info received: this variant will not be fixed by CWShredder. Sorry for the muck-up.


Well, the thing is I did the CWShredder update. This thing CANNOT be updated without going in and deleting something. I have tried and tried and tried. I'm stumped. I even tried getting a log file for HijackThis but don't know how. Can someone help me there?



BobO,

 

I have been able to follow most of your instructions on my Win 98SE machine. I have found the *.dll file of the exact size and renamed it. This file also has a recent date, which adds to my suspicion that it is a baddie.

 

However, here's the problem: when I try to run Ad-aware in DOS safe mode, I get a message that Ad-aware has to run under Win32. Does this mean I should move Ad-aware to the WIN subfolder before running it? I have Ad-aware.exe installed under Program Files\Lavasoft\Ad-aware 6.0\

 

I have run Ad-aware under windows and it does not recognize the newly named file. Perhaps I should delete this renamed file to the recycle bin (from which it can be restored) or save it on a floppy, then delete it from my hard drive.

 

Your comments, please?


zophiel --

 

Sounds like you've done everything right, up to the point where you run Ad-aware on the suspect file.

 

The idea is that you get at and rename the bad dll in Command Line (i.e., DOS) safe mode, and once you've done that, you restart your computer in *Windows* safe mode. That way you can run Ad-aware on it, and yes, Ad-aware can only be run in Windows. Note that if you really did find and rename the hidden CWS bootup file, Windows will look for it while booting, even in Safe Mode, and complain that it can't find it. No problem, ignore its complaints and keep going.

 

I guess it's a good idea to recycle the file instead of trashing it too, just in case you need it. But if it's 57,344 bytes, and it has a recent date and a nonsense name, it sounds like the culprit to me.

 

While you're in Windows Safe Mode, you can run CWShredder and Spybot as well, to clean up the leftovers.

 

Good luck!

 

PS - Here's an idea for Windows XP users who want to get to the command line: why not put a blank floppy in Drive A (Daddy, what's a floppy? :)), right-click on the icon, and select Format. When the dialog comes up, choose Make This A Bootable Disk (or whatever it says like that). My XP user friends say that you can boot an XP machine with such a disk and reach a command line, from which you can navigate over to the suspect file etc etc etc.

 

Check it out...

 

BobO
